Marita La Palm is a graduate student at American University where she focuses on terrorism, countering violent extremism, homeland security policy, and cyber domain activities.  She can be found on Twitter at maritalp.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group. 


Title:  Assessment of the Threat Posed by the Turkish Cyber Army

Date Originally Written:  March 25, 2018.

Date Originally Published:  April 9, 2018.

Summary:  The Turkish-sympathetic hacker group known as the Turkish Cyber Army has changed tactics from seizing and defacing websites to a Twitter phishing campaign that has come remarkably close to the President of the United States.

Text:  The Turkish Cyber Army (Ay Yildiz Tim) attempted to compromise U.S. President Donald Trump’s Twitter account in January of 2018 as part of a systematic cyber attack accompanying the Turkish invasion of Syria.  They were not successful, but they did seize control of various well-known accounts and the operation is still in progress two months later.

Although the Turkish Cyber Army claims to date back to a 2002 foundation in New Zealand, it first appears in hacking annals on October 2, 2006.  Since then, the group has taken over vulnerable websites in Kenya, the European Union, and the United States[1].  As of the summer of 2017, the Turkish Cyber Army changed tactics to focus on Twitter phishing, in which they use the compromised Twitter account of a trustworthy source to bait a target into surrendering log-in credentials[2].  They do this by sending a direct message from a familiar account they control, telling the desired victim to click on a link and enter their log-in information into a page that looks like Twitter but actually records their username and password.  Upon accessing the victim’s account, the hackers rapidly make pro-Turkish posts, download the message history, and send new phishing attacks through the new account, all within a few hours.  The Turkish Cyber Army claims to have downloaded the targets’ messages, apparently both for intelligence purposes and to embarrass the target by publicly releasing the messages[3].  Oddly enough, the group has yet to release the private messages they acquired in spite of their threats to do so.  The group is notable both for their beginner-level sophistication when compared to state hackers such as Fancy Bear and for the way they broadcast every hack they make.

The first documented victim of the 2018 operation was Syed Akbaruddin, Indian Permanent Representative to the United Nations.  Before the attack on Akbaruddin, the hackers likely targeted Kurdish accounts in a similar manner[4].  Since these initial attacks, the Turkish Cyber Army moved steadily closer to accounts followed by President Trump and even managed to direct message him on Twitter[5].  In January 2018, they phished multiple well-known Western public figures such as television personality Greta van Susteren and the head of the World Economic Forum, Børge Brende.  It so happened that Greta and Eric Bolling, another victim, are two of only 45 accounts followed by President Trump.  From Eric and Greta’s accounts, the hackers were able to send messages to Trump.  Two months later, the Turkish Cyber Army continued on Twitter, but now primarily with a focus on Indian accounts.  The group took over Air India’s Twitter account on March 15, 2018.  However, the aftereffects of their Western efforts can still be seen: on March 23, 2018, the Chief Content Officer of Time, Inc. and the President of Fortune, Alan Murray, tweeted, “I was locked out of Twitter for a month after being hacked by the Turkish cyber army…” Meanwhile, the Turkish Cyber Army has a large and loud Twitter presence with very little regulation, considering they operate as an openly criminal organization on the platform.

President Trump’s personal Twitter account was also a target for the Turkish Cyber Army.  This is not a secret account known only to a few.  President Trump’s account name is public, and his password is all that is needed to post unless he has set up two-factor authentication.  Trump uses his account to express his personal opinions, and since some of his tweets have had high shock value, a fake message intended to disrupt might go unquestioned.  It is fair to assume that multiple groups have gone at President Trump’s account with a password cracker without stopping since inauguration.  It is only a matter of time before a foreign intelligence service or other interested party manages to access President Trump’s direct messages, make provocative statements from his account that could threaten the financial sector or national security, and from there go on to access more sensitive information.  While the Turkish Cyber Army blasts their intrusion from the compromised accounts, more sophisticated hacking teams would be in and out without a word and might have already done so.  The most dangerous hackers would maintain that access for the day it is useful and unexpected.

