Since mid-March, Turk Hack Team have been participating in a new campaign called “Netherlands Operation”, announced via their official Twitter feed. This account also published claims of 252 Dutch-based websites defacement, alongside alleged screenshots of the defaced websites.
Figure 1 Image tweeted from the Twitter account associated with Turk Hack Team: https://twitter.com/Official_THT/status/840958879085256705 Translation: Turk Hack Team presents…Netherlands Operation. All Turk Hack Team members are invited…
Turk Hack Team have previously targeted websites and groups whom they judge to have disrespected or otherwise slighted the state of Turkey since 2013. The group consists of a group of patriotic hackers who most often engage in website defacement. The majority of the group’s activity is in the Turkish language, and previous attacks indicate a strong bias towards supporting the Turkish state and Turkey’s controversial president Recep Tayyip Erdoğan. Most notably, the group claimed credit for a distributed denial of service (DDoS) attack against the US Library of Congress in July 2016 motivated by a perception that the US government had a role to play in the instigation of an attempted coup.
Since the announcement of the campaign, Digital Shadows have detected indications that at least 2,700 websites had been defaced with messages from the group including the terms “TurkHackTeam Netherlands operation” (see Figure 2, for examples of search engine listings showing defacement messages on several websites). Most of the affected websites used the Dutch and German top level domain. In addition to the website defacements, Digital Shadows also found claims of data dumps for other Dutch websites, including healthcare and government entities, among others. A dedicated forum for the group also contained posts related to the campaign.
Figure 2 Examples of defacement messages
Turk Hack Team is not the only group actively targeting Dutch-based entities. On March 13, 2017, several Dutch and English-language media outlets reported that “hundreds” of websites had been defaced by the threat group “PrivateHackers”. In these instances, the actors reportedly compromised two servers owned by Netherlands-based hosting company Versio, allowing defacement messages to be placed on websites hosted on those servers. It remains unknown, however, how Turk Hack Team was able to gain access to the over 2,700 Dutch websites.
Ongoing Geopolitics between Turkey and the Netherlands
Many of the defacements made by Turk Hack Team carry nationalist messages and criticize the Netherlands for recent political actions affecting Turkish ministers. As highlighted in the timeline below, tensions have risen between the two countries over the last three months, but the source of the issue can be traced back to the failed Turkish coup attempt in July 2016.
Following the coup attempt, Turkish President Recep Tayyip Erdogan pushed for an expansion of his executive powers. On January 9, 2017, the Turkish parliament passed a bill calling for a constitutional referendum to be voted on by the public to give the president these expanded powers. Since then, support for a ‘yes’ vote has been spread across Turkey via the Erdogan government. Erdogan’s efforts have expanded beyond Turkey’s borders and he has attempted to garner favor with Turkish expatriates in Europe. Citing security reasons, officials in Germany blocked Turkish ministers from entering several German towns between February 27 and March 3, 2017. On March 11, a Turkish minister was blocked from entering Rotterdam in the Netherlands. Both incidents prompted responses from Erdogan, who claimed Germany was using “Nazi practices” and threatened that the Netherlands would “pay the price” for blocking the minster. These events have apparently catalyzed the hacktivist response amongst patriotic groups (see Figure 3 for a timeline of significant events).
Figure 3 Timeline of geopolitical escalation and hacktivist activities in 2017
Referendum vote approaches
Some of the Turkish attacks have coincided with the Dutch election which took place on March 15. We have also seen evidence of retaliation from Dutch-based actors in the form of an attempted doxing of the Turkish actors responsible for the Versio defacements mentioned above, although nothing on the scale of the activity from the Turkish actors has been observed. As the referendum vote scheduled for April 16 approaches, we anticipate further activity from Turk Hack Team as well as other pro-Turkey threat actors.