Profiling Sea Turtle: Tactics, History & Defenses

August 20, 2025

Summary

  • Threat Actor: Sea Turtle (Türkiye-nexus), a.k.a. Teal Kurma, Cosmic Wolf, Marbled Dust
  • Motivation: State-affiliated espionage
  • Targeting: AWS and/or Azure environments, Government, Internet Service Providers, Technology, Telecommunications, etc.
  • Attack Types: DNS-hijacking, zero-day exploitation, credentials and cloud storage theft, etc. 
  • Defenses: Identity security, storage protection, network traffic monitoring, vulnerability management, etc.

Overview

Sea Turtle is a Türkiye-nexus threat actor known for conducting state-affiliated espionage operations since at least 2017. The group has primarily targeted government agencies, IT service providers, and the telecommunications sector, with a notable evolution in tactics over the past decade.

Sea Turtle initially gained attention for its DNS hijacking campaigns, which redirected traffic to steal credentials, often targeting Middle Eastern and European entities. This activity persisted from 2017 through 2020. By 2021, the group had shifted toward exploiting exposed credentials and known vulnerabilities to gain access to internet service providers and related infrastructure, often as a path to reach downstream victims. This activity continued into 2023, when Sea Turtle was observed deploying a custom Linux/Unix implant and expanding into cloud-focused intrusions.

In one case, the group targeted a technology company's cloud environment using stolen credentials to attempt data theft. Using the cloud environment's command line interface, they altered security group settings to allow direct Secure Shell (SSH) access. Since April 2024, Sea Turtle has been observed exploiting a zero-day (CVE-2025-27920) in Output Messenger, a cross-platform enterprise messaging application, against users of unpatched installations.

Cloud TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Sea Turtle – Tactics and Techniques

Tactic | ID | Technique
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts
  Procedure: Sea Turtle used stolen AWS IAM keys or Azure Entra ID credentials to authenticate and access cloud environments, enabling unauthorized API calls.
Execution | T1059.009 | Command and Scripting Interpreter: Cloud API
  Procedure: Executed malicious commands via AWS CLI or Azure CLI/PowerShell to manage resources (EC2/S3/IAM; VMs/Blob/Entra ID).
Persistence | T1543.005 | Create or Modify System Process: Container Services
  Procedure: Modified security group rules to allow SSH (22) from attacker infrastructure, ensuring persistent access.
Defense Evasion | T1578 | Modify Cloud Compute Infrastructure
  Procedure: Opened SSH by altering network controls, blending with legitimate admin activity to evade detection.
Collection | T1530 | Data from Cloud Storage
  Procedure: Queried or downloaded sensitive data from cloud storage/compute using stolen credentials and CLI access.
Command and Control | T1071 | Application Layer Protocol
  Procedure: Used SSH (TCP/22) as the C2 channel to manage compromised instances remotely.
Exfiltration | T1041 | Exfiltration Over C2 Channel
  Procedure: Likely transferred data to actor infrastructure through the established SSH-based C2 channel.

Inferences and Limitations

In CrowdStrike's 2023 Cloud Risk Report, they briefly describe how Cosmic Wolf (a.k.a. Sea Turtle) targeted data in a victim's cloud environment. The report is provider-agnostic, yet the combination of 'security group' changes and CLI usage suggests either AWS or Azure.

Additionally, we assess it is likely the actor used T1530 (Data from Cloud Storage Object) and T1537 (Exfiltration to Cloud Account), inferred from the objective of targeting stored cloud data; this is consistent with common cloud-intrusion tradecraft. However, the report does not provide details on:

  • How credentials were stolen;
  • What specific data was accessed (e.g., S3 vs. RDS); or
  • Whether any exfiltration was confirmed.

Furthermore, there is no mention of the use of other services (e.g., Lambda, IAM role creation, or temporary credentials), which limits visibility into potential persistence or privilege escalation techniques (e.g., T1078.004, T1098).

Incident Response Steps

Below are several high-impact steps to prepare for and respond to the TTPs mentioned above. The list isn't exhaustive, but it highlights key areas where defenders can focus their efforts. Each step lists the investigation and hardening actions for AWS and Azure separately.

1. Investigate Suspicious CLI API Activity
Confirm scope of compromise from unauthorized CLI usage.
Investigate (AWS)
  • Review CloudTrail logs for management and data event API calls (e.g., EC2, S3, IAM).
  • Identify AWS CLI activity from non-organization IPs.
  • Validate new or unexpected API keys using GuardDuty findings.
Investigate (Azure)
  • Review Azure Activity Log for administrative and data operations (VMs, Blob, Entra ID).
  • Identify Azure CLI activity from non-organization IPs via Azure Monitor queries.
  • Validate new or unexpected credentials using Defender for Cloud alerts or Entra ID sign-in logs.
Harden (AWS)
  • Restrict API key creation/usage to trusted IPs via IAM.
  • Enable MFA for IAM users and roles.
  • Use short-term keys.
Harden (Azure)
  • Restrict credential creation/usage to trusted IPs via Entra ID Conditional Access & RBAC.
  • Enable MFA for Entra ID users and service principals.
  • Use short-lived tokens or managed identities.
2. Investigate Unauthorized SSH Security Group Changes
Confirm persistent access via modified security group rules.
Investigate (AWS)
  • Check AWS Config for security group rules opening port 22.
  • Compare current EC2 security group rules to historical baselines.
Investigate (Azure)
  • Check Resource Graph or Activity Log for NSG rules opening port 22.
  • Compare VM NSG rules to historical baselines via Azure Policy or Defender for Cloud.
Harden (AWS)
  • Revert unauthorized TCP/22 rules using Lambda or AWS CLI.
  • Implement automated monitoring for security group changes.
Harden (Azure)
  • Revert unauthorized TCP/22 rules using Azure Functions or Azure CLI.
  • Implement automated monitoring for NSG changes via Azure Monitor alerts.
3. Contain Cloud Data Store Access
Block unauthorized access to sensitive data stores.
Investigate (AWS)
  • Review IAM policies for S3, EBS, RDS to identify over-permissive access.
  • Verify encryption and access logs (S3, RDS) for evidence of data access.
Investigate (Azure)
  • Review RBAC for Blob Storage, Azure Disks, Azure SQL Database.
  • Verify encryption and access logs (Blob, SQL Audit Logs) for evidence of data access.
Harden (AWS)
  • Update IAM policies to block anomalous principals or roles.
  • Enforce encryption and least-privilege for all data stores.
Harden (Azure)
  • Update RBAC roles to block anomalous principals or service principals.
  • Enforce encryption (e.g., Azure Disk Encryption) and least-privilege for all data stores.
4. Trace SSH C2 Paths in Network Logs
Identify the threat actor's command-and-control (C2) connections.
Investigate (AWS)
  • Analyze VPC Flow Logs for inbound/outbound SSH (TCP/22) to non-organization IPs.
  • Check Route 53 DNS logs for suspicious domain resolutions.
  • Correlate Flow Logs with CloudTrail in Security Hub to map attacker activity.
Investigate (Azure)
  • Analyze NSG Flow Logs for inbound/outbound SSH (TCP/22) to non-organization IPs.
  • Check Azure DNS logs for suspicious domain resolutions.
  • Correlate Flow Logs with Activity Log in Microsoft Sentinel to map attacker activity.
Harden (AWS)
  • Block non-organization IPs in VPC security groups or network ACLs.
  • Enable DNS query logging and monitor for anomalies.
Harden (Azure)
  • Block non-organization IPs in NSGs or Azure Firewall.
  • Enable DNS query logging in Azure DNS and monitor for anomalies.
5. Remediate Compromised IAM Keys
Neutralize stolen credentials to halt threat actor access.
Investigate (AWS)
  • Identify IAM keys older than 60 days or used from non-organization IPs via CloudTrail.
Investigate (Azure)
  • Identify Entra ID credentials or service principals older than 60 days or used from non-organization IPs via Entra ID sign-in logs or Activity Log.
Harden (AWS)
  • Rotate compromised keys using AWS SSM or CLI.
  • Transition IAM users to federated roles via AWS SSO to prevent recurrence.
Harden (Azure)
  • Rotate compromised credentials (reset passwords, revoke app secrets) using Entra ID portal or PowerShell.
  • Transition to managed identities or federated roles via Entra ID to prevent recurrence.
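As an added example (not code from this post or from the GitHub repository it references), the following Python script applies the AWS-side checks from steps 1 and 2 to CloudTrail-style records: it flags AWS CLI calls arriving from outside the organization's egress ranges and AuthorizeSecurityGroupIngress calls that open TCP/22 to a non-organization CIDR. The ORG_CIDRS ranges and the sample events are constructed assumptions; in practice you would feed it the parsed "Records" array of your CloudTrail log files.

```python
import ipaddress

# Constructed assumption: the organization's known egress ranges (replace with your own).
ORG_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

def is_org_ip(ip: str) -> bool:
    """Raises ValueError for non-IP values such as 'ec2.amazonaws.com'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_CIDRS)

def opens_ssh_to_outside(event: dict) -> bool:
    """True if an AuthorizeSecurityGroupIngress call permits TCP/22 from a non-org CIDR."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        if perm.get("ipProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        if not (perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535)):
            continue
        for rng in perm.get("ipRanges", {}).get("items", []):
            net = ipaddress.ip_network(rng["cidrIp"])
            if not any(net.subnet_of(org) for org in ORG_CIDRS):
                return True
    return False

def triage(events: list) -> list:
    """Return (rule, eventName, sourceIPAddress) tuples for IR steps 1 and 2."""
    findings = []
    for ev in events:
        ip = ev.get("sourceIPAddress", "")
        try:
            external = not is_org_ip(ip)
        except ValueError:  # call made by an AWS service, not a client IP
            continue
        if external and ev.get("userAgent", "").startswith("aws-cli"):
            findings.append(("cli_from_external_ip", ev["eventName"], ip))
        if opens_ssh_to_outside(ev):
            findings.append(("ssh_opened_to_external", ev["eventName"], ip))
    return findings

# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventName": "ListBuckets", "sourceIPAddress": "192.0.2.44", "userAgent": "aws-cli/2.15.0"},
    {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "192.0.2.44",
     "userAgent": "aws-cli/2.15.0", "requestParameters": {"ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "192.0.2.0/24"}]}}]}}},
]
```

Running `triage(SAMPLE_EVENTS)` yields three findings: the ListBuckets and AuthorizeSecurityGroupIngress calls from 192.0.2.44 trigger the external-CLI rule, and the latter also trips the SSH-opened rule, which is the security group change described in the Persistence and Defense Evasion rows above.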

Getting Help

If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your AWS defenses, refine your IR runbook, and stay ahead of Sea Turtle or other cloud-focused adversaries.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7