While nothing immediately indicates that this group is a Turkish government organization, they are either supporters of the current government or work for it.  Both reporter Joseph Cox and the McAfee report claimed the group used Turkish code[6].  Almost a hundred actual or bot accounts have some identifier of the Turkish Cyber Army, none of which appear to be censored by Twitter.  Of particular interest in the group’s history are the attacks on Turkish political party Cumhuriyet Halk Partisi’s (CHP) deputy Eren Erdem, alleging his connections with Fethullah Gulen, and the 2006 and possible 2017 attempts to phish Kurdish activists[7].  The Turkish Cyber Army’s current operations occurred on the eve of massive Turkish political risk, as the events in Syria could have ended Turkish President Recep Tayyip Erdogan’s career had they gone poorly.  Not only did Turkey invade Syria in order to attack trained troops of its North Atlantic Treaty Organization (NATO) ally, the United States, but Turkish representatives had been banned from campaigning in parts of the European Union, and Turkish banks might face a multi-billion dollar fine thanks to the Reza Zarrab case[8].  Meanwhile, both Islamist and Kurdish insurgents appeared emboldened within the country[9].  Turkey had everything to lose, and a cyberattack, albeit not that sophisticated but conducted against high value targets, was a possibility while the United States appeared undecided as to whom to back — its proxy force or its NATO ally.  In the end, the United States has made efforts to reconcile diplomatically with Turkey since January, and Turkey has saved face.


Endnotes:

[1] Ayyildiz Tim. (n.d.). Retrieved January 24, 2018, from https://ayyildiz.org/; Turks ‘cyber-leger’ kaapt Nederlandse websites. (2006, October 2). Retrieved January 24, 2018, from https://www.nrc.nl/nieuws/2006/10/02/turks-cyber-leger-kaapt-nederlandse-websites-11203640-a1180482; Terry, N. (2013, August 12). Asbury park’s website taken over by hackers. McClatchy – Tribune Business News; Ministry of transport website hacked. (2014, March 5). AllAfrica.Com.

[2] Turkish hackers target Sevan Nishanyan’s Twitter account. (2017, July 28). Armenpress News Agency.

[3] Beek, C., & Samani, R. (2018, January 24). Twitter Accounts of US Media Under Attack by Large Campaign. Retrieved January 24, 2018, from https://securingtomorrow.mcafee.com/mcafee-labs/twitter-accounts-of-us-media-under-attack-by-large-campaign/.

[4] #EfrinNotAlone. (2018, January 17). “News that people  @realDonaldTrump followers have been hacked by Turkish cyber army. TCA made an appearance a few days ago sending virus/clickey links to foreigners and my Kurdish/friends. The journalist who have had their accounts hacked in US have clicked the link.”  [Tweet]. https://twitter.com/la_Caki__/status/953572575602462720.

[5] Herreria, C. (2018, January 17). Hackers DM’d Donald Trump With Former Fox News Hosts’ Twitter Accounts. Retrieved March 25, 2018, from https://www.huffingtonpost.com/entry/eric-bolling-greta-van-susteren-twitter-hacked_us_5a5eb17de4b096ecfca88729

[6] Beek, C., & Samani, R. (2018, January 24). Twitter Accounts of US Media Under Attack by Large Campaign. Retrieved January 24, 2018, from https://securingtomorrow.mcafee.com/mcafee-labs/twitter-accounts-of-us-media-under-attack-by-large-campaign/; Joseph Cox. (2018, January 23). “Interestingly, the code of the phishing page is in… Turkish. “Hesabın var mı?”, or “Do you have an account?”.”  [Tweet]. https://twitter.com/josephfcox/status/955861462190383104.

[7] Ayyıldız Tim FETÖnün CHP bağlantısını deşifre etti. (2016, August 27). Retrieved January 24, 2018, from http://www.ensonhaber.com/ayyildiz-tim-fetonun-chp-baglantisini-desifre-etti-2016-08-28.html; Turks ‘cyber-leger’ kaapt Nederlandse websites. (2006, October 2). Retrieved January 24, 2018, from https://www.nrc.nl/nieuws/2006/10/02/turks-cyber-leger-kaapt-nederlandse-websites-11203640-a1180482.

[8] Turkey-backed FSA entered Afrin, Turkey shelling targets. (2018, January 21). BBC Monitoring Newsfile; Turkey blasts Germany, Netherlands for campaign bans. (2017, March 5). BBC Monitoring European; Zaman, A. (2017, December 07). Turkey probes US prosecutor in Zarrab trial twist. Retrieved January 24, 2018, from https://www.al-monitor.com/pulse/originals/2017/11/turkey-probes-reza-zarrab-investigators.html.

[9] Moore, J. (2017, December 28). Hundreds of ISIS fighters are hiding in Turkey, increasing fears of attacks in Europe. Retrieved January 24, 2018, from http://www.newsweek.com/hundreds-isis-fighters-are-hiding-turkey-increasing-fears-europe-attacks-759877; Mandıracı, B. (2017, July 20). Turkey’s PKK Conflict Kills almost 3,000 in Two Years. Retrieved January 24, 2018, from https://www.crisisgroup.org/europe-central-asia/western-europemediterranean/turkey/turkeys-pkk-conflict-kills-almost-3000-two-years.