News broke overnight on how the state-backed “Sea Turtle” hacker group is hijacking government domains for entire countries.
Cyberspies Hijacked the Internet Domains of Entire Countries – A mysterious new group called Sea Turtle targeted 40 organizations https://t.co/BGbbPBmLkP via @WIRED #cybersecurity #cyberattacks #hacking #hackers
— Alex von Witzleben (@AlexWitzleben) April 18, 2019
In brief, the hackers would change the target organization’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. This sort of man-in-the-middle attack should be prevented by SSL certificates, but the hackers simply used spoofed certificates from Let’s Encrypt or Comodo, invalid on close inspection but still able to trick users with signs of legitimacy.
Martin Thorpe, Enterprise Security Architect at Venafi:
“This campaign of attacks is highly likely to have serious consequences. The impact of hijacking of the top-level domains – and the encrypted communication streams – for entire countries, including close UK and US allies such as Egypt, Turkey, Jordan and the UAE, is hard to overstate. We don’t know which communications have been intercepted, but it’s not hard to imagine the range of extremely sensitive political, military and commercial topics that could have been intercepted.
“Crucially, Sea Turtle’s attacks were aimed at the bedrock infrastructure of the internet. Targeting the top-level domains and DNS servers provides a clean – and hard to detect – end run around even the most sophisticated end-point protection, anti-virus, intrusion detection and advanced persistent threat defences. Sea Turtle went straight to attacking the machine identities that underpin all of the traditional cyber defence technologies. The attackers then carefully used Let’s Encrypt to issue forged certificates, successfully impersonating their targets.
“This attack shines a very bright spotlight on how we secure DNS servers and other core infrastructure. It also directly draws attention to how we secure and protect machine identities. Active monitoring of DNS and public certificates, similarly to how Venafi TrustNet operates, is now proven to be critical to enterprise and even governmental cyber defence.
“It is also important to note that this is not an isolated case. In the past few years we’ve seen an increasing number of incidents involving certificate authorities (CAs), which have resulted in compromised websites and companies.
“Earlier this year we released findings of the first ever academic study into the marketplace for legitimate TLS/SSL certificates on the dark web – machine identities which have an even greater level of trust – showing that hackers are now moving upstream to even higher value targets. The study, undertaken by The Center for Evidence-Based Cybersecurity at the Andrews School of Policy Studies at the University of Georgia and the University of Surrey, found a thriving marketplace for TLS certificates, with prices ranging up to $1,600.
“It is vital that the industry wakes up to this problem or we are likely to see even more attacks of this kind with increasing regularity and severity.”
Corin Imai, Senior Security Advisor at DomainTools:
“DNS hijacking is a particularly dangerous attack technique due to the wide variety of malicious activity that it can facilitate. Whether the redirected traffic is used for phishing purposes, or in order to provide targeted advertisements to people using specific websites, it can be a powerful tool. The fact that these websites are associated with government and infrastructure targets, it is likely that the aim of this hijacking campaign is espionage. What’s more, this is not the first time “Sea Turtle” has been caught, and as they continue to successfully “break the trust model of the internet”.”