The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet.
Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains—the suffixes like .co.uk or .ru that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.
The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man in the middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.
DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as "google.com," into the IP address that represents the actual computer where that service is hosted, such as "64.233.191.255." Corrupt that system, and hackers can redirect that domain to any IP address they choose. Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations but also because it calls into question that basic trust model of the internet.
"When you're on your computer and visit your bank, you assume DNS servers will tell you the truth," Williams says. "Unfortunately what we're seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to."
Hackers have used DNS hijacking plenty of times in years past, for everything from crude website defacements to another apparent espionage campaign, labelled DNSpionage, uncovered by Cisco Talos in late 2018 and linked to Iran early this year. Cisco's Williams says that other security firms have misattributed some of Sea Turtle's operations, confusing them with those of the DNSpionage campaign. But the Sea Turtle campaign represents a distinct and more serious series of security breaches, he argues.
"Anyone in control of a top level domain can add, remove, and delete records, or redirect domains and do a subversive man-in-the-middle attack," says David Ulevitch, founder of the DNS-focused firm OpenDNS and now a partner at venture capital firm Andreessen Horowitz. "That can have tremendous security implications for anyone with a domain under that TLD."
Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.
Cisco did name two of the DNS-related firms who were targeted by the Sea Turtle hackers: The Swedish infrastructure organization NetNod and Berkeley-based Packet Clearing House, both of whom have acknowledged in February that they had been hacked. Cisco said the attackers had burrowed into those initial target networks with traditional means, such as spearphishing emails, and a toolkit of hacking tools designed to exploit known but unpatched vulnerabilities.
Those initial targets were only a stepping stone. Once the Sea Turtle hackers gained full access to a domain registrar, their spying operations followed a predictable pattern, according to Cisco's researchers. The hackers would change the target organization's domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim's legitimate ones. When users then attempted to reach the victim's network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.
That sort of man-in-the-middle attack should be prevented by SSL certificates, which are meant to assure that the recipient of encrypted internet traffic is who it claims to be. But the hackers simply used spoofed certificates from Let's Encrypt or Comodo, which were able to trick users with signs of legitimacy like the lock symbol in a browser's URL bar.
With that stealthy man-in-the-middle server in place, the hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network. In the process, they would steal a legitimate SSL certificate from the victim that allowed them to make their man-in-the-middle server look even more legit. To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they'd intercepted vast troves of the target organization's data, and the keys to enter its network at will.
A disturbing element of the Sea Turtle hackers' approach—and DNS hijacking in general—is that the point of initial compromise occurs at internet infrastructure groups, entirely outside the real target's network. "The victim would never see it," Williams says.
In early 2019, security firms including FireEye and Crowdstrike publicly exposed parts of the Sea Turtle operation, Cisco's Williams says, mistakenly thinking it they were part of the DNSpionage campaign. Despite that exposure, Sea Turtle's campaign persisted, Williams says. The group even attempted to compromise NetNod again.
Sea Turtle isn't alone in its enthusiasm for DNS hijacking. The technique is growing in popularity among hackers, but particularly in the Middle East, notes Sarah Jones, a principal analyst at FireEye. "We’ve definitely seen more actors pick it up, and of all skills levels," Jones says. "It's another tool in the arsenal, like web-scanning and phishing. And I think a lot of the groups that pick it up are finding that it’s not hardened on enterprise networks, because it's not part of the network. No one really thinks about who their [domain] registrar is."
One solution to the DNS hijacking epidemic is for organizations to implement a "registry lock," a security measure that requires a registrar to take extra authentication steps and communicate with a customer before the customer's domain settings can be changed. The US Department of Homeland Security went so far as to issue an alert to American network administrators to check their domain registrar's authentication settings in January, which was issued in response to reports of DNS hijacking from NetNod and Packet Clearing House according to latter company's executive director Bill Woodcock.
But Cisco's Williams says many country's top-level domain registrars still don't offer registry locks, leaving customers in a state of uncertainty. "If you’re in those countries, how do you trust that your DNS system is working again?" he asks.
All of that means DNS will likely only grow as a hacking vector, Williams says. "Even when Sea Turtle was caught, they haven’t stopped. They’ve built this seemingly repeatable methodology, and they're out there breaking the trust model of the internet," Williams says. "And when others see that these techniques are successful, they’re going to copy them."
Corrected 4/18/2019 10:00pm EST: A previous version of the story at one point incorrectly referred to DNS providers instead of domain registrars, misstated some of the effects of spoofed SSL certificates, and stated that the DHS alert was in response to security firms' findings rather than reports from NetNod and Packet Clearing House.
- 15 months of fresh hell inside Facebook
- The time Tim Cook stood his ground against the FBI
- What to expect from Sony's next-gen PlayStation
- How to make your smart speaker as private as possible
- A new strategy for treating cancer, thanks to Darwin
- 🏃🏽♀️ Looking for the best tools to get healthy? Check out our Gear team's picks for the best fitness trackers, running gear (including shoes and socks), and best headphones.
- 📩 Get even more of our inside scoops with our weekly Backchannel newsletter
