A new cyber threat campaign called “Sea Turtle” has been discovered. The ongoing operation began in January 2017 and continued through the first quarter of 2019.

The campaign targets public- and private-sector organizations, mainly in the Middle East and North Africa, where at least 40 different organizations across 13 countries were compromised.


How it works

The actors rely on DNS hijacking: they modify the victim's DNS name records so that users are directed to actor-controlled servers, then capture legitimate users' credentials from a man-in-the-middle (MitM) position. Once they have access to a network, the threat actors also steal the organization's SSL certificate and deploy it on actor-controlled servers to perform additional MitM operations and harvest further credentials.

The threat actors gain initial access by exploiting known vulnerabilities or by sending spear-phishing emails. They exploited multiple known CVEs either to gain initial access or to move laterally within an affected organization.

The actors avoid detection through certificate impersonation: they obtain a certificate-authority-signed X.509 certificate for the victim organization's own domain from a different provider, so the certificate presented by their servers is valid for that domain.
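The two techniques above, record redirection and certificate impersonation, both leave traces a defender can watch for by comparing a zone's public records and served certificate against a trusted baseline. The following monitor is an added example written for this summary (not code from the report or the researchers); the domain, addresses, name servers, fingerprints and issuer names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One observation of a zone's public records and the TLS certificate it serves."""
    a: frozenset        # A record addresses
    ns: frozenset       # delegated name server hostnames
    cert_sha256: str    # fingerprint of the leaf certificate presented on :443
    cert_issuer: str    # issuing CA named in that certificate


def check_hijack(domain, baseline, observed, allowed_nets, allowed_ns_suffixes):
    """Compare an observed snapshot against a trusted baseline.

    Returns a list of (severity, message) tuples. 'high' marks the pattern
    described above: records moved to infrastructure the organization does not
    own, or a certificate for the domain issued by a CA it does not use.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for ip in sorted(observed.a - baseline.a):
        owned = any(ipaddress.ip_address(ip) in n for n in nets)
        note = "" if owned else " (outside owned ranges)"
        alerts.append(("medium" if owned else "high", f"{domain}: A record now {ip}{note}"))
    for host in sorted(observed.ns - baseline.ns):
        owned = host.endswith(tuple(allowed_ns_suffixes))
        alerts.append(("medium" if owned else "high", f"{domain}: NS delegation now {host}"))
    if observed.cert_sha256 != baseline.cert_sha256:
        # Certificate rotation is routine; a new issuer for the same domain is not.
        if observed.cert_issuer != baseline.cert_issuer:
            alerts.append(("high", f"{domain}: certificate now issued by {observed.cert_issuer!r}"))
        else:
            alerts.append(("low", f"{domain}: certificate rotated (same issuer)"))
    return alerts


# Constructed sample data (documentation ranges, not real infrastructure).
BASELINE = Snapshot(frozenset({"203.0.113.10"}),
                    frozenset({"ns1.example-org.net", "ns2.example-org.net"}),
                    "aa11aa11", "Example Trust CA")
OBSERVED = Snapshot(frozenset({"198.51.100.77"}),
                    frozenset({"ns1.example-org.net", "ns-x.hosting-example.net"}),
                    "bb22bb22", "Other Public CA")

if __name__ == "__main__":
    for sev, msg in check_hijack("mail.example-org.com", BASELINE, OBSERVED,
                                 ["203.0.113.0/24"], (".example-org.net",)):
        print(sev.upper(), msg)
```

In practice the observed snapshot would be refreshed from several external resolvers and a TLS probe, and every "high" alert routed to the team that owns registrar and DNS-provider credentials.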
