Researchers at Cisco’s Talos research division discovered a hacker group targeting web and email traffic of organizations around the globe. The group dubbed ‘Sea Turtle’ has been intercepting and redirecting web traffic in a DNS hijacking campaign. This campaign known as ‘DSpionage’, takes advantage of vulnerabilities present in the internet’s core infrastructure.
Researchers have stated:
“This is a new group that is operating in a relatively unique way that we have not seen before”
The group has been active for over two year since early 2017. About 40 organizations in over a dozen countries mostly concentrated in the Middle East and North Africa (MENA) have compromised. Talos identified two groups of victims: primary targets and third-party entities. Primary targets include ministries of foreign affairs, prominent energy organization, and national security organizations. Third party entities include DNS registrars, internet service providers, and telecommunication firms.
Although the threat has been focused on the MENA area, Cisco warns this is a severe threat. They stated saying:
“we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system”
The group hijacks the DNS of organizations and points users to a malicious site. DNS hijacking is when a threat actor changes the DNS of a website to point to another website or server controlled by the actor. The attacker begins by first compromising user, specifically email and other login credentials. The attackers gained access through phishing emails and by exploiting known flaws. The attacker then replaces the legitimate DNS address with an address of his choosing. Further, the attacker is able to set DNS record values or obtain legitimate encryption certificates; this allows attackers to decrypt all intercepted email and VPN credentials.
Further, the group’s primary goal is espionage by stealing credentials and gain access to networks and system of their targets. The campaign is very persistent and have continued their attacks even during public reports of their actions.
“Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.”
Talos is recommending that organizations to implement registry locks. Implementing a registry lock will send out messages to the organization before any changes to the DNS are made. If a registry lock is not possible, organizations to implement multi-factor authentication systems for accessing DNS records.
Contact LIFARS immediately if your organization was attacked