Despite being publicly exposed earlier this year, the actors behind the malicious Sea Turtle DNS hijacking campaign continue to unabashedly rack up new victims, and apparently added a new technique to their repertoire, a new report states.
The group made waves last April when researchers at Cisco’s Talos unit reported that the attackers have been compromising internet and DNS service providers in order to reroute some of their clients’ website visitors to a malicious man-in-the-middle server. This server, which spoofs the legitimate website or online service, secretly captures these visitors’ website credentials so they can be harvested. Targeted customers have primarily consisted of Middle Eastern and North African government institutions, military units and energy organizations.
In a new report published yesterday, Talos revealed that the same group, from April 19 – 24, accessed the network of The Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the organization that oversees the ccTLD for Greece.
Moreover, the command-and control node used to interact with the ICS-Forth network was also used “to access an organization in Syria that was previously redirected using the actor-controlled name server ns1[.]intersecdns[.]com. This indicates that the same threat actors were behind both operations,” said a Cisco blog post written by Talos researcher Danny Adamitis, with contributions from colleague Paul Rascagneres.
Meanwhile, Talos researchers said they are moderately confident that Sea Turtle has dabbled in a new technique for rerouting website visitors from their intended destination to a malicious server through modification of the target domain’s name server records.
“In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours,” the blog post explained.
Talos believes the technique has only been used twice. “In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials. One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets, meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address.”
Further investigation by Talos also turned up a recently registered actor-controlled nameserver, rootdnservers[.]com, and new IP addresses tied to man-in-the-middle activity.
Talos also noted that since its previous Sea Turtle report, the group has targeted even more government organizations and energy companies, as well as think tanks, international non-governmental organizations and at least one airport.