Connect with us

Hi, what are you looking for?


Network Security

Sea Turtle’s DNS Hijacking Continues Despite Exposure

In April 2019, Cisco Talos researchers reported on an ongoing state-sponsored DNS hijacking campaign that had compromised at least 40 different organizations in 13 countries. They named the campaign Sea Turtle, and described the group as brazen and persistent. If discovered, they do not simply give up and go away.

In April 2019, Cisco Talos researchers reported on an ongoing state-sponsored DNS hijacking campaign that had compromised at least 40 different organizations in 13 countries. They named the campaign Sea Turtle, and described the group as brazen and persistent. If discovered, they do not simply give up and go away.

The warning was prescient. After the initial Talos report, the actors appear to have regrouped with new infrastructure. In particular, the researchers have detected  a new DNS hijacking technique they believe to be connected to the Sea Turtle theat actors. “While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.”

The new technique has been used sparingly. Talos has recognized just two entities being targeted, but suspects there may be more. The ultimate target domain’s name server records are modified to direct legitimate users to an actor-controlled server. “In this case,” write the researchers, “the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours.” One of the hijacked hostnames would reference an email service to allow the hackers to harvest user credentials.

In one example, a private organization had its name server records changed to point to a lookalike name server hostname that mimicked a slightly different version of the organization’s name. For just three hours, the actor-controlled IP address hosted three hostnames — the two actor-controlled name servers and the webmail hostname. During this period, Sea Turtle was able to perform a MitM attack and harvest credentials. The same process was also observed against government organizations in the Middle East and North Africa.

The nature of the Sea Turtle actors (persistent) is further shown in their compromise of the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the ccTLD for Greece. One day after the first Talos Sea Turtle report, ICS-Forth acknowledged the compromise on April 19. However, Cisco telemetry confirmed that the compromise persisted for at least another five days.

Sea Turtle actors’ ‘brazen’ nature is seen by evidence that they used PHP-Proxy to search for both and “presumably to view Talos’ previous reports on DNS hijacking and this DNS hijacking advisory [PDF, titled ‘DNS hijacking activity targeting government and commercial organizations worldwide’] from the United Kingdom’s National Cyber Security Centre.”

Sea Turtle’s activity continues. The primary initial targets were countries in the Middle East and North Africa — with secondary targets in Sweden. Since the first report, Talos has now also detected primary new targets in Greece, Cyprus, Sudan and the United States. Some of the new primary targets have been identified as government organizations, energy companies, think tanks, international NGOs, and at least one airport. Secondary targets are similar to those detailed in the first report: telecommunications providers, internet service providers and one registry.

Advertisement. Scroll to continue reading.

To defeat DNS hijacking, Talos recommends that companies implement MFA at the registrar to protect DNS records, and to connect remotely to the corporate network via a VPN. Registry lock services should be implemented to force an out-of-band confirmation before the registry makes any changes to the DNS record; and DNSSEC should be enforced. Any company that suspects it has been targeted by hijacking should institute a network-wide password reset, but preferably from a computer on a trusted network.

Related: DHS Warns Federal Agencies of DNS Hijacking Attacks 

Related: Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide 

Related: Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users 

Related: Android Trojan Spreads via DNS Hijacking 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...