Telecom – INDIA NEWS (http://www.indiavpn.org)

Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies
http://www.indiavpn.org/2024/01/06/sea-turtle-cyber-espionage-campaign-targets-dutch-it-and-telecom-companies/
Sat, 06 Jan 2024 09:06:36 +0000

Jan 06, 2024 | Newsroom | Cyber Espionage / Supply Chain Attack


Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.

“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” Dutch security firm Hunt & Hackett said in a Friday analysis.

“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and/or individuals.”

Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.


Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.

“The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor’s methodology in targeting various DNS registrars and registries,” Talos said at the time.

In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to “establish a foothold upstream of their desired target” via exploitation of known vulnerabilities.

Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.

“The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence,” the company said. “There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext.”

The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, performing defense evasion techniques to fly under the radar and harvest email archives.


In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It’s currently not known how the attackers obtained the credentials.

“Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet,” the firm noted.

“It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory.”

To mitigate the risks posed by such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication (2FA), rate-limit login attempts to blunt brute-force attacks, monitor SSH traffic, and keep all systems and software up to date.

Russian Hackers Had Covert Access to Ukraine’s Telecom Giant for Months
http://www.indiavpn.org/2024/01/05/russian-hackers-had-covert-access-to-ukraines-telecom-giant-for-months/
Fri, 05 Jan 2024 10:16:19 +0000

Jan 05, 2024 | Newsroom | Cyber Attack / Data Breach


Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar’s systems at least since May 2023.

The development was first reported by Reuters.

The incident, described as a “powerful hacker attack,” first came to light last month, knocking out access to mobile and internet services for millions of customers. Soon after the incident, a Russia-linked hacking group called Solntsepyok took responsibility for the breach.

Solntsepyok has been assessed to be a Russian threat group with affiliations to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.


The advanced persistent threat (APT) actor has a track record of orchestrating disruptive cyber attacks, with Denmark accusing the hacking outfit of targeting 22 energy sector companies last year.

Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cybersecurity department, said the attack against Kyivstar wiped out nearly everything from thousands of virtual servers and computers.

The incident, he said, “completely destroyed the core of a telecoms operator,” noting the attackers had full access likely at least since November, months after obtaining an initial foothold into the company’s infrastructure.

“The attack had been carefully prepared during many months,” Vitiuk said in a statement shared on the SBU’s website.

Kyivstar, which has since restored its operations, said there is no evidence that the personal data of subscribers has been compromised. It’s currently not known how the threat actor penetrated its network.


It’s worth noting that the company had previously dismissed speculations about the attackers destroying its computers and servers as “fake.”

The disclosure comes as the SBU revealed earlier this week that it took down two online surveillance cameras that were allegedly hacked by Russian intelligence agencies to spy on the defense forces and critical infrastructure in the capital city of Kyiv.

The agency said the compromise allowed the adversary to gain remote control of the cameras, adjust their viewing angles, and connect them to YouTube to capture “all visual information in the range of the camera.”

Albanian Parliament and One Albania Telecom Hit by Cyber Attacks
http://www.indiavpn.org/2023/12/29/albanian-parliament-and-one-albania-telecom-hit-by-cyber-attacks/
Fri, 29 Dec 2023 14:59:40 +0000

Dec 29, 2023 | Newsroom | Cyber Attack / Web Security


The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week.

“These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure,” AKCESK said.

One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected.

AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to “identify potential cases in real-time.”

The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.


What’s more, AKCESK said the incident has prompted it to review and strengthen its cybersecurity strategies.

The exact scale and scope of the attacks are currently not known, but an Iranian hacker group called Homeland Justice claimed responsibility on its Telegram channel, alongside stating that it had hacked flag carrier airline Air Albania.


In a message shared on its website on December 24, the outfit said it is “back to destroy supporters of terrorists,” and appended the following tags: #albania, #albaniahack, #CyberAttacks, #mek, #MKO, #ncri, #NLA, #pmoi, #Terrorists.

The development comes more than a year after Albanian government services were targeted by destructive cyber attacks in mid-July 2022.

Homeland Justice claimed responsibility for those attacks as well. The development subsequently prompted the U.S. government to sanction Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, for engaging in cyber-enabled activities against the U.S. and its allies.

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa
http://www.indiavpn.org/2023/12/24/iranian-hackers-using-muddyc2go-in-telecom-espionage-attacks-across-africa/
Sun, 24 Dec 2023 20:53:49 +0000

Dec 19, 2023 | Newsroom | Cyber Espionage / Cyber Attack


The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.

The cyber espionage group’s use of MuddyC2Go was first highlighted by Deep Instinct last month, which described it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. There is, however, evidence to suggest that it may have been in use as early as 2020.


While the full extent of MuddyC2Go’s capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm’s C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.

The latest set of intrusions, which took place in November 2023, has also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.

Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.

In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.

The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.

“In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec noted. “A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity.”

By combining bespoke, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible while pursuing its strategic objectives, the company said.

“The group continues to innovate and develop its toolset when required in order to keep its activity under the radar,” Symantec concluded. “The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.”


The development comes as an Israel-linked group called Gonjeshke Darande (meaning “Predatory Sparrow” in Persian) claimed responsibility for a cyber attack that disrupted a “majority of the gas pumps throughout Iran” in response to the “aggression of the Islamic Republic and its proxies in the region.”

The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate and has conducted destructive attacks in Iran against steel facilities, petrol stations, and rail networks.

The cyber assault also follows an advisory from the Israel National Cyber Directorate (INCD) that accused Iran and the pro-Hamas group Hezbollah of unsuccessfully attempting to disrupt Ziv Hospital, attributing the attack to threat actors named Agrius and Lebanese Cedar.

“The attack was executed by the Iranian Ministry of Intelligence with the involvement of Hezbollah’s ‘Lebanese Cedar’ cyber units under the leadership of Mohammad Ali Merhi,” the INCD said.
