Cyber Incident Victim: Turkish chapter of the Freemasons

Date: Jan 2018

Location: Turkey

Summary

Cyberattacks attributed to state-aligned actors advancing Turkish interests employed DNS hijacking to compromise government and organizational networks across Europe and the Middle East. Targets included multiple governments' email systems, security services, and entities like the Turkish Freemasons chapter, with attackers redirecting traffic to impersonation sites to harvest credentials. While victims such as Cypriot and Iraqi agencies confirmed containment efforts or non-classified system impacts, the Freemasons organization denied successful breaches or data exfiltration, rejecting alleged ties to cleric Fethullah Gulen. Western intelligence assessments linked the campaign's infrastructure, victim profiles, and tradecraft to coordinated espionage activity.

Description

Between late 2018 and early 2020, a series of cyberattacks targeting at least 30 organizations across Europe and the Middle East were attributed by Western security officials to hackers advancing Turkish geopolitical interests. The campaign employed DNS hijacking techniques to redirect victims' web traffic to attacker-controlled servers, enabling credential theft from government email services, cloud storage platforms, and security agency portals. Primary victims included the Cypriot and Greek government email systems, Iraq's National Security Advisor, Albanian state intelligence, and civilian entities such as the Great Liberal Lodge of Turkey (a Freemasons chapter). Attackers compromised DNS records to intercept login attempts, potentially exposing hundreds of credentials from Albanian intelligence personnel and other targets. Public internet records indicated the attacks began no later than early 2018, with ongoing activity reported through January 2020.

The Cypriot government confirmed containment measures were implemented immediately after detecting the attacks, while Albanian officials clarified only non-classified infrastructure was breached. The Great Liberal Lodge of Turkey disputed claims of successful data exfiltration, asserting robust security precautions prevented actual compromise. Turkish authorities declined direct comment but emphasized Turkey's own vulnerability to cyber operations. Western intelligence assessments linked the campaign to Turkish interests based on victim profiles (countries with geopolitical significance to Turkey), infrastructure similarities to prior Turkey-associated attacks, and classified intelligence corroboration. Technical analysis by firms like Team Cymru revealed attackers breached organizations controlling top-level internet domains, expanding the attack surface. No group claimed responsibility, and investigators found no connection to a separate 2018 DNS hijacking campaign. Impact assessments noted operational disruption to diplomatic communications and heightened concerns about fundamental internet infrastructure vulnerabilities.
