State-sponsored hackers in DNS hijacking campaign targeting government networks - Cisco Talos
Espionage campaign has compromised the websites of more than 40 organisations over the past two years
Researchers at Cisco's Talos security group have released a report detailing what it claims is a state-sponsored espionage campaign that has compromised the websites of more than 40 organisations over the past two years by hijacking DNS servers.
The primary targets of these espionage operations, called Sea Turtle by the researchers, include intelligence agencies, telecoms operators and internet giants, primarily based in the Middle East and North Africa.
"The on-going operation likely began as early as January 2017 and has continued through the first quarter of 2019," the researchers stated in a post.
"Our investigation revealed that at least 40 different organisations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems."
According to Talos, the attackers carry out the intrusions by taking advantage of weaknesses in the ageing domain name system (DNS) protocol. They also use a variety of other techniques, such as fraudulently obtained security certificates, to avoid detection.
The attackers first compromise a selected target through spearphishing to get a toehold on the network. Then, they target routers and servers using known exploits to exfiltrate network-specific passwords.
The stolen credentials are then used to modify the victim organisation's DNS records and to redirect visitors to a malicious server controlled by the attackers.
They imitate the login pages of their targets to steal credentials of many more employees and get deeper access into the network.
In the process, they can also obtain SSL certificates of target organisations, which can then be used across the corporate network.
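The most direct check a defender can run against the chain described above is to compare a zone's live NS, A and MX records with a known-good baseline and alert on any drift. The following is an added example, not code from Talos or the article; the domain names and IP addresses are constructed sample values, and the observed records are supplied as `dig`-style answer lines rather than fetched from the network.

```python
"""Detect unauthorised changes to a zone's public DNS records (added example)."""
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]  # record type -> set of record data values

# Constructed baseline, captured when the zone was known to be correct.
BASELINE: Snapshot = {
    "NS": {"ns1.example.com.", "ns2.example.com."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.com."},
}

# Constructed `dig` answer-section output for the same zone, observed later.
# One NS and the A record now point at infrastructure outside the baseline.
OBSERVED_DIG_OUTPUT = """
;; ANSWER SECTION:
example.com.   300  IN  NS  ns1.example.com.
example.com.   300  IN  NS  ns.hijack.test.
example.com.   60   IN  A   198.51.100.7
example.com.   300  IN  MX  10 mail.example.com.
"""


def parse_records(text: str) -> Snapshot:
    """Parse 'name ttl class type rdata' lines (dig answer format) into a snapshot."""
    snapshot: Snapshot = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks and dig's ';;' comment lines
        rtype, rdata = fields[3], " ".join(fields[4:])
        snapshot.setdefault(rtype, set()).add(rdata)
    return snapshot


def find_drift(baseline: Snapshot, observed: Snapshot) -> List[str]:
    """Return one alert per record type whose values differ; empty list if clean."""
    alerts = []
    for rtype in sorted(set(baseline) | set(observed)):
        want, got = baseline.get(rtype, set()), observed.get(rtype, set())
        added, removed = got - want, want - got
        if added or removed:
            alerts.append(f"{rtype}: added={sorted(added)} removed={sorted(removed)}")
    return alerts


if __name__ == "__main__":
    for alert in find_drift(BASELINE, parse_records(OBSERVED_DIG_OUTPUT)):
        print("ALERT", alert)
```

In practice the observed snapshot would come from a scheduled query against several independent resolvers, since a hijacked authoritative server answers consistently for everyone who asks it.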
According to Talos, the attackers used the technique to target Swedish DNS provider Netnod, and were able to compromise 13 root servers in the global DNS infrastructure. The successful attack on Netnod enabled attackers to steal the passwords of admins who manage Saudi Arabia's top-level domain (.sa).
Talos said it found several victims in Turkey, Egypt, Sweden, the United Arab Emirates and Jordan, among other countries, although the researchers refrained from naming the victim organisations.
ICANN, the non-profit organisation that has the responsibility to maintain the domain name system, has urged DNS server operators to take all necessary steps to secure their systems in view of the "on-going and significant" attack on DNS.
The US Department of Homeland Security also issued an alert in January, warning that attackers could redirect user traffic and obtain valid certificates for an organisation's domain names.