Hacker groups going after government domains
23 April, 2019 12:05 pm
Security researchers are suspecting state-sponsored actors.
Imagine typing in a government internet address, and ending up on a website that looks like a government website, acts like a government website, but steals your data.
That's basically what happened recently to Arab governments, but also to government websites, intelligence agencies, telecommunications companies and internet giants in 13 countries, for more than two years.
The ominous news was confirmed by two cybersecurity agencies – Cisco's Talos and FireEye. They are claiming that two separate entities, one of which might be state-sponsored, are doing the dirty work.
They dubbed them DNSpionage and Sea Turtle (who comes up with these names, really?).
The attack revolves around DNS hijacking. Hackers first use spear phishing to compromise a target and get into a network. Then they scan the network for vulnerabilities, targeting servers and routers which allows them lateral movement across the network. They gather passwords along the way.
Then, using the obtained credentials, they target the organisation's DNS registrar. They update the registrar's records so that the domain name points to a server that's under hackers' control.
And boom – there you have it. One moment you're on a government website, the next – a group of hackers is sniffing through your data.
Talos says Netnod was compromised this way by Sea Turtle, and Netnod confirmed. This is a Sweden-based DNS provider, and one of the 13 root servers that powers the global DNS infrastructure.
We don't know exactly who was under assault, but we do know that hackers targeted Armenia, Egypt, Turkey, Sweden, Jordan and the United Arab Emirates.