Hackers acting for Turkey said to be behind recent cyberattacks


Sweeping cyberattacks targeting governments and organisations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, senior Western security officials said.

The hackers attacked at least 30 organisations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public internet records. Victims include Cypriot and Greek government email services and the Iraqi government’s national security advisor, records show.

The attacks intercept internet traffic to victim websites, potentially enabling hackers to obtain illicit access to the networks of government bodies and other organisations.

According to two British officials and a US official, the activity bears the hallmarks of a state-backed cyber espionage operation to advance Turkish interests.

Their conclusion is based on three elements: identities and locations of victims, which included governments of countries geopolitically significant to Turkey; similarities to previous attacks used infrastructure registered from Turkey; and information contained in confidential intelligence assessments.

The officials said it wasn’t clear which individuals or organisations were responsible but they believed the attacks were linked because they used the same servers and other infrastructure.

Turkey’s Interior Ministry declined to comment. A senior Turkish official did not respond directly to questions about the campaign but said Turkey was itself frequently a victim of cyberattacks.

The Cypriot government said in a statement “relevant agencies were immediately aware of the attacks and moved to contain” them. “We will not comment on specifics for reasons of national security,” it added.

Officials in Athens had no evidence the Greek government email system was compromised. The Iraqi government did not respond to requests for comment.

The Cypriot, Greek and Iraqi attacks identified by Reuters occurred in late 2018 or early 2019, according to public internet records. A broader series of attacks is ongoing, according to officials and private cybersecurity investigators.

A spokeswoman for the UK’s National Cyber Security Centre, part of the GCHQ signals intelligence agency, declined to comment on the attacks. In the United States, the Office of the Director of National Intelligence declined to comment as well and the FBI did not respond to a request for comment.


The attacks highlight a weakness in a core pillar of online infrastructure that can leave victims exposed to attacks outside their own networks, making them difficult to detect and defend against, cybersecurity specialists said.

The hackers used a technique known as DNS hijacking, according to Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers are able to redirect visitors to imposter websites, such as a fake email service and capture passwords and other text there.

Reuters reviewed public DNS records, which showed when website traffic was redirected to servers identified by private cybersecurity firms as being controlled by the hackers. All victims identified by Reuters had traffic to their websites hijacked – often traffic visiting login portals for email services, cloud storage servers and online networks — according to the records and cybersecurity experts who studied the attacks.

The attacks have occurred since at least early 2018, records show.

While small-scale DNS attacks are relatively common, the scale of these attacks alarmed Western intelligence agencies, said the officials and other US intelligence officials. They believed the attacks were unrelated to a campaign using a similar attack method uncovered in late 2018.

As part of the attacks, hackers breach organisations controlling top-level domains, the suffixes at the end of web addresses immediately after the dot symbol, said James Shank, a researcher at US cybersecurity firm Team Cymru, which notified some victims.

Victims included Albanian state intelligence, according to public internet records. Albanian state intelligence had usernames and passwords compromised as a result of the attacks, according to one private cybersecurity investigator, familiar with intercepted web traffic.

The Albanian State Information Service said the attacks were on non-classified infrastructure, which does not store or process any “any information classified as ‘state secret’ of any level.”

Civilian organisations in Turkey were also attacked, records show, including a Turkish chapter of the Freemasons, which conservative Turkish media said is linked to US-based Muslim cleric Fethullah Gulen accused by Ankara of masterminding a failed coup attempt in 2016.

The Great Liberal Lodge of Turkey said there were no records of cyberattacks against hijacked domains identified by Reuters and there was “no data exfiltration.”

“Thanks to precautions, attacks against the sites are not possible,” a spokesman said, adding the cleric has no affiliation with the organisation.

The cleric publicly denied masterminding the attempted coup, saying “it’s not possible,” and said he is against coups.

A spokesman for Gulen said Gulen was not involved in the coup attempt and repeatedly condemned it and its perpetrators. Gulen has never been associated with the Freemason organisation, the spokesman added.