Cisco Talos researchers say a nation state is likely behind a new cyberattack, dubbed Sea Turtle, that uses domain name system (DNS) hijacking to steal credentials and passwords for espionage.
While Talos won’t attribute the attacks to one particular nation state, “given the complexity involved, and the vast understanding of how DNS works, this clearly is the work of experts,” said Craig Williams, director of Talos outreach. “Had the attackers wanted to take down the DNS portion of the internet, they could have done so.”
The security researchers say that the attacks hit 40 organizations, among them national security organizations, in the Middle East and North Africa. But despite this regional focus, organizations elsewhere should not discount the threat, said Williams.
The reason for this is two-fold, he said. First, the Sea Turtle campaign targeted third-party entities — DNS registrars, telecommunications companies, and internet service providers — in the U.S. and Sweden to go after the primary victims, which were national security organizations, ministries of foreign affairs, and energy organizations in the Middle East and North Africa.
“What that means: in order to target that specific domain, they compromised the registrar,” he said. “And anytime a registrar gets compromised, everyone else needs to be concerned, because what else did they get? Can they come back later? How were they able to do it? And can we stop it? It’s like if a bad guy breaks into your apartment building and gets into one of your neighbor’s homes, is it really not your problem?”
Sea Turtle is also significant because DNS is a foundational technology that supports the internet, and Talos is concerned that the success of this cyber campaign could lead to broader attacks against the global DNS system.
“That’s something that can compromise the security of the entire internet,” Williams said. “That type of behavior should not be accepted.”
How Sea Turtle Works
Talos says the attacks started as early as January 2017 and compromised 40 organizations across 13 countries. The threat actors used DNS hijacking: they modified DNS name records so that lookups for the victim’s domain resolved to actor-controlled servers impersonating the real hosts.
After gaining initial access to a registrar, registry, or service provider, the attackers moved through that network to harvest credentials, which let them steal data and log in to the DNS registry. With that access they changed the victim’s records and set up a threat-actor-controlled server that looked like the real website.
The research also notes that the threat actors impersonated VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, for man-in-the-middle attacks.
“The man-in-the-middle server they set up would be identical to the real site for all visual purposes,” Williams said, adding that in some cases the hackers used a valid third-party SSL certificate and in other cases they stole real SSL certificates to compromise DNS registries and avoid detection.
“Meanwhile the rest of the world is being directed to the attacker’s server, and the attacker can use this to gather all the information they want, names and passwords,” he said. “We believe this is a straight-up espionage operation. They are trying to gain insight into these foreign governments and their organizations for various reasons.”
Companies can protect themselves against these types of attacks by using a registry lock service, which requires out-of-band confirmation before any change can be made to an organization’s DNS records. “If you have a domain on a registrar that supports registry locking, turn on the registry lock,” Williams said.
If an organization’s registrar doesn’t offer a lock service, Williams suggests enabling multi-factor authentication on the account instead. Additionally, network administrators can monitor their DNS records for unexpected changes, including short-lived ones that are later reverted.
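The monitoring Williams recommends comes down to polling your own zone’s NS, A and MX records (and the certificate your site presents) and comparing every poll against a known-good baseline, so that a record changed for a few hours and then restored still raises an alert. The script below is an added example written for this article; it is not Talos tooling and not from the original page. The domain, nameservers, addresses and certificate fingerprints are constructed for illustration, and the snapshots are embedded inline rather than fetched from a resolver so the script runs offline.

```python
"""Baseline-diff detector for DNS record tampering, run over constructed snapshots.

Every name, address and fingerprint below is made up for the example
(documentation IP ranges and the .test/.invalid reserved TLDs).
"""

import ipaddress

# Record types whose unexpected change most directly enables the redirect
# described in the article. NS is ranked highest because a delegation
# change redirects every name under the zone at once.
SEVERITY = {"ns": "critical", "a": "high", "mx": "high"}


def normalize(values):
    """Canonicalize a record set: lower-case, trailing dot on names, IPs untouched."""
    out = set()
    for v in values:
        v = v.strip().lower()
        try:
            ipaddress.ip_address(v)
        except ValueError:
            v = v.rstrip(".") + "."  # canonical FQDN form
        out.add(v)
    return out


def diff_snapshot(baseline, observed):
    """Return a list of findings describing how `observed` deviates from `baseline`."""
    findings = []
    for rtype, sev in SEVERITY.items():
        base = normalize(baseline.get(rtype, []))
        obs = normalize(observed.get(rtype, []))
        if base != obs:
            findings.append({
                "severity": sev,
                "rtype": rtype,
                "added": sorted(obs - base),
                "removed": sorted(base - obs),
            })
    # Certificate pin: a hijacked name served from an attacker host carries a
    # different leaf certificate even when it chains to a trusted CA.
    pin = observed.get("tls_sha256")
    if pin is not None and pin.lower() != baseline.get("tls_sha256", "").lower():
        findings.append({
            "severity": "high",
            "rtype": "tls_sha256",
            "added": [pin.lower()],
            "removed": [baseline.get("tls_sha256", "").lower()],
        })
    return findings


def scan_history(baseline, history):
    """history: list of (timestamp, snapshot).

    Every deviating snapshot is reported, so a change that is reverted before
    the next poll still shows up instead of being masked by the latest state.
    """
    alerts = []
    for ts, snap in history:
        findings = diff_snapshot(baseline, snap)
        if findings:
            alerts.append((ts, findings))
    return alerts


def max_severity(alerts):
    """Highest severity across all alerts, or None if nothing deviated."""
    order = {"critical": 3, "high": 2, "medium": 1}
    best = None
    for _, findings in alerts:
        for f in findings:
            if best is None or order[f["severity"]] > order[best]:
                best = f["severity"]
    return best


# Constructed known-good baseline for a hypothetical organization.
BASELINE = {
    "ns": ["ns1.example-registrar.test", "ns2.example-registrar.test"],
    "a": ["203.0.113.10"],
    "mx": ["mail.example-org.test"],
    "tls_sha256": "a1" * 32,
}

# Constructed poll history: clean, hijacked for one interval, then restored.
HIJACKED = {
    "ns": ["ns1.attacker-controlled.invalid", "ns2.attacker-controlled.invalid"],
    "a": ["198.51.100.7"],
    "mx": ["mail.example-org.test"],
    "tls_sha256": "b2" * 32,
}
HISTORY = [
    ("2019-04-01T00:00Z", BASELINE),
    ("2019-04-01T06:00Z", HIJACKED),
    ("2019-04-01T12:00Z", BASELINE),
]

if __name__ == "__main__":
    for ts, findings in scan_history(BASELINE, HISTORY):
        for f in findings:
            print(f"{ts} [{f['severity']}] {f['rtype']}: +{f['added']} -{f['removed']}")
```

In a real deployment the snapshots would be filled from several independent resolvers (so a poisoned local cache cannot hide the change), with the baseline stored outside the DNS provider’s account; the comparison logic stays the same.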