Home / Industry

Tracking Down Sea Turtle IoCs in the DNS Ocean

The Sea Turtle threat group recently made headlines when it expanded its operations to target ISPs and telecommunications and media companies in the Netherlands. In the past, Sea Turtle primarily targeted organizations in the Middle East and the U.S. using DNS hijacking and man-in-the-middle (MitM) attacks.

Before news about the threat group’s attack on Dutch organizations, StrikeReady published a list of indicators of compromise (IoCs) comprising 14 IP addresses, eight subdomains, and 15 domains. To find more digital footprints and connected artifacts, the WhoisXML API research team expanded the IoC list that led to the discovery of:

  • 81 email-connected domains
  • 12 additional IP addresses
  • 13 IP-connected domains
  • 204 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download on our website.

Infrastructure Analysis of the Sea Turtle IoCs

Following our usual first step, we analyzed the Sea Turtle IoCs to uncover more details. We began by performing a bulk WHOIS lookup for 21 domains (15 domains and six domains extracted from the subdomains tagged as IoCs) and found that:

  • They were administered by 10 different registrars—NameSilo LLC and Namecheap, which accounted for four domains each; EuroDNS S.A., GoDaddy, and Hosting Concepts with two domains each; and IHS Telekom, Inc., Gname.com, Dynadot, 1API GmbH, and PDR Ltd. with one domain each. Two IoCs did not have current registrar data.
  • One domain was created in 2024, 10 in 2023, five in 2022, one in 2020, one in 2002, and the oldest was created in 2000. The remaining two domains had no creation dates in their current WHOIS records.

  • They were spread across six registrant countries. Nine were registered in the U.S., four in Iceland, two each in Luxembourg and the Netherlands, and one each in Japan and Germany. Two domains did not have current registrant country data.

We also subjected the domain IoCs to a screenshot analysis, which revealed that some continued to host live content. They included the websites below.

Screenshot of domain IoC splendor[.]org
Screenshot of domain IoC splendos[.]org

Next, we did a bulk IP geolocation lookup on the 14 IP addresses listed as IoCs, which revealed that:

  • They were spread across six geolocation countries—six in the Netherlands; two each in the U.S., Lithuania, and Bulgaria; and one each in Germany and the U.K.
  • They were administered by seven ISPs led by BL Networks, which accounted for six IP addresses. BACLOUD-BITE and Neterra Ltd. managed two IP addresses each while DigitalOcean, LLC, Akamai Technologies, Inc., Mvps LTD, and The Constant Company, LLC handled one IP address each.

Uncovering Sea Turtle DNS Connections

We then searched the DNS for more traces of Sea Turtle resources.

WHOIS History API searches for the domain IoCs led to the discovery of 33 email addresses in their historical WHOIS records. Although only one of the email addresses was public, Reverse WHOIS API searches showed that it appeared in the current WHOIS records of 81 domains after duplicates and IoCs were filtered out.

Next, we performed DNS lookups on the 21 domain IoCs, which led us to 12 unique IP addresses, excluding those already tagged as IoCs.

IP geolocation lookups for the 12 additional IP addresses showed that:

  • They were spread across two countries that were also the origin of three IoCs. Eleven of the IP addresses were geolocated in the U.S. while one pointed to Germany as its origin.
  • They were managed by three ISPs—Cloudflare with eight IP addresses, Amazon with three, and Namecheap with one.

  • Threat Intelligence API also revealed that all 12 IP addresses were involved in various threats. A few examples are shown in the table below.

    IP ADDRESSESASSOCIATED THREAT TYPES
    3[.]33[.]130[.]190Phishing
    Malware
    Command-and-control (C2)
    Generic
    Suspicious
    15[.]197[.]148[.]33Phishing
    Malware
    C2
    Generic
    Suspicious
    104[.]21[.]67[.]252Phishing
    Malware
    Generic
    172[.]67[.]183[.]141Phishing
    Malware
    Generic
    2606:4700:3034::6815:43fcPhishing
    Malware
    Generic

Reverse IP lookups for the 12 additional IP addresses and 14 IP address IoCs revealed that eight were potentially dedicated. They led to 13 IP-connected domains after duplicates, the IoCs, and email-connected domains were removed.

Screenshot analyses for the IP-connected domains revealed that one domain—rocosmetic[.]club—hosted content similar to Dom Sentivo, a nursing home in Ilid┼ża, Bosnia and Herzegovina.

Screenshot of IP-connected domain rocosmetic[.]club
Screenshot of domsentivo[.]com

The final step of our investigation entailed looking for string-connected domains using Domains & Subdomains Discovery with the Starts with search parameter. We found 202 domains containing these four text strings that appeared in the domain IoCs:

  • splendor.
  • splendos.
  • solhaber.
  • xtechsupport.

We also found two additional subdomains that began with the text string ai-connector, which also appeared in two subdomains tagged as IoCs. The total number of string-connected domains we discovered was 204, after removing duplicates, the IoCs, and email- and IP-connected domains.

Threat intelligence lookups revealed that one of the string-connected domains—splendor[.]es—was associated with malicious command and control and malware attacks. It hosted the following content based on a screenshot lookup:

Screenshot of domsentivo[.]com

Our expansion of the Sea Turtle IoCs led to the discovery of 311 potentially connected artifacts comprising one personal email address, 81 email-connected domains, 12 additional IP addresses, 13 IP-connected domains, and 204 string-connected domains. We also found several suspicious and malicious web properties, including 12 IP addresses, one IP-connected domain, and one string-connected domain.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global