Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group carried out a broad campaign of espionage via DNS hijacking, hitting 40 different, mainly governmental, organisations in countries of the Middle East and North Africa, including Cyprus.
The group, named “Sea Turtle” is believed to have compromised multiple country-code top-level domains—the suffixes like .gov.cy or .co.uk that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.
The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system.
But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organisations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa.
Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations.
However, it did provide a list of the countries where victims were located: Cyprus, Albania, Armenia, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates.
Cisco Talos said that the group could have been backed by a nation-state.
What is DNS hijacking?
According to Wired, DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as “google.com,” into the IP address that represents the actual computer where that service is hosted, such as “18.104.22.168.”
Corrupt that system, and hackers can redirect that domain to any IP address they choose.
How could have the hacking affected users?
“When you’re on your computer and visit your bank, you assume DNS servers will tell you the truth,” Cisco Talos researcher Craig Williams told Wired. “Unfortunately what we’re seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to.”
Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco’s researchers.
The hackers would change the target organisation’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. When users then attempted to reach the victim’s network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.
The hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network.
To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they’d intercepted vast troves of the target organisation’s data, and the keys to enter its network at will.
Defending Against Sea Turtle
Cisco Talos has a few recommendations to help organisations minimize the risk of being a victim of a DNS hijacking attack.
- Use a Registry Lock Service – With registry lock, changes can only be made after an additional message and request for authorization is made.
- Secure Access with MFA – Domain access should be secured with more than just a username and a password. Multi-factor authentication (MFA) requires the use of a secondary password or token to gain access.
Williams commented that the use of DNSSEC, may help with this issue but the attackers have shown their ability to work around defensive strategies so it’s impossible to say for certain. DNSSEC (DNS security extensions) provide an additional degree of cryptographic assurance to domain name information.
“Patching, Defense in depth, and user education are key,” Williams said.
Read the full WIRED article here.