{
	"id": "e16cb7f7-a206-495c-934e-b09aa15cef8c",
	"created_at": "2026-04-06T00:20:18.406177Z",
	"updated_at": "2026-04-10T03:32:26.52051Z",
	"deleted_at": null,
	"sha1_hash": "1b0f8ed4b6b59c4b2e15219cf51daf30145c5bc9",
	"title": "Sea Turtle - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61316,
	"plain_text": "Sea Turtle - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:59:30 UTC\r\nAPT group: Sea Turtle\r\nNames\r\nSea Turtle (Talos)\r\nSilicon (Microsoft)\r\nUNC1326 (FireEye)\r\nMarbled Dust (Microsoft)\r\nTeal Kurma (PwC)\r\nCosmic Wolf (CrowdStrike)\r\nCountry Turkey\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Talos) Cisco Talos has discovered a new cyber threat campaign that we are calling\r\n“Sea Turtle,” which is targeting public and private entities, including national\r\nsecurity organizations, located primarily in the Middle East and North Africa. The\r\nongoing operation likely began as early as January 2017 and has continued through\r\nthe first quarter of 2019. Our investigation revealed that at least 40 different\r\norganizations across 13 different countries were compromised during this campaign.\r\nWe assess with high confidence that this activity is being carried out by an advanced,\r\nstate-sponsored actor that seeks to obtain persistent access to sensitive networks and\r\nsystems.\r\nThe actors behind this campaign have focused on using DNS hijacking as a\r\nmechanism for achieving their ultimate objectives. DNS hijacking occurs when the\r\nactor can illicitly modify DNS name records to point users to actor-controlled\r\nservers. The Department of Homeland Security (DHS) issued an alert about this\r\nactivity on Jan. 24 2019, warning that an attacker could redirect user traffic and\r\nobtain valid encryption certificates for an organization’s domain names.\r\nObserved\r\nSectors: Aerospace, Defense, Energy, Government, NGOs, Telecommunications,\r\nThink Tanks and Intelligence agencies.\r\nCountries: Albania, Armenia, Cyprus, Egypt, Greece, Iraq, Jordan, Lebanon, Libya,\r\nNetherlands, Sudan, Sweden, Switzerland, Syria, Turkey, UAE, USA.\r\nTools used Drupalgeddon and DNS hijacking.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4227fdb4-8b95-410d-9b06-3697c5edd064\n\nOperations performed\nJan 2018\nTalos now has moderate confidence that the threat actors behind Sea\nTurtle have been using another DNS hijacking technique. This new\ntechnique has been used very sparingly, and thus far we have only\nidentified two entities that were targeted in 2018, though we believe\nthere are likely more.\nApr 2019\nThe Institute of Computer Science of the Foundation for Research and\nTechnology – Hellas (ICS-Forth), the ccTLD for Greece,\nacknowledged on its public website that its network had been\ncompromised on April 19, 2019. Based on Cisco telemetry, we\ndetermined that the actors behind the Sea Turtle campaign had access\nto the ICS-Forth network.\n2021\nTurkish espionage campaigns in the Netherlands\nInformation\nLast change to this card: 28 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4227fdb4-8b95-410d-9b06-3697c5edd064",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4227fdb4-8b95-410d-9b06-3697c5edd064"
	],
	"report_names": [
		"showcard.cgi?u=4227fdb4-8b95-410d-9b06-3697c5edd064"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b0f8ed4b6b59c4b2e15219cf51daf30145c5bc9.pdf",
		"text": "https://archive.orkl.eu/1b0f8ed4b6b59c4b2e15219cf51daf30145c5bc9.txt",
		"img": "https://archive.orkl.eu/1b0f8ed4b6b59c4b2e15219cf51daf30145c5bc9.jpg"
	}
}