A new state-backed hacker group is hijacking government domains at a phenomenal pace

The hackers exploit flaws in the domain name system to carry out espionage

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously undiscovered hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the nonprofit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.

“This is a new group that is operating in a relatively unique way that we have not seen before.” Craig Williams, Cisco Talos

“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report, out Wednesday and seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director, outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of the staff as a way of getting deeper access into the network. The hackers also used their own HTTPS certificate for the target’s domain from another provider to make the malicious server look like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said the hacker group compromised Netnod, a DNS provider in Sweden and one of the 13 root servers that powers the global DNS infrastructure. In February, Netnod confirmed its infrastructure was hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain — .sa — suggesting other Saudi-based companies could be in the hacker group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor name the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan and the United Arab Emirates were among the countries where it found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle is said to be “highly capable,” said the researchers’ findings, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged companies to begin using DNSSEC, a cryptographically more secure domain name system that’s far tougher to spoof, and employ two-factor on an organization’s DNS records.

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.