Sea Turtle hacking group goes after government domains
Researchers at Cisco’s Talos cybersecurity unit have discovered a new hacker group that has targeted 40 government and intelligence agencies, telecoms and internet giants in 13 countries for more than two years.
While the new campaign bears some similarities to DNSpionage, which rerouted users from legitimate websites to a malicious server to steal their passwords, the researchers have assessed with high confidence that the campaign they’ve dubbed “Sea Turtle” is a new, separate operation.
Sea Turtle hijacks its targets' DNS: it alters the records for a victim's domain name so that the name resolves to a server the attackers control instead of to the organization's legitimate host.
The site-spoofing technique exploits long-known weaknesses in how DNS records are administered and trusted, and it is used to trick unsuspecting victims into entering their credentials on fake login pages.
Sea Turtle
A Sea Turtle intrusion starts with spear phishing to establish a foothold on the target's network. Known exploits against servers and routers are then used to move laterally and collect network-specific passwords. With those credentials the attackers log in to the organization's DNS registrar and change the domain's records, typically the name server (NS) entries, so that the domain no longer resolves to the organization's own IP address but to a server the attackers control.
The hackers then run a man-in-the-middle operation: the rogue server impersonates login pages such as webmail or VPN portals, passes the victim through to the real service, and captures further credentials that let the attackers move deeper into the network. Because they now control where the domain resolves, they can pass a certificate authority's domain-validation check and obtain a legitimately issued HTTPS certificate for the target's domain, so the malicious server presents a browser-trusted certificate and raises no warning. Certificate validity is therefore no defence here; registry locks on the domain and monitoring of DNS records and certificate transparency logs are.
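The hijack described above changes what an organization's own domain resolves to, which is something the organization can watch for. The following is an added example, not code from the article or from Talos: a baseline-drift check that compares the current public DNS answers for a domain against what the organization expects, flagging changed NS delegation, changed A records for sensitive hosts, and any host resolving to an address outside the organization's own prefixes. The domain names, name servers, addresses and resolver snapshots are all constructed and hypothetical.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Baseline:
    """What the organization expects its public DNS to look like."""
    domain: str                            # apex whose NS delegation is watched
    ns: set[str]                           # authoritative name servers it controls
    a: dict[str, set[str]]                 # sensitive host -> expected IPv4 addresses
    prefixes: list[ipaddress.IPv4Network]  # address space the organization owns


def parse_answers(output: str) -> dict[tuple[str, str], set[str]]:
    """Parse 'owner TYPE rdata' lines (the shape of `dig +noall +answer`
    once the TTL and class columns are stripped) into {(owner, TYPE): {rdata}}.
    Owners and rdata are normalized to lowercase without the trailing dot."""
    records: dict[tuple[str, str], set[str]] = {}
    for line in output.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        owner, rtype, rdata = parts
        key = (owner.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, set()).add(rdata.rstrip(".").lower())
    return records


def check_drift(baseline: Baseline,
                snapshot: dict[tuple[str, str], set[str]]) -> list[tuple[str, str, str]]:
    """Return (kind, name, detail) findings; an empty list means no drift."""
    findings: list[tuple[str, str, str]] = []

    # 1. Delegation: a registrar-level hijack shows up as a changed NS set.
    seen_ns = snapshot.get((baseline.domain, "NS"), set())
    if seen_ns != baseline.ns:
        findings.append(("ns-changed", baseline.domain,
                         f"added={sorted(seen_ns - baseline.ns)} "
                         f"removed={sorted(baseline.ns - seen_ns)}"))

    # 2. Address records for the hosts attackers impersonate (mail, VPN, webmail).
    for host, expected in baseline.a.items():
        seen = snapshot.get((host, "A"), set())
        if seen != expected:
            findings.append(("a-changed", host,
                             f"expected={sorted(expected)} seen={sorted(seen)}"))
        for ip in seen:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in baseline.prefixes):
                findings.append(("ip-outside-org", host,
                                 f"{ip} is outside {[str(n) for n in baseline.prefixes]}"))
    return findings


# Constructed baseline and snapshots (hypothetical names and addresses).
EXPECTED = Baseline(
    domain="example-ministry.test",
    ns={"ns1.example-ministry.test", "ns2.example-ministry.test"},
    a={"mail.example-ministry.test": {"203.0.113.10"},
       "vpn.example-ministry.test": {"203.0.113.20"}},
    prefixes=[ipaddress.ip_network("203.0.113.0/24")],
)

CLEAN_SNAPSHOT = """
example-ministry.test. NS ns1.example-ministry.test.
example-ministry.test. NS ns2.example-ministry.test.
mail.example-ministry.test. A 203.0.113.10
vpn.example-ministry.test. A 203.0.113.20
"""

# One NS replaced by an attacker name server and the mail host moved off-net.
HIJACKED_SNAPSHOT = """
example-ministry.test. NS ns1.example-ministry.test.
example-ministry.test. NS ns1.actor-dns.invalid.
mail.example-ministry.test. A 198.51.100.77
vpn.example-ministry.test. A 203.0.113.20
"""

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_SNAPSHOT), ("hijacked", HIJACKED_SNAPSHOT)):
        for kind, name, detail in check_drift(EXPECTED, parse_answers(snap)):
            print(f"[{label}] {kind} {name}: {detail}")
```

To use it live, feed `parse_answers` the output of `dig +noall +answer` (with the TTL and class columns removed) from several resolvers, including the registry's delegation and a few public resolvers, since a change made at the registrar propagates to every one of them. Pair the check with a registry lock on the domain and certificate transparency monitoring, because a certificate issued to the attackers during the hijack is otherwise indistinguishable from a legitimate one.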
According to Talos, the hackers used this technique against the Swedish DNS provider Netnod, which also operates one of the 13 root name servers that underpin the global DNS.
Using similar tactics, the hackers also gained access to the registry responsible for Armenia's .am country-code top-level domain.