Why Turkey, a NATO ally, is a huge target for malware

Istanbul (Getty Images)


Written by

Turkey’s internet infrastructure — which is relatively modern but alarmingly insecure — is teeming with malware, according to a recent intelligence report by private cybersecurity firm FireEye.

The U.S. company’s FireEye Email and Network protection services found that more “targeted malware” detections occurred in Turkey than in all of Europe combined in 2016. Intrusions in that category share characteristics with activity by known, advanced and likely nation-state-backed hackers, a FireEye spokesperson explained.

The sheer volume of complex cyberattacks aimed at Turkish targets is driven by several tangentially connected factors, security and foreign policy experts tell CyberScoop, including obsolete systems, desperate geopolitical conditions, government cronyism and generally poor IT management. Turkey, a NATO member, straddles the Middle East and Europe.

“The Middle East has some of the highest number of malware infections worldwide often due to outdated operating systems,” said former NSA analyst Blake Darche. “Geographically based at the entrance to the Middle East, it’s not surprising to see Turkey as a major target of attacks. Countries throughout the G-20 and beyond are extremely interested in Turkey’s handling of the refugee crisis. And this directly translates into targeted attacks from G-20 nations.”

Over the last several years, Turkish companies and government officials have repeatedly become the victims of both cybercrime and cyber-espionage. 

Two years ago, Anonymous claimed to have stolen emails and other communications belonging to staffers of Prime Minister Tayyip Erdogan.

“The geopolitical situation in and surrounding Turkey has attracted a number of the bigger cyber-espionage, APT groups,” said John Hultquist, iSight’s director of espionage analysis. “What we’re seeing is some of the most advanced hacking groups lurking on Turkish networks, and it’s largely because of Syria … [Turkish] political groups, financial institutions, civil society, it’s all being targeted.”

In October, the country’s first initial public offering in nearly six months was derailed by a data breach.

Six months prior, an unnamed hacker posted a 1.4 gigabyte file to the web that contained what appeared to be the personal data of roughly 50 million Turkish citizens. The massive data leak included citizens’ names, addresses, parents’ first names, cities of birth, birth dates and national identification numbers, which are assigned by the Turkish government.

“We’re seeing a bit of everything from phishing emails to disinformation campaigns happening right now [in Turkey],” added Hultquist. “Some of it is simply driven by ISIS, by Syria and the refugee situation … There’s really no understating the amount of resources being driven into that conflict.”

Neighborhood troubles

Turkey’s contentious relationship with two of its most powerful neighbors, Iran and Russia, contributes significantly to the prominence of targeted, complex cyberattacks, said Cenk Sidar, CEO of Sidar Global Advisors, a global research, political and business consulting firm.

“I think it’s no coincidence what’s happening in Turkey when you consider the cyber capabilities that Russia and Iran have and are investing in,” said Sidar, a Turkish national whose firm advises Fortune 100 companies, hedge funds and private equities in overseas operations and investments.

“You’ve seen what they are possible of with the U.S. election,” Sidar said with a brief chuckle, “you think that sort of thing isn’t happening in Turkey, even right now while relations with Russia are better?”

Malware is generally just one indicator of regional data breaches and is typically the end of an attack chain, meaning that it doesn’t reflect attacks or other digital intrusions that were blocked further up the chain, explained Orla Cox, a senior manager of security intelligence at Symantec. It remains possible that FireEye’s data for Turkey may be somewhat skewed due to the firm’s customer base.

According to Symantec’s latest Internet Security Threat Report, Turkey accounted for 3.4 percent of all malware detections across a combination of Europe, the Middle East and Africa in 2016.

Higher connectivity, lower security

Nick Rossman, a FireEye Senior Manager for Intelligence Production, said that while geopolitical tensions may be one of the leading factors for why Turkey is so heavily targeted by hackers, there are other causes.

Turkey’s comparatively superior communications systems and a widespread underinvestment in digital security writ large are also to blame, he explained.

“Turkey has one of the better internet infrastructures in the Middle East, and so we have seen hackers route traffic out of there before,” Rossman said during a phone interview. “Connectivity matters and Turkey is home to several financial institutions that also service the Middle East, Russia and Iran … really there’s widespread penetration in these areas.”

Hackers are finding success against Turkish internet systems because of decisions made by the country’s ruling political class, said Turkish journalist Efe Kerem Sözeri.

“The real problem [I think] is mismanagement — obvious from the .tr DNS — and the lack of investment [in cybersecurity]. Both of these weaknesses are still making Turkey an easy target,” said Sözeri, “[and] behind the mismanagement and poor infrastructure is the government control. While other sectors of business, such as construction, are relatively open and smaller businesses are competitive, the media and communications sector is under the tight control of the government party.”

Turkey’s official domain name servers came under a massive distributed denial of service attack in December 2015, which caused widespread disruption to the country’s internet. Throughout Turkey, domain names that end with country’s unique two-letter country code .tr must be registered by an administrative office in Ankara, known as the NIC.tr. The NIC.tr maintains and services a large number of .tr domains.

Because so much of Turkey’s internet is centralized in this fashion, cyberattacks on the NIC.tr can consequently affect millions of Turkish citizens, services and businesses.

“Personal security seems [just] as weak as nationwide infrastructure,” described Sözeri, “From the Energy Minister Berat Albayrak’s email leak, we also know that the key people in the government, including officials and Erdogan family, is not taking the necessary precautions, using Gmail for communication, no encryption for critical information etc.”

In recent weeks, there have been multiple reports of advanced hacking operations and misinformation campaigns aimed at NATO countries. Some of these hacking and cyber-espionage campaigns have been linked by private cybersecurity firms back to APT28— better known as the group responsible for breaching the Democratic National Committee, according to reports authored by the U.S. intelligence community.

“The truth is we’ve always had a delicate relationship with Russia, it’s been going on for 200 or 300 years,” Sidar summarized. “Their interests, their influence, that will continue in Turkey … some of what’s happening in cyber is just that.”

-In this Story-

foreign policy, hacking, information operations, international relations, Iran, NATO, Russia, Turkey