February 4, 2020 | Policy Brief

Turkey’s Pro-Government Hackers Grow Bolder

February 4, 2020 | Policy Brief

Turkey’s Pro-Government Hackers Grow Bolder

British and American officials have attributed a sweeping cyber-espionage campaign to hackers aligned with the Turkish government. The discovery of Ankara’s brazen cyber offensive, whose main targets included government agencies of EU member states Greece and Cyprus, reinforces Turkey’s disconcerting pattern of using cyber espionage and crime against U.S. allies.

Over the past two years, hackers aligned with the interests of the Turkish government reportedly have hacked the Greek and Cypriot governments’ email services as well as that of Iraq’s national security advisor. Though the hackers focused mainly on countries with whom Ankara has ongoing disputes, they also targeted domestic organizations the Turkish government views as threatening, such as the Turkish chapter of the Freemasons.

The espionage campaign tampered with the Domain Name System (DNS) of the targeted networks, enabling hackers to redirect victims to imposter websites with fake log-in portals so that the hackers could capture passwords and other credentials. Hackers then used the stolen credentials to access the networks of foreign governments and other organizations. Turkey’s leading internet service provider, Turk Telekom, also became the target of a similar DNS-style attack last week, although it remains unclear whether this was part of the campaign or a tit-for-tat response from the victims.

The British and American officials who revealed the Turkish campaign to Reuters explained that the operation appears to be state-backed because of the nature of the targets, the network infrastructure used, and other intelligence information. A Reuters correspondent attributed the campaign to Sea Turtle, a hostile group or advanced persistent threat (APT) with a history of launching similar DNS-style campaigns.

The hacking also bears similarities to prior Turkish cyber operations. Earlier this month, Greek media reports claimed that Turkish hackers breached the official webpages of Greece’s foreign and finance ministries, parliament, National Intelligence Service, and the Athens Stock Exchange in response to Greece’s alleged threats against Turkey during their recent territorial disputes in the eastern Mediterranean. In 2016, a team of Turkish nationalist hackers known for focusing on EU countries attacked Austria’s National Bank, foreign and defense ministries, and Federal Army.

Turkish nationalist hackers also frequently target the websites and Twitter accounts of foreign media personalities and politicians, often as retribution for the foreign policies of their leaders. In 2018, hacker group Ayyildiz Tim hijacked and filled NBC reporter Peter Alexander’s Twitter account with pro-Erdogan, Turkish nationalist videos, images, and tweets. This followed a widespread attack on the accounts of conservative American media personalities, apparently targeted for their closeness to Trump. The same hackers took over the account of Israeli Ambassador Dore Gold, a former adviser to Prime Minister Benjamin Netanyahu, posting provocative messages in response to the U.S. recognition of Jerusalem as the capital of Israel. Previously, similar attacks targeted the websites of Israel’s Mossad and central bank as well as that of the U.S. Federal Reserve, cutting off user access to the sites for hours. Though these hackers technically function independently, they espouse a specific brand of antagonistic nationalism that mirrors Erdogan’s own.

Washington should view Ankara’s latest cyber campaigns as an extension of Turkey’s increasingly hostile foreign policy towards the United States and other allies. U.S. officials should expect more of the same type of attacks moving forward and must clearly communicate to their Turkish counterparts that support for or tolerance of these types of cyber operations will result in indictments, sanctions, and other comparable responses from Washington.

Brenna Knippen is a research associate focusing on Turkey at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. They both contribute to FDD’s Center on Cyber and Technology Innovation (CCTI). For more analysis from Brenna, Trevor, and CCTI, please subscribe HERE. Follow Brenna and Trevor @brenna_knippen and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.


Cyber Cyber-Enabled Economic Warfare Israel Turkey