Hackers backed by a nation-state have successfully hijacked Domain Name System records to steal credentials from approximately 40 public and private entities across 13 countries in an attack that’s lasted for about two years, Cisco’s Talos research team says in a report published Wednesday.
The ongoing attack — dubbed “Sea Turtle” by the researchers — targets intelligence agencies, military organizations, and energy firms, as well as foreign ministries, telecommunications companies, and internet service providers. The attackers are “highly capable” and “unusually brazen,” the researchers say, but the report does not specify what country may be behind the attack. FireEye has indicated Iran is likely responsible for an attack that appears similar, but which Cisco claims is distinct from this new campaign.
DNS hijacking involves gaining control of a target’s DNS records — the information that ties a “human friendly” web address to an actual IP address — without flagging to the victims that they’re under attack. Attackers are then capable of rerouting traffic to what appears to be a legitimate website, but which is actually an attacker-controlled server that allows them to conduct further pilfering of credentials.
“I would go so far as to say [attribution] would be irresponsible given that we know nation-states are intentionally planting false flags,” Cisco’s Craig Williams told CyberScoop. In an email, FireEye’s director of intelligence, John Hultquist, said his company also is tracking “potentially other states” that may conduct DNS hijacking attacks.
Cisco assesses with “high confidence” that this attack is different from the DNSpionage campaign Talos unveiled last year as well, in part because the threat actors in this new campaign have been more aggressive with their targeting of DNS registries and registrars — the attackers have used 16 servers to help them complete their hijacking, in addition to the actor-controlled server IP addresses exposed in previous reports.
Especially concerning for experts in this case is the fact that the hackers have persisted in their attacks despite public naming and shaming of operations. “Normally when you catch a nation-state actor…they stop. But in this particular case, they didn’t,” Williams said. “They don’t care about being caught.”
The threat actors have begun each attack by launching spearphishing or other hacking campaigns to steal credentials from organizations. Eventually, after the hackers have gained control of the target’s DNS records, the hackers reroute victims from what appears to be a legitimate website through an attacker-controlled server. It is through these so-called man in the middle servers that the threat actors steal credentials again, and which give this kind of attack their label as a man in the middle attack.
The hackers have been particularly difficult to trace because they have taken measures to conceal the operation. For instance, the hackers have concealed their operation by using “certificate impersonation,” including via Let’s Encrypts, Comodo, and Sectigo, per Cisco. The actors also have been stealing the secure socket layer (SSL) certificate of the network.
“The industry advice from the late 90’s suggesting end-users ‘look for the padlock’ won’t cut it,” said Ben April, CTO of the threat intelligence vendor Farsight Security. “There are plenty of sites using [domain validation] because they only want to prevent eavesdropping, that works fine.”
The only tipoff to the user that something may be amiss is an unusually long lag time, and most network defense services will not flag anything suspicious because users are entering legitimate credentials. Most intrusion monitoring and prevention systems aren’t designed to monitor or log DNS requests.
“The real problem is that people that are being targeted don’t know they’re being targeted,” Williams said. “There’s really nothing they can do to prevent this.”
Registry locks could be used to defend against targeted domain redirects, per Cisco. Williams notes, however, that “the sad reality is not all registrars support registry lock. In those particular cases you absolutely have to turn on two-factor authentication,” he said. If that is not possible, patching internet-facing machines can be helpful, as can using multi-factor authentication, which DHS recommended earlier this year.
DNS hijacking campaigns have been exposed in several ways in the last few months. In addition to Cisco’s research on DNSPionage, FireEye has issued a report on a similar matter and the U.S. Department of Homeland Security issued an alert to administrators about hijacking. The actors identified by Cisco in Wednesday’s report were also behind the first publicly confirmed case of a domain name registry organization that’s been compromised for cyber-espionage purposes, researchers said.
Moving forward, a Department of Homeland Security Cybersecurity and Infrastructure Security Agency official told CyberScoop the agency “plans to expand on the best practices and insights” and share updated DNS management guidance for “the federal civilian executive branch.”
On a broader scale, while the scope of the attack is mission-driven as is, the attack is concerning to Cisco researchers because they fear the methods used in this campaign could be replicated to attack the DNS system across the globe. “I don’t think this group is going to be that big of a concern. I think copy cats are going to be a problem,” Williams said. “There’s multiple nation-states” that could go after this.
April says this “clearly indicates that operators of global DNS and domain registration infrastructure are in the cross-hairs. Depending on the extent of access, a compromise at a registry, registrar, or root-server operator might put at risk any namespace that the targeted entity maintains.”
The CISA official told CyberScoop the recent DNS attacks have “demonstrated true weaknesses in the DNS ecosystem that served as a wakeup call for the federal government and our partners.”