‘Brazen’ nation-state actors behind ‘Sea Turtle’ DNS hijacking campaign

State-sponsored hackers are behind a large-scale DNS hijacking campaign that since January 2017 has been responsible for compromising at least 40 organizations across 13 countries, researchers from Cisco Talos have reported.

Primarily targeting the Middle East and North Africa, the attackers are looking to harvest credentials that grant them access to sensitive networks belonging to national institutions such as intelligence agencies, military units and ministries of foreign affairs, as well as energy organizations. But in order to compromise these victims, the perpetrators typically first compromise their third-party internet and DNS service providers, such as telecommunications firms, ISPs, IT firms, registrars and registries.

In a company blog post, the researchers express concern that the operation could inspire copycat attacks against the global DNS infrastructure, ultimately undermining trust in the internet. "Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system," states the post, written by Talos researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.

A recent spate of global DNS hijackings has caught the attention of the cybersecurity community in 2019, especially after a Jan. 24 U.S. Department of Homeland Security alert detailing such activities, plus a series of industry reports on recent hijacking campaigns that FireEye suggested could be linked to Iran. In its own previous report, Talos referred to one such campaign, focusing on Lebanon- and United Arab Emirates-affiliated .gov domains, as DNSpionage.

But this campaign, dubbed Sea Turtle, is reportedly its own distinct operation that potentially poses an even greater threat than its predecessors due to its meddling with actual DNS registries and registrars. Indeed, Talos says this "highly capable and brazen" group is responsible for the first publicly confirmed case of a DNS registry compromise: a Jan. 2, 2019 infiltration of Sweden-based Netnod. Other DNS service providers affected in the same two-year-plus campaign are based in the U.S.

Generally, the Sea Turtle attackers begin a campaign by compromising a DNS service provider via spear phishing or exploitation of a vulnerability, then acquiring the credentials needed to make registry changes affecting targeted users of that service. Consequently, web users attempting to visit a targeted organization's website would instead be silently sent to a malicious man-in-the-middle server that spoofs the legitimate service they are attempting to use. The server captures these visitors' website credentials as they are entered, and then quickly forwards the users to the real website before suspicions arise.

In one instance, the adversaries were actually about to compromise the registrars that manage Armenia's country code top-level domain .am, meaning the hackers could have potentially hijacked any domain using that ccTLD. Outside of Armenia, other primary cyber espionage targets were located in Albania, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey and the UAE.

Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am. Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.

According to Talos, Sea Turtle is unique among DNS hijacking campaigns due to its unusually aggressive nature, its use of actor-controlled name servers, its use of certificate impersonation techniques to make its man-in-the-middle servers seem credible, and its penchant for stealing organizations' legitimate SSL certificates to use on actor-controlled servers.

To help mitigate the threat, Talos has recommended several precautionary steps, including but not limited to using a registry lock service or instituting multi-factor authentication for accessing DNS records.

Justin Jett, director of audit and compliance for network and security intelligence platform provider Plixer, had additional suggestions: "While monitoring certificate transparency logs for your domain is important, it is more important to establish policies for your domains and determine which providers can sign a certificate for your domain. Specifically, organizations should add a “CAA” record to their domain to only allow authorized certificate authorities to sign certificates," Jett said in emailed comments. "While an obvious solution, DNSSEC is not regularly deployed, but organizations should invest in deploying it because it significantly reduces the ability of a hacker to broadly compromise a domain. Finally, network traffic analytics should be deployed on the network to understand how DNS may be used by hackers."
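A defender-side baseline check covering the record changes described in the attack flow above and the CAA and DNSSEC advice in Jett's comments, added here as an example (not code from Talos, Plixer or the report); the zone dump, hostnames and addresses are constructed, and the baseline values are assumptions standing in for an organization's own records.

```python
# Flags the DNS control-plane drift Sea Turtle relied on (NS/A changes, missing DS, weak CAA).
# Added example, not code from the Talos report; the dig-style dump below is constructed.
from dataclasses import dataclass
@dataclass
class Baseline:
    name_servers: set     # NS hosts the registrar should list for the zone
    web_ips: set          # expected A records for the web host
    authorized_cas: set   # CA domains the CAA policy permits to issue

def parse_records(text):
    """Parse 'owner TTL IN TYPE rdata' lines into (owner, type, rdata) tuples."""
    recs = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            recs.append((parts[0].rstrip(".").lower(), parts[3], parts[4]))
    return recs

def audit_zone(records, base, web_name):
    """Return a list of findings; an empty list means the zone matches the baseline."""
    findings = []
    ns = {r.rstrip(".").lower() for _, t, r in records if t == "NS"}
    if ns != base.name_servers:  # registrar-level change: delegation moved to other NS
        findings.append(f"NS drift: unexpected {sorted(ns - base.name_servers)}, "
                        f"missing {sorted(base.name_servers - ns)}")
    ips = {r for o, t, r in records if t == "A" and o == web_name}
    if ips - base.web_ips:       # zone-level change: web host resolves to an unknown server
        findings.append(f"A drift for {web_name}: {sorted(ips - base.web_ips)}")
    caa = [r for _, t, r in records if t == "CAA"]
    if not caa:
        findings.append("no CAA record: any public CA may issue for this domain")
    for rdata in caa:            # CAA rdata layout: flags tag "value"
        _flags, tag, value = rdata.split(None, 2)
        value = value.strip('"')
        if tag in ("issue", "issuewild") and value != ";" and value not in base.authorized_cas:
            findings.append(f"CAA permits unauthorized CA {value}")
    if not any(t == "DS" for _, t, _ in records):  # DS lives at the parent; query it too
        findings.append("no DS record: DNSSEC not deployed, resolvers cannot validate answers")
    return findings
SAMPLE = """
example.com. 3600 IN NS ns1.example-dns.net.
example.com. 3600 IN NS ns9.rogue-host.invalid.
example.com. 3600 IN DS 12345 13 2 1A2B3C
www.example.com. 300 IN A 203.0.113.10
www.example.com. 300 IN A 198.51.100.77
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issue "unknown-ca.invalid"
"""
BASELINE = Baseline({"ns1.example-dns.net", "ns2.example-dns.net"}, {"203.0.113.10"}, {"letsencrypt.org"})
```

Running `audit_zone(parse_records(SAMPLE), BASELINE, "www.example.com")` on the constructed dump reports the rogue name server, the extra A record and the unauthorized CA; an unchanged zone returns an empty list.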

"Exploiting a weak link in the internet's security meddles with the fundamental address book of the internet, which not only makes this attack by Sea Turtle rare but also disturbing, as it calls into question our basic trust model of the internet," said Casey Ellis, founder and CTO of bug bounty platform provider Bugcrowd. "Though the bulk of the attack was on government bodies, what makes this stand out is their approach. This trickle-down approach may start with governments that are supposed to be the first line of defense, and once that is broken, so will the trust of the people. A radical shift in approach is needed."

"Attackers are recognizing that DNS – from registrar, to authoritative DNS, to recursive – is a relatively weak point in the mitigation strategies of enterprises, governments, and other organizations relative to the potential malicious impact they can have by attacking DNS. Previous attacks also compromised the registrar in some cases, but this is more significant," said Kris Beevers, CEO of traffic and DNS management company NS1. "The bad actors are exploring all the angles they can to take advantage of this weak point, and we will continue to see attacks against the DNS control plane (registrars, authoritative DNS systems) and against the caching hierarchy of DNS (e.g. DNS poisoning attacks) until target organizations raise the barrier to impact and widely implement well-known best practice domain security measures... "


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.