GlobalSign Acknowledges Breach of Web Server – Investigation Continues
GlobalSign, one of the longest established Certification Authorities (CA), acknowledged late Friday that it found evidence of a breach to a web server hosting its Web site.
“The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” a statement read. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.”
The announcement follows claims from an individual identifying himself as “Comodohacker”, a 21-year old hacker acting as an individual, saying he had compromised systems at GlobalSign. “I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain, hahahaa,” he wrote.
GlobalSign on Tuesday temporarily ceased issuance of all digital certificates following an initial claim that the hacker responsible for the recent compromise of Dutch Certificate Authority DigiNotar, had access to four other Certificate Authorities, naming GlobalSign as one of them.
On Wednesday, GlobalSign said that it had hired Fox-IT, the Dutch cybersecurity team tasked with investigating the DigiNotar hack. Fox-IT has been deeply involved in the investigation of the compromise of DigiNotar, and may have knowledge and experience in understanding the tactics used if, in fact, the claims are true and the individual is the same hacker. Based on ComodoHacker’s earlier claims and today’s discoveries, it’s apparent that this is the same attacker.
On Thursday, GlobalSign said it deems the claims from the hacker to represent an industry wide attack. The company mentioned that the GlobalSign CA root was created offline, and always has been offline.
“Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues,” the company posted in a statement. In response to several inquiries, the company added some clarification on Friday afternoon: “We have received several requests to explain terminology used by CAs, particularly what is meant by the GlobalSign root being offline. By ‘offline’ we mean that the Root CA Certificate is not connected to any network of any type. Root Key Material is physically (geographically) separate from any networked systems and is only ever exercised in controlled, and physically sealed offline ceremonies,” a statement said.
“All forensics are being shared with the authorities and other CAs to assist with their own investigations into other potentially related attacks,” the company wrote along with the acknowledgement of the breach.
Earlier in the week, GlobalSign said it would bring its certificate services back online on Monday, but it’s unclear if this is still the case.