The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet’s cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet.
Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group it’s calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains—the suffixes like .co.uk, or .ru, that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.
The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet’s directory system, hackers were able to silently use “man-in-the-middle” attacks to intercept all internet data from email to web traffic sent to those victim organizations.
Top Level Dilemma
DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as “google.com” into the IP address that represents the actual computer where that service is hosted, such as “22.214.171.124.” Corrupt that system, and hackers can redirect that domain to any IP address they choose. Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations, but also because it calls into question that basic trust model of the internet.
“When you’re on your computer and visit your bank, you assume DNS servers will tell you the truth,” Williams says. “Unfortunately what we’re seeing is that from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to.”
“If you’re in those countries, how do you trust that your DNS system is working again?”
Craig Williams, Cisco Talos
Hackers have used DNS hijacking plenty of times in years past, for everything from crude website defacements to another apparent espionage campaign, labelled DNSpionage, uncovered by Cisco Talos in late 2018 and linked to Iran early this year. Cisco’s Williams says that other security firms have misattributed some of Sea Turtle’s operations with those of the DNSpionage campaign. But the Sea Turtle campaign represents a distinct and more serious series of security breaches, he argues.
“Anyone in control of a top level domain can add, remove, and delete records, or redirect domains and do a subversive man-in-the-middle attack,” says David Ulevitch, founder of the DNS-focused firm OpenDNS, who’s now a partner at venture capital firm Andreesen Horowitz. “That can have tremendous security implications for anyone with a domain under that TLD.”
Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cypress, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco’s Craig Williams confirmed that Armenia’s .am top-level domain was one `of the “handful” that were compromised, but wouldn’t say which of the other countries’ top-level domains were similarly hijacked.
Cisco did name two of the DNS-related firms who were targeted by the Sea Turtle hackers: The Swedish infrastructure organization NetNod and Berkeley-based Packet Clearinghouse, both of whom have acknowledged in February that they had been hacked. Cisco said the attackers had burrowed into those initial target networks with traditional means, such as spearphishing emails, and a toolkit of hacking tools designed to exploit known but unpatched vulnerabilities.
Those initial targets were only a stepping stone. Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco’s researchers. The hackers would change the target organization’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. When users then attempted to reach the victim’s network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.
That sort of man-in-the-middle attack should be prevented by SSL certificates, which are meant to assure that the recipient of encrypted internet traffic is who it claims to be. But the hackers simply used spoofed certificates from Let’s Encrypt or Comodo, invalid on close inspection but still able to trick users with signs of legitimacy, like a lock symbol in a browser’s URL bar.
With that stealthy man-in-the-middle server in place, the hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network. In the process, they would steal a legitimate SSL certificate from the victim that allowed them to make their man-in-the-middle server look even more legit. To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they’d intercepted vast troves of the target organization’s data, and the keys to enter its network at will.
A disturbing element of the Sea Turtle hackers’ approach—and DNS hijacking in general—is that the point of initial compromise occurs at internet infrastructure groups, entirely outside the real target’s network. “The victim would never see it,” Williams says.
Breaking the Trust Model
In early 2019, security firms including FireEye and Crowdstrike publicly exposed parts of the Sea Turtle operation, Cisco’s Williams says, mistakenly thinking it they were part of the DNSpionage campaign. Despite that exposure, Sea Turtle’s campaign persisted, Williams says. The group even attempted to compromise NetNod again.
Sea Turtle isn’t alone in its enthusiasm for DNS hijacking. The technique is growing in popularity among hackers, but particularly in the Middle East, notes Sarah Jones, a principal analyst at FireEye. “We’ve definitely seen more actors pick it up, and of all skills levels,” Jones says. “It’s another tool in the arsenal, like web-scanning and phishing. And I think a lot of the groups that pick it up are finding that it’s not hardened on enterprise networks, because it’s not part of the network. No one really thinks about who their [domain] registrar is.”
One solution to the DNS hijacking epidemic is for organizations to implement a “registry lock,” a security measure that requires a registrar to take extra authentication steps and communicate with a customer before the customer’s domain settings can be changed. The US Department of Homeland Security went so far as to issue an alert to American network administrators to check their domain registrar’s authentication settings in January, in response to the DNSpionage findings from Cisco and FireEye.
But Williams says many country’s top-level domain registrars still don’t offer registry locks, leaving customers in a state of uncertainty. “If you’re in those countries, how do you trust that your DNS system is working again?” he asks.
All of that means DNS will likely only grow as a hacking vector, Williams says. “Even when Sea Turtle was caught, they haven’t stopped. They’ve built this seemingly repeatable methodology, and they’re out there breaking the trust model of the internet,” Williams says. “And when others see that these techniques are successful, they’re going to copy them.”