{
	"id": "cb60ee5b-59be-4fb2-aba4-7167d05a935d",
	"created_at": "2026-04-06T00:10:47.837678Z",
	"updated_at": "2026-04-10T03:32:26.519206Z",
	"deleted_at": null,
	"sha1_hash": "7409163c16c403f0335aee76615798fd4fda2539",
	"title": "On Sea Turtle campaign targeting Greek governmental organisations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 356408,
	"plain_text": "On Sea Turtle campaign targeting Greek governmental\r\norganisations\r\nBy andreas.sfakianakis\r\nPublished: 2020-02-25 · Archived: 2026-04-05 15:03:29 UTC\r\nOn 23 February 2020, greek news media reported that Greece Prime Minister’s office, the Ministry of Foreign\r\nAffairs, the National Intelligence Service and the Greek Police were the targets of an international cyber espionage\r\ncampaign in April 2019 named Sea Turtle. This is one of the most significant cyber espionage activities against\r\nGreece that is publicly known.  Sea Turtle campaign has been initially reported by Cisco Talos Intelligence\r\nGroup last year.\r\nSee the below timeline:\r\n1. 17 April 2019: Talos reported the initial findings related to Sea Turtle campaign. Talos investigation\r\nrevealed that at least 40 different organizations across 13 different countries (mostly located primarily in\r\nthe Middle East and North Africa) were compromised during this campaign. Talos also assessed that this\r\ncampaign was carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to\r\nsensitive networks and systems. Finally, Talos assessed that Sea Turtle operations were distinctly different\r\nand independent from the operations performed by DNSpionage campaign, which was reported on in\r\nNovember 2018.\r\nSee link\r\nhttps://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline\r\nPage 1 of 3\n\n2. 19 April 2019: ICS-FORTH is the institution that manages the .gr and .ελ top-level domains for Greece.\r\nICS-FORTH notified the domain name owners about a cyber attack against the registry of .gr and .ελ\r\ndomain names.\r\nSee link (in greek)\r\n3. 9 July 2019: Talos reported additional findings of Sea Turtle campaign that included the targeting of ICS-FORTH. 
According to Talos, the adversaries behind the Sea Turtle campaign had access to the ICS-FORTH network at least until 24 April 2019 (for another five days after ICS-FORTH publicly disclosed the\r\nincident on 19 April 2019).\r\nSee link\r\n4. 27 January 2020: Reuters reported that hackers acting in the interests of the Turkish government are believed\r\nto be behind cyber-attacks against the Greek government’s email services (among other targets). According to\r\nsenior Western officials, the above assessment was conducted based on victimology, infrastructure, and\r\nother confidential information.\r\nSee link\r\n5. 23 February 2020: Greek media reported that during April 2019 the domains @primeminister[.]gr (Greek\r\nPrime Minister), @mfa[.]gr (Greek Ministry of Foreign Affairs), @nis[.]gr (Greek Intelligence Service)\r\nand @astynomia[.]gr (Greek Police) were impacted by the Sea Turtle campaign. According to the article,\r\nthe victims reckoned that an email malfunction was due to a cyberattack against the .gr and .el domain\r\nnames registry, whose technical support is provided by ICS-FORTH. While there is a lot of speculation,\r\nthe impact of the cyber-attack is still not known.\r\nSee link\r\nSee link (in Greek)\r\nBased on the public information available, one could assess with low confidence that the intrusion activity\r\nreported by Reuters (#4) is linked to the Sea Turtle campaign because of the similar TTPs used (DNS hijacking\r\ntechnique), victimology (Greece, Cyprus, Iraq, Ministries of foreign affairs, Intelligence agencies, governmental\r\nemail services), and attack timestamp (early 2019 for Greek governmental organisations).\r\nOne major lesson learned that needs to be captured is what Christopher Glyer mentioned on Twitter:\r\nSecuring (inter)national critical infrastructure should be of utmost priority. This infrastructure will inevitably be\r\ntargeted by capable adversaries and potentially compromised (assume breach mentality). 
What we can do as\r\ndefenders is to better prepare and develop the capabilities needed to prevent and respond to such activities. This\r\nrequires the relevant strategy and commitment from a resources perspective (think about people, processes and\r\ntechnology).\r\nMoreover, it is also important to use the proper narrative when talking in public about such security incidents.\r\nAttribution in cyberspace is a difficult and expensive activity. During the past month, there was a lot of\r\nmedia reporting in Greece about “cyber-attacks coming from Turkey” presenting no evidence and no structured\r\napproach to attribution. “Turkey did it/Turkish hackers did it” was such a wrong way to present it. In cyber\r\nspace, infrastructure can be reused and we have also seen false flag operations where adversaries try to fool the\r\nvictim about their identity. Public discussion on such cyber security incidents should be more professional and\r\nresponsible to prevent circulation of information that is not backed by evidence or a solid assessment.\r\nSource: https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline"
	],
	"report_names": [
		"on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline"
	],
	"threat_actors": [
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7409163c16c403f0335aee76615798fd4fda2539.pdf",
		"text": "https://archive.orkl.eu/7409163c16c403f0335aee76615798fd4fda2539.txt",
		"img": "https://archive.orkl.eu/7409163c16c403f0335aee76615798fd4fda2539.jpg"
	}
}