Cybercriminals are hacking companies through their DNS providers: how to mitigate attacks?

Cybercrime group Sea Turtle attacked the organization ICS-Forth, which controls the Greek top-level domains .gr and .el.

Cisco Talos researchers first described the Sea Turtle group in April of this year, but being exposed did not persuade the attackers to stop their activities.

“While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward”, Cisco Talos said.

The attackers use an unusual technique: instead of attacking the victim directly, they gain access to accounts at domain registrars and managed DNS providers and change the victim company’s DNS settings.

By modifying the DNS records for the company’s public services (for example its mail servers and VPN gateways), the attackers redirect traffic destined for those legitimate systems to servers they control, carry out a man-in-the-middle attack and intercept the credentials of users who connect.

  • The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network

These attacks are short-lived (lasting from several hours to several days) and easy to miss (most companies do not check their DNS records for changes).

According to FireEye, the group acts in the interests of the Iranian government.

To reach its victims, Sea Turtle does not compromise the provider’s entire network. As reported in the first Cisco Talos report, the group broke into the Swedish organization NetNod, which operates an Internet exchange point.

The intrusion allowed the attackers to manipulate the DNS records for sa1[.]dnsnode[.]net and gain access to the credentials of the administrator of Saudi Arabia’s top-level domain (.sa).

In a new report, Cisco Talos describes a similar attack on the Greek organization ICS-Forth, the Institute of Computer Science of the Foundation for Research and Technology – Hellas.

“The new actor-controlled name server rootdnservers[.]com was utilized to perform DNS hijacking against three government entities that all used .gr, the Greek ccTLD. It’s likely that these hijackings were performed through the access the threat actors obtained in the ICS-Forth network”, — reported Cisco Talos specialists.

However, it is not clear for which domains the attackers changed the DNS settings. After the organization publicly disclosed the intrusion, Sea Turtle remained in its network for another five days.

Coverage and mitigations

  • Cisco Talos recommends implementing multi-factor authentication, such as Duo, to secure the management of your organization’s DNS records at your registrar, and connecting remotely to your corporate network via a Virtual Private Network (VPN).
  • Make Internet Message Access Protocol (IMAP) email servers accessible only from your corporate LAN and to users who have already authenticated over a VPN.
  • If you suspect you were targeted by this type of activity, Cisco Talos recommends instituting a network-wide password reset, preferably from a computer on a trusted network.
  • Lastly, network administrators can monitor passive DNS records for their domains to check for abnormalities.
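The last recommendation is the one most organizations never get around to, so here is an added example (written for this article, not Cisco Talos code) of what such a check can look like. It takes the answer-section output of `dig +noall +answer` for a known-good baseline and for a fresh snapshot, diffs the two, and rates NS and MX changes as critical because those are exactly the records an attacker changes to redirect name resolution and mail. It also flags any name server that is not on an approved list, so a baseline captured after a hijack does not silently become the new normal. The domain names, IP addresses and record sets are constructed sample data, and the separate "attacker" name server is fictitious.

```python
"""Detect DNS hijacking by diffing a known-good record baseline against a
fresh snapshot. Input is the answer-section format printed by
`dig +noall +answer`, so no third-party resolver library is needed.
"""
from collections import defaultdict

# Record types worth watching. NS and MX changes are the classic hijack
# signature: move name resolution or mail to attacker-controlled servers.
WATCHED_TYPES = {"NS", "MX", "A", "AAAA"}


def parse_dig_lines(lines):
    """Parse `dig +noall +answer` lines into {(owner, rtype): set(rdata)}.

    Each answer line looks like:  example.com.  3600  IN  MX  10 mail.example.com.
    TTL and class are ignored; the MX preference stays part of the rdata.
    """
    records = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        if rtype.upper() not in WATCHED_TYPES:
            continue
        key = (owner.lower().rstrip("."), rtype.upper())
        records[key].add(rdata.lower().rstrip("."))
    return dict(records)


def diff_snapshots(baseline, current, trusted_ns=()):
    """Return a list of (severity, message) describing differences.

    NS and MX changes are CRITICAL (delegation or mail redirected), A/AAAA
    changes are HIGH, and a record set that no longer answers is MEDIUM.
    Any NS value outside `trusted_ns` is CRITICAL even if the baseline
    already contained it, because a baseline may have been taken after
    the hijack.
    """
    trusted = {ns.lower().rstrip(".") for ns in trusted_ns}
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        owner, rtype = key
        before = baseline.get(key, set())
        after = current.get(key)
        if after is None:
            alerts.append(("MEDIUM", f"{owner} {rtype}: no answer (expected {sorted(before)})"))
            continue
        if rtype == "NS" and trusted:
            for ns in sorted(after - trusted):
                alerts.append(("CRITICAL", f"{owner} NS {ns} is not an approved name server"))
        added, removed = after - before, before - after
        if added or removed:
            sev = "CRITICAL" if rtype in ("NS", "MX") else "HIGH"
            alerts.append((sev, f"{owner} {rtype} changed: +{sorted(added)} -{sorted(removed)}"))
    return alerts


def audit(baseline_lines, current_lines, trusted_ns=()):
    """Convenience wrapper: parse both dig outputs and diff them."""
    return diff_snapshots(parse_dig_lines(baseline_lines),
                          parse_dig_lines(current_lines), trusted_ns)


# Constructed sample data (not real zone data). The second snapshot moves
# one NS record and the mail server's A record to attacker-controlled hosts.
TRUSTED_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}

BASELINE_DIG = """
example.com.        3600  IN  NS  ns1.example-dns.net.
example.com.        3600  IN  NS  ns2.example-dns.net.
example.com.        300   IN  MX  10 mail.example.com.
mail.example.com.   300   IN  A   192.0.2.25
vpn.example.com.    300   IN  A   192.0.2.44
""".splitlines()

HIJACKED_DIG = """
example.com.        3600  IN  NS  ns1.attacker-dns.example.
example.com.        3600  IN  NS  ns2.example-dns.net.
example.com.        300   IN  MX  10 mail.example.com.
mail.example.com.   300   IN  A   198.51.100.7
vpn.example.com.    300   IN  A   192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for severity, message in audit(BASELINE_DIG, HIJACKED_DIG, TRUSTED_NS):
        print(f"[{severity}] {message}")
```

In practice the baseline would be captured once from a trusted network, stored with the approved name server list, and the current snapshot taken by a cron job that queries several public resolvers (`dig +noall +answer NS example.com @9.9.9.9`, and likewise for MX and the A records of mail and VPN hosts). Querying more than one resolver matters because a hijack can be served selectively; an alert from any of them is worth a look.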

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
