In April 2019, Cisco Talos researchers reported on an ongoing state-sponsored DNS hijacking campaign that had compromised at least 40 different organizations in 13 countries. They named the campaign Sea Turtle, and described the group as brazen and persistent. If discovered, they do not simply give up and go away.
The warning was prescient. After the initial Talos report, the actors appear to have regrouped with new infrastructure. In particular, the researchers have detected a new DNS hijacking technique they believe to be connected to the Sea Turtle theat actors. “While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.”
The new technique has been used sparingly. Talos has recognized just two entities being targeted, but suspects there may be more. The ultimate target domain’s name server records are modified to direct legitimate users to an actor-controlled server. “In this case,” write the researchers, “the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours.” One of the hijacked hostnames would reference an email service to allow the hackers to harvest user credentials.
In one example, a private organization had its name server records changed to point to a lookalike name server hostname that mimicked a slightly different version of the organization’s name. For just three hours, the actor-controlled IP address hosted three hostnames — the two actor-controlled name servers and the webmail hostname. During this period, Sea Turtle was able to perform a MitM attack and harvest credentials. The same process was also observed against government organizations in the Middle East and North Africa.
The nature of the Sea Turtle actors (persistent) is further shown in their compromise of the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the ccTLD for Greece. One day after the first Talos Sea Turtle report, ICS-Forth acknowledged the compromise on April 19. However, Cisco telemetry confirmed that the compromise persisted for at least another five days.
Sea Turtle actors’ ‘brazen’ nature is seen by evidence that they used PHP-Proxy to search for both blog.talosintelligence.com and ncsc.gov.uk “presumably to view Talos’ previous reports on DNS hijacking and this DNS hijacking advisory [PDF, titled ‘DNS hijacking activity targeting government and commercial organizations worldwide’] from the United Kingdom’s National Cyber Security Centre.”
Sea Turtle’s activity continues. The primary initial targets were countries in the Middle East and North Africa — with secondary targets in Sweden. Since the first report, Talos has now also detected primary new targets in Greece, Cyprus, Sudan and the United States. Some of the new primary targets have been identified as government organizations, energy companies, think tanks, international NGOs, and at least one airport. Secondary targets are similar to those detailed in the first report: telecommunications providers, internet service providers and one registry.
To defeat DNS hijacking, Talos recommends that companies implement MFA at the registrar to protect DNS records, and to connect remotely to the corporate network via a VPN. Registry lock services should be implemented to force an out-of-band confirmation before the registry makes any changes to the DNS record; and DNSSEC should be enforced. Any company that suspects it has been targeted by hijacking should institute a network-wide password reset, but preferably from a computer on a trusted network.
Related: DHS Warns Federal Agencies of DNS Hijacking Attacks
Related: Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide
Related: Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
Related: Android Trojan Spreads via DNS Hijacking