Researchers at Cisco’s Talos cybersecurity unit have discovered a new hacker group that has targeted 40 government and intelligence agencies, telecoms and internet giants in 13 countries for more than two years.
While the new campaign bears some similarities to DNSpionage, which rerouted users from legitimate websites to a malicious server to steal their passwords, the researchers have assessed with high confidence that the campaign they’ve dubbed “Sea Turtle” is a new, separate operation.
Sea Turtle targets organizations by hijacking their DNS: a target's domain name is pointed at a malicious server instead of at its intended host.
The site-spoofing technique used by the hackers behind the campaign exploits long-known weaknesses in DNS that can be used to trick unsuspecting victims into entering their credentials on fake login pages.
The attacks launched by Sea Turtle work by first compromising a target using spear phishing to establish a foothold on its network. Known exploits are then used against servers and routers to move laterally inside the company's network and obtain network-specific passwords. These credentials are then used to log in to the organization's DNS registrar and update its records, so that the domain name points away from the organization's own IP address and instead to a server controlled by the hackers.
The hackers then employ a man-in-the-middle operation to impersonate login pages and obtain additional credentials to move even further into a company’s network. By using their own HTTPS certificate for the target’s domain, the attackers can make a malicious server appear genuine.
According to Talos, the hackers used this technique to compromise the Swedish DNS provider Netnod as well as one of the 13 root servers that powers the global DNS infrastructure.
The hackers also were able to gain access to the registrar that manages Armenia’s top-level domains using similar tactics.
While Talos has not revealed which state is behind the group, its researchers say that Sea Turtle is “highly capable” and have provided mitigation instructions in a blog post, saying:
“Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization’s DNS record. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as DUO, to access your organization’s DNS records. If you suspect you were targeted by this type of activity intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS records on their domains, to check for abnormalities.”
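The last piece of Talos's advice, watching passive DNS for abnormalities, is easy to automate once an organization keeps an out-of-band baseline of the records it expects. The script below is an added example, not Talos's code or a tool from the article: it parses constructed passive-DNS observations (example.com with 198.51.100.x as the legitimate addresses and 203.0.113.x standing in for an attacker-controlled server, all documentation ranges) and reports every record set that differs from the baseline, including records that have vanished and names that were never expected to exist.

```python
from collections import defaultdict

# Constructed passive-DNS observations, one "<name> <type> <rdata>" per line.
# 203.0.113.x answers stand in for an attacker-controlled server.
PASSIVE_DNS_SAMPLE = """\
example.com. NS ns1.example.com.
example.com. NS ns2.example.com.
example.com. A 198.51.100.10
mail.example.com. A 203.0.113.77
vpn.example.com. A 203.0.113.78
"""

# Expected record sets, kept out of band (e.g. in version control), not in DNS.
BASELINE = {
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("example.com.", "A"): {"198.51.100.10"},
    ("mail.example.com.", "A"): {"198.51.100.25"},
    ("vpn.example.com.", "A"): {"198.51.100.26"},
}


def parse_observations(text):
    """Group 'name type rdata' lines into {(name, type): {rdata, ...}}."""
    observed = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, rdata = parts
        observed[(name.lower(), rtype.upper())].add(rdata.lower())
    return observed


def detect_drift(baseline, observed):
    """Return (name, type, expected, seen) for each record set that differs.
    Missing baseline records and unexpected new names are both reported."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = {v.lower() for v in baseline[key]} if key in baseline else set()
        seen = set(observed.get(key, ()))
        if expected != seen:
            findings.append((key[0], key[1], expected, seen))
    return findings


if __name__ == "__main__":
    hits = detect_drift(BASELINE, parse_observations(PASSIVE_DNS_SAMPLE))
    for name, rtype, expected, seen in hits:
        print(f"DRIFT {name} {rtype}: expected {sorted(expected)}, saw {sorted(seen)}")
```

In practice the observation text would come from a passive-DNS feed or a scheduled resolver query, and any finding on the NS or A records of login, mail or VPN hosts should page someone, since that is exactly the change a registrar-level hijack produces.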