Turkish threat actors suspected in Sea Turtle attacks.
Reuters on Monday cited anonymous UK and US officials as saying that hackers acting in the interests of the Turkish government are suspected to be responsible for a large-scale DNS hijacking campaign that targeted government agencies, companies, and other organizations. The officials based their assessment on the fact that the campaign's targeting was aligned with Turkish geopolitical interests, the fact that it bore similarities to prior attacks launched from Turkish infrastructure, and, perhaps most importantly, "information contained in confidential intelligence assessments that they declined to detail."
Reuters identified at least thirty victims of the campaign, which included email services belonging to the governments of Greece and Cyprus, the Iraqi government’s national security adviser, Albanian state intelligence, and domestic Turkish organizations. Reuters examined public DNS records to identify when the websites were redirected to attacker-controlled servers, and found that much of the hijacked traffic was intended for "login portals for email services, cloud storage servers and online networks." Reuters reporter Chris Bing stated on Twitter that his sources indicated that the hackers were in a position "to intercept all Internet traffic going to several countries in the Middle East."
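The detection method the article attributes to Reuters, comparing public DNS records over time to spot when a name was pointed at an unexpected server, can be automated as a drift check against a known-good baseline. The following is an added example written for this page, not code from Reuters, Cisco Talos or the article's author; the domain names, IP addresses, name server names and the snapshot history are all constructed sample data, and a real deployment would feed it from a passive-DNS source or periodic authoritative lookups. It also reports the start and end of each hijack window, so that a short-lived redirection that was later reverted is still surfaced.

```python
"""Flag DNS records that drift away from an expected baseline across snapshots."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One observation of a record set (e.g. from passive DNS or a scheduled query)."""
    observed_at: datetime
    values: FrozenSet[str]


RecordKey = Tuple[str, str]  # (owner name, RR type)

# Constructed baseline: the record data the organisation itself published.
EXPECTED: Dict[RecordKey, FrozenSet[str]] = {
    ("mail.example.gov", "A"): frozenset({"203.0.113.10"}),
    ("example.gov", "NS"): frozenset({"ns1.example.gov.", "ns2.example.gov."}),
}

# Constructed observation history (not real data): a brief A-record redirection
# that was reverted the same day, and an NS change that is still in effect.
HISTORY: Dict[RecordKey, List[Snapshot]] = {
    ("mail.example.gov", "A"): [
        Snapshot(datetime(2019, 1, 1, 0, 0), frozenset({"203.0.113.10"})),
        Snapshot(datetime(2019, 1, 2, 9, 0), frozenset({"198.51.100.7"})),
        Snapshot(datetime(2019, 1, 2, 15, 0), frozenset({"203.0.113.10"})),
    ],
    ("example.gov", "NS"): [
        Snapshot(datetime(2019, 1, 1, 0, 0), frozenset({"ns1.example.gov.", "ns2.example.gov."})),
        Snapshot(datetime(2019, 1, 3, 0, 0), frozenset({"ns1.example.gov.", "ns-rogue.example.net."})),
    ],
    # No baseline for this name, so it is skipped rather than guessed at.
    ("www.example.gov", "A"): [
        Snapshot(datetime(2019, 1, 1, 0, 0), frozenset({"203.0.113.20"})),
    ],
}


def find_hijack_windows(expected: Dict[RecordKey, FrozenSet[str]],
                        history: Dict[RecordKey, List[Snapshot]]) -> List[dict]:
    """Return one alert per contiguous span in which a record carried values
    outside its baseline. 'end' is None when the deviation is still present."""
    alerts: List[dict] = []
    for key, snapshots in history.items():
        baseline = expected.get(key)
        if baseline is None:
            continue  # nothing to compare against; do not invent a baseline
        start: Optional[datetime] = None
        rogue: FrozenSet[str] = frozenset()
        for snap in sorted(snapshots, key=lambda s: s.observed_at):
            unexpected = snap.values - baseline
            if unexpected and start is None:
                start, rogue = snap.observed_at, unexpected
            elif unexpected:
                rogue = rogue | unexpected  # still deviating; accumulate values seen
            elif start is not None:
                alerts.append({"name": key[0], "rrtype": key[1], "start": start,
                               "end": snap.observed_at, "rogue": rogue})
                start, rogue = None, frozenset()
        if start is not None:  # deviation never reverted within the history
            alerts.append({"name": key[0], "rrtype": key[1], "start": start,
                           "end": None, "rogue": rogue})
    return sorted(alerts, key=lambda a: (a["start"], a["name"]))


if __name__ == "__main__":
    for alert in find_hijack_windows(EXPECTED, HISTORY):
        status = "ongoing" if alert["end"] is None else f"reverted {alert['end']}"
        print(f"{alert['rrtype']:<3} {alert['name']}: {sorted(alert['rogue'])} "
              f"from {alert['start']} ({status})")
```

The baseline should come from the organisation's own registrar and zone data rather than from a DNS query, since the point of the check is to catch the case where what the world resolves no longer matches what the owner intended; flagging NS changes as well as A records matters because redirecting the delegation lets an attacker answer for every name in the zone.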
Bing also confirmed that these hackers were behind the campaign tracked by Cisco Talos as "Sea Turtle." Researchers at Talos believe the operation has been ongoing since January 2017, and they noted in April 2019 that "the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward."