Cyber Incident Victim: MurenShark
Date: Aug 2022
Location: Turkey
Summary
A newly identified APT group, tracked as MurenShark, conducted cyber espionage operations against Turkey's indigenous MÜREN submarine combat management system project. The attackers focused on personnel associated with the project, including Naval Forces Command and TÜBİTAK staff, and ran phishing campaigns whose malicious documents were disguised as correspondence from those institutions. The lures delivered malware including the AgentTesla information stealer, and the group used a compromised Cypriot university website as a long-term command-and-control server. Analysts assessed that the actor was well able to obscure its origin and operational footprint. Whether the intrusion achieved its objectives remains unconfirmed, but the fact that the lure documents were genuine files taken from the targeted institutions, together with the actor's control of third-party infrastructure, suggests that some systems were compromised.
Description
In early August 2022, a newly identified advanced persistent threat (APT) group designated MurenShark conducted cyber espionage operations targeting Turkey’s MÜREN submarine combat management system project. The attacks focused on the Turkish Naval Forces Command (DKK) and the Scientific and Technological Research Council of Turkey (TÜBİTAK), along with universities, research institutes, and other military-affiliated entities associated with defense projects. According to a report by the Chinese cybersecurity firm NSFocus, the threat actors ran phishing campaigns using two stolen documents, one taken from TÜBİTAK and another from DKK, as malicious attachments. The documents were weaponized to deliver malware, and the fact that the lures were genuine internal files rather than fabrications indicates that MurenShark had already gained access to at least some target environments. For infrastructure, the group compromised the official website of Cyprus’s Near East University and used it as a remote command-and-control server for more than a year before the incident.

MurenShark demonstrated advanced tradecraft in obscuring its origins and infrastructure, which prevented attribution to any geographic region or organization. Cybersecurity analyst Ersin Çahmutoğlu assessed that the group possesses significant technical capability, using customized tools and evasion techniques to erase forensic traces. While the report confirmed that MÜREN project personnel, including TÜBİTAK designers and Naval Forces project reviewers, were targeted, it did not verify whether sensitive data was exfiltrated. TÜBİTAK had previously suffered multiple intrusions; in this campaign the lures were compressed malicious attachments and exploit documents mimicking legitimate correspondence, used to deliver payloads such as the AgentTesla information-stealing trojan. The operation highlights the persistent threat to Turkey’s defense research ecosystem, in particular the use of compromised institutional channels to obtain initial access.
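The two tradecraft elements the report describes, impersonated institutional mail carrying compressed lure documents and a long-lived beacon to a compromised but otherwise legitimate website, both leave detectable traces at the mail gateway and the web proxy. The script below is an added example written for this page, not code from NSFocus or any other source; the log lines are constructed, and the "trusted" sender domains (`tubitak.example`, `dzkk.example`) and the host `cms.university.example` are placeholders rather than real indicators from the campaign.

```python
"""
Triage heuristics for the two MurenShark TTPs described above:
  (1) mail whose display name claims TÜBİTAK or the Naval Forces (DKK)
      while the sender domain is not the institution's own, and/or whose
      archive attachment wraps an Office document or executable;
  (2) a near-periodic series of requests from one client to one URL,
      the shape a beacon to a compromised-website C2 takes in proxy logs.
Log lines and domain lists are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the domains this organisation treats as genuine for each
# institution. Placeholder values, not taken from any report.
TRUSTED_DOMAINS = {"tubitak": "tubitak.example", "dkk": "dzkk.example"}
IMPERSONATION_PATTERNS = {
    "tubitak": re.compile(r"t[üu]b[iİı]tak", re.IGNORECASE),
    "dkk": re.compile(r"deniz kuvvetleri|naval forces|\bdkk\b", re.IGNORECASE),
}
ARCHIVE_EXT = {"zip", "rar", "7z", "gz", "cab"}
LURE_EXT = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "exe", "scr", "lnk"}

MAIL_LINE = re.compile(
    r'^(?P<ts>\S+) from="(?P<name>[^"]*)" <(?P<addr>[^>]+)> '
    r'attach=(?P<attach>\S+)(?: inner=(?P<inner>\S+))?$'
)
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+)$")


def triage_mail(line):
    """Return the list of reasons a mail-gateway line is suspicious ([] if none)."""
    m = MAIL_LINE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    name, addr = m.group("name"), m.group("addr")
    domain = addr.rsplit("@", 1)[-1].lower()
    for inst, pattern in IMPERSONATION_PATTERNS.items():
        if pattern.search(name) and domain != TRUSTED_DOMAINS[inst]:
            reasons.append(f"display name claims {inst} but sender domain is {domain}")
    ext = m.group("attach").rsplit(".", 1)[-1].lower()
    inner = m.group("inner")
    if ext in ARCHIVE_EXT and inner:
        inner_ext = inner.rsplit(".", 1)[-1].lower()
        if inner_ext in LURE_EXT:
            reasons.append(f"archive {m.group('attach')} wraps a .{inner_ext} file")
    return reasons


def find_beacons(lines, min_hits=6, max_jitter=0.2):
    """Group requests by (client, host, path) and flag series whose
    inter-request gaps are near-constant: coefficient of variation below
    max_jitter over at least min_hits requests. Returns [(key, mean_gap_s)]."""
    series = defaultdict(list)
    for line in lines:
        m = PROXY_LINE.match(line)
        if m:
            key = (m.group("src"), m.group("host"), m.group("path"))
            series[key].append(datetime.fromisoformat(m.group("ts")))
    flagged = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged.append((key, avg))
    return flagged


# Constructed sample data (not real campaign artefacts).
MAIL_LOG = [
    '2022-08-02T09:14:00 from="TÜBİTAK Proje Ofisi" <proje@tubitak-mail.example> '
    'attach=MUREN_degerlendirme.rar inner=MUREN_degerlendirme.docx',
    '2022-08-02T09:20:00 from="Ayse Yilmaz" <ayse@tubitak.example> attach=toplanti.pdf',
    '2022-08-02T10:02:00 from="Deniz Kuvvetleri Komutanligi" <bilgi@dzkk.example> '
    'attach=duyuru.zip inner=duyuru.exe',
]
# One client polling one path every ~5 minutes with a few seconds of jitter,
# plus a second client with irregular browsing to a news site as noise.
PROXY_LOG = [
    f"2022-08-02T08:{i * 5:02d}:{(i * 7) % 11:02d} 10.0.0.5 cms.university.example /media/lib.php"
    for i in range(8)
] + [
    f"2022-08-02T{h:02d}:{mi:02d}:00 10.0.0.7 news.example /"
    for h, mi in [(8, 0), (8, 1), (8, 30), (9, 45), (9, 46), (11, 0)]
]


def run():
    """Apply both heuristics to the constructed logs."""
    return {
        "mail": [(line.split('"')[1], triage_mail(line)) for line in MAIL_LOG],
        "beacons": find_beacons(PROXY_LOG),
    }


if __name__ == "__main__":
    for name, reasons in run()["mail"]:
        print(f"{name!r}: {reasons or 'clean'}")
    for key, gap in run()["beacons"]:
        print(f"beacon candidate {key} every ~{gap:.0f}s")
```

The third mail line shows why the two mail checks are kept independent: the sender domain is the trusted one, so no impersonation is flagged, but an archive wrapping an executable is still reported. The periodicity check is deliberately crude (a coefficient-of-variation threshold on raw gaps); in production it should be run over a window of at least a day and combined with a reputation or first-seen check on the destination host, since a compromised university site will otherwise look legitimate.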
