Sea Turtle (also tracked as Cosmic Wolf, Marbled Dust [Microsoft], Silicon, Teal Kurma [PwC / Hunt.io], UNC1326 [Mandiant], and MITRE ATT&CK G1041) is a Turkish-state-aligned cyber-espionage cluster active since at least early 2017, publicly disclosed and named by Cisco Talos in April 2019 in a report titled "DNS Hijacking Abuses Trust In Core Internet Service / Sea Turtle." The cluster is widely assessed by Cisco Talos, Microsoft, PwC Threat Intelligence, Hunt.io, Mandiant, and other vendor research teams to operate in alignment with Turkish state interests, most likely on behalf of the Turkish National Intelligence Organization (Millî İstihbarat Teşkilatı, MIT) or affiliated Turkish state entities. No formal US, UK, EU, or other government attribution has been issued.
The Turkish-state-aligned framing should therefore be treated as suspected rather than formally confirmed. Sea Turtle is one of the most operationally distinctive clusters in the publicly tracked APT landscape because its signature tradecraft, large-scale compromise of DNS registrars, DNS registries, and DNS-providing organizations to redirect victim DNS records to attacker-controlled infrastructure, represents a novel and consequential attack on the trust model of the global DNS system. The cluster's April 2019 disclosure by Cisco Talos documented 40+ confirmed victim organizations across 13 countries, including: national government ministries (foreign affairs, defense, intelligence) in Greece, Cyprus, Albania, Armenia, and Iraqi Kurdistan; telecommunications providers and ISPs in the same regions; ICT and ICT-services vendors; ccTLD registry operations (including activity adjacent to Sweden's .se ccTLD); and US-based research and academic institutions. The disclosure was widely credited as a turning point in DNS-infrastructure security awareness and triggered substantial follow-on response, including CISA Emergency Directive 19-01 (issued in January 2019, preceding Talos's full public disclosure), ICANN Security and Stability Advisory Committee analysis, and broad industry hardening of DNS-management account security.

Operationally, the DNS-hijacking tradecraft proceeds in an approximate pattern: (1) credential phishing or supply-chain compromise against DNS-registrar, DNS-registry, or DNS-providing-organization personnel; (2) authentication into DNS-management portals using the stolen credentials; (3) modification of victim DNS records to point to attacker-controlled IP addresses; (4) issuance of attacker-controlled TLS certificates for the victim's domains using Let's Encrypt or other ACME-based certificate authorities that validate via DNS-challenge or HTTP-challenge against the now attacker-controlled infrastructure; and (5) termination of inbound TLS at attacker infrastructure, harvesting of credentials from the victim's users, and selective pass-through or proxying of traffic to the legitimate victim infrastructure to maintain plausibility. The tradecraft requires no exploitation of the victim's own network perimeter and yields credential and content collection against the victim's entire user base, a substantially higher-leverage compromise than a perimeter intrusion.

Beyond the DNS-hijacking signature, the cluster operates more conventional tradecraft, including credential-phishing kits targeting Google, Microsoft, and Apple accounts; exploitation of public-facing vulnerabilities in Cisco network equipment (CVE-2017-3881, CVE-2017-6736); and conventional tooling including Mimikatz, Cobalt Strike, modified OpenSSH clients, Python loaders, and the SnappyTCP Linux ELF backdoor disclosed by PwC / Hunt.io in 2023 under the Teal Kurma naming.

A handful of operational notes. First, the cluster is operationally distinct from the earlier DNS-hijacking activity that Cisco Talos tracked as "DNSpionage", a related-but-separate Iranian-aligned DNS-targeting cluster that was sometimes conflated with Sea Turtle in early reporting; DNSpionage is widely treated as separate. Second, the cluster's targeting of Iranian-opposition entities abroad, alongside Turkish geopolitical interest in countering Iranian regional influence, has occasionally caused confusion with Iranian-state-aligned activity; Sea Turtle's toolkit and tradecraft nonetheless remain distinctively cluster-specific. Third, the Turkish-state-aligned attribution, though widely accepted across vendor research, rests on victimology and operational analysis rather than on formal state attribution; treat the MIT-tasking framing as suspected.
Fourth, the cluster's continued operations despite the high-visibility April 2019 disclosure, the CISA emergency directive, and substantial industry response, documented in the July 2019 Talos follow-up and in continued PwC / Hunt.io / Microsoft tracking through 2024, illustrate the operational discipline and sustained state-tasking-driven motivation of the cluster.
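The hijacking pattern described above leaves two traces a defender can watch for: a victim's records drifting away from their intended values (step 3) and certificates for the victim's names appearing from certificate authorities the organization never used (step 4). The following is an added example written for this page, not code from Talos or any other vendor named here; every domain name, address, issuer string and log entry in it is constructed, and it assumes the organization keeps a baseline of the records and issuers it expects.

```python
"""Added example, not vendor code: flag the side effects of steps 3 and 4 on constructed data."""
from dataclasses import dataclass

# Constructed baseline: the records and certificate issuers the organization expects.
BASELINE = {
    "mail.example.gov": {"A": {"198.51.100.10"}, "MX": {"mail.example.gov."}},
    "example.gov": {"NS": {"ns1.example.gov.", "ns2.example.gov."}},
}
EXPECTED_ISSUERS = {"Example Corporate CA"}  # constructed issuer name

@dataclass
class Finding:
    name: str    # DNS name the finding concerns
    kind: str    # record type, or "CERT" for a certificate-transparency finding
    detail: str

def diff_records(baseline, observed):
    """Step 3 signal: any value added to or missing from a monitored record set."""
    findings = []
    for name, types in baseline.items():
        for rtype, expected in types.items():
            seen = set(observed.get(name, {}).get(rtype, ()))
            for added in sorted(seen - expected):
                findings.append(Finding(name, rtype, f"unexpected value {added}"))
            for missing in sorted(expected - seen):
                findings.append(Finding(name, rtype, f"missing value {missing}"))
    return findings

def unexpected_certs(ct_entries, monitored, expected_issuers):
    """Step 4 signal: a CT entry for a monitored name from an issuer we do not use."""
    return [Finding(e["name"], "CERT", f"issued by {e['issuer']}")
            for e in ct_entries
            if e["name"] in monitored and e["issuer"] not in expected_issuers]

def run(observed, ct_entries):
    return diff_records(BASELINE, observed) + unexpected_certs(
        ct_entries, set(BASELINE), EXPECTED_ISSUERS)

# Constructed observation: the mail host's A record now resolves elsewhere and a
# certificate for it has appeared from a CA the organization does not use.
OBSERVED = {
    "mail.example.gov": {"A": ["203.0.113.7"], "MX": ["mail.example.gov."]},
    "example.gov": {"NS": ["ns1.example.gov.", "ns2.example.gov."]},
}
CT_ENTRIES = [
    {"name": "mail.example.gov", "issuer": "Example Corporate CA"},
    {"name": "mail.example.gov", "issuer": "Constructed Public ACME CA"},
]

for f in run(OBSERVED, CT_ENTRIES):
    print(f"{f.kind:<4} {f.name}: {f.detail}")
```

Against the constructed observation this reports the changed A record twice (new value present, expected value absent) and the certificate from the unexpected issuer; in practice the baseline would be refreshed from the registrar's authoritative zone and the observed data pulled from independent resolvers and public CT logs.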