Cyber Threat Actor: Turksiberkarargh

The threat actor is knownby the aliases Turksiberkarargh, Turk Siber Karargah and Turkish Cyber Army. According to the provided context, its location is indicated as China, though this is noted as information that is known if available. The actor came to public attention through a website defacement targeting a Cambodian non‑governmental organization. On July 10, 2018 the group Adhoc reported that its site adhoccambodia.org was taken over and replaced with a message stating “Sorry, we’re doing some work on the site.”

The defacement effectively blocked visitors from accessing the organization’s published information, which the NGO described as an act of blocking information posted on its website. No explicit mention of financial gain, espionage objectives or malware usage appears in the source material describing this incident. Because the report does not detail any malicious code, exploit tools or initial access methods, no specific TTPs such as malware families or phishing vectors can be derived from the available evidence. The source does not attribute the actor to any state‑sponsored program or criminal consortium; the only linkage to China mentioned in the context concerns a separate espionage group (TEMP.Periscope) and not Turksiberkarargh.

The Adhoc incident is presented as a standalone operation, with no indication that it formed part of a larger campaign or series of attacks attributed to the same alias. The article notes that the defacement occurred around the same time that FireEye reported Chinese‑linked espionage activity by TEMP.Periscope against Cambodian governmental and political targets, but it does not connect the two events beyond temporal proximity. Consequently, the only publicly reported operation linked to Turksiberkarargh remains the defacement of the Adhoc website, which resulted in a temporary loss of online presence for the rights group. The defacement message itself was simple, consisting only of a generic maintenance notice that did not contain any political slogans, threats or demands commonly associated with hacktivist or financially motivated attacks. No further incidents, tools, or affiliations are described in the supplied sources, so the profile is limited to the facts presented above.