A Government Hacks The Web's Phone Book, And Erodes Trust In The Internet
A group of government-backed hackers have taken over chunks of the Domain Name System (DNS), a crucial part of the Web’s infrastructure that’s often been compared to the phone book of the internet. That’s according to researchers who say the brazen attacks aren’t just damaging for the targeted companies, but for the trust in the internet as a whole.
Approximately 40 different organizations across 13 different countries were hacked as a result of the attacks, researchers from Cisco’s Talos cybersecurity arm said. Targets included national security organizations, ministries of foreign affairs and prominent energy organizations. Most were based in the Middle East and Northern Africa.
The researchers said it was one of the scarier attacks they’d seen, as it marked the moment when a government had dedicated significant resources to targeting a vital piece of the Web.
“Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system,” the Cisco Talos researchers wrote in a report released Wednesday.
A Sea Turtle attacks
To carry out their attacks, the hackers first broke into various organizations that help run the DNS. The DNS is the portion of the Web that routes users to the right websites. When you type “forbes.com” into your browser, the DNS finds the Web server that hosts this website’s content. Once the right Web server — represented by an IP address that’ll look something like 22.214.171.124 — is found, the content can be fetched from that server and delivered to your PC or phone. The DNS does all this by checking in with various supposedly trusted organizations, such as internet service providers and domain registries, which keep records of which servers host which Web domains.
Those organizations make for interesting targets for hackers. If they can take control of one of them, they can alter the records and take anyone to their own website. From there, they could set up fake login pages and steal people’s usernames and passwords. That’s exactly what Cisco Talos says this group, dubbed Sea Turtle, did.
During the first stage in this latest spate of attacks, in late December and early January, the targets included domains managed by two major DNS providers, Packet Clearing House (PCH) and Netnod. PCH and Netnod both disclosed breaches earlier this year. In its online statement, Netnod said “no customers who used the services during this time were affected,” but admitted that it had suffered three attacks in January, two of which involved changes in DNS that affected a small number of customers. PCH contacted Forbes after publication, also saying none of its customers had been affected by the attacks. It said that a “compromise of a domain name registrar’s security allowed the delegation name servers for the pch.net domain to be changed to servers not controlled by PCH.”
But PCH also said it had “direct knowledge” of more than 150 victims, well above the 40 that Cisco’s cybersecurity arm reported. “Given that, I’d be surprised if the actual number were lower than, say, 300,” said Bill Woodcock, executive director of PCH.
According to Cisco Talos, the hackers were able to alter DNS records across a number of infrastructure providers so that anyone trying to reach the legitimate Web address of a target was sent to an attacker-controlled server instead. There, the visitor was presented with a login page that looked like the real thing, except that any username and password entered was transferred to the spies. Their eventual aim was to gain access to the target’s network. None of the eventual victims were named.
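The registrar-level change PCH describes, where a domain’s delegation name servers were pointed at servers the owner does not control, is the kind of drift a zone owner can catch by diffing observed NS and A records against a known-good baseline. The Python below is an added example, not code from the article, Cisco Talos or PCH; the zone name, name servers and IP addresses are constructed placeholders from reserved example ranges.

```python
# Baseline the zone owner controls. Names and addresses are constructed
# for this example (reserved example ranges), not taken from the article.
BASELINE = {
    "example.net": {
        "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
        "A": {"198.51.100.10"},
    },
}

def _norm(name):
    """Lower-case and drop the trailing dot so 'NS1.X.NET.' == 'ns1.x.net'."""
    return name.lower().rstrip(".")

def parse_snapshot(text):
    """Parse zone-file style lines ('owner TTL IN TYPE RDATA') into
    {owner: {TYPE: set(rdata)}}; blank lines and ';' comments are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        by_type = records.setdefault(_norm(owner), {})
        by_type.setdefault(rtype.upper(), set()).add(_norm(rdata))
    return records

def check_delegation(zone, snapshot, baseline=BASELINE):
    """Return findings for `zone`; an empty list means NS/A match the baseline."""
    expected = baseline.get(_norm(zone))
    if expected is None:
        return [f"{zone}: no baseline on file"]
    observed = snapshot.get(_norm(zone), {})
    findings = []
    for rtype, want in expected.items():
        got = observed.get(rtype, set())
        findings += [f"{zone} {rtype}: unexpected {x}" for x in sorted(got - want)]
        findings += [f"{zone} {rtype}: missing {x}" for x in sorted(want - got)]
    return findings

# Constructed snapshots: HIJACKED mirrors a registrar-level delegation change;
# CLEAN is what a healthy lookup returns (case and trailing dots vary).
HIJACKED = """example.net. 3600 IN NS ns1.attacker-dns.example. ; not ours
example.net. 3600 IN NS ns2.attacker-dns.example.
example.net. 300 IN A 203.0.113.7
"""
CLEAN = """example.net. 3600 IN NS ns1.example-dns.net.
example.net. 3600 IN NS NS2.EXAMPLE-DNS.NET.
example.net. 300 IN A 198.51.100.10
"""
```

In practice the snapshot would come from querying the parent zone’s authoritative servers from several vantage points on a schedule, so that a delegation change made at the registrar is noticed before the old records expire from caches.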
Though previous reports from cybersecurity companies and an advisory from the U.S. Department of Homeland Security warned about the attacks, none had pointed to a single group responsible for such targeted hacks. Peter Kruse, founder of Danish cybersecurity firm CSIS, told Forbes that he was part of a working group of around 20 researchers that had been tracking the DNS attacks and that it was now reaching out to governments, law enforcement and targets to warn them. “I can confirm a large diversity of attacks leading to multiple scenarios of attacks conducted over the past year,” he added. “It’s very large and well coordinated, and has other motivations than financial gain.”
U.S. cybersecurity firm CrowdStrike had previously named a number of countries where government and internet providers had been hit. They included Egypt, Iraq, Saudi Arabia, UAE, Kuwait, Lebanon, Libya and Sweden.
The latter appeared to be an outlier, but Cisco Talos explained that on March 27, 2019, the Sea Turtle group targeted Swedish consulting firm Cafax. On Cafax’s public webpage, the company notes it helps manage a selection of DNS servers that were previously controlled by Netnod, which is also Swedish. “We assess with high confidence that this organization was targeted in an attempt to re-establish access to the Netnod network, which was previously compromised by this threat actor,” Cisco Talos wrote.
A spokesperson for the researchers said that “whilst they assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, they are deferring to law enforcement officials on establishing attribution.” Forbes contacted the FBI and the U.K.’s NCSC for comment, but none had responded at the time of publication.
A spokesperson for the DHS Cybersecurity & Infrastructure Security Agency didn’t respond to a question on attribution but said it had looked into the attacks and found no evidence federal networks or computers were compromised. It’s now working with industry partners to close off the urgent vulnerabilities resident in the DNS system, the spokesperson added.
DNS has long been a potential disaster zone for Web security. Earlier this month, it emerged that consumers were being targeted too: home routers, like those manufactured by D-Link, were being hit by DNS hijacking to trick users into handing over login information for Gmail, Netflix and PayPal.
“The concern about DNS attacks such as we saw is that they can have two underlying purposes: diverting users to fake sites in order to steal data, or disruption in general. Imagine if DNS were simply to disappear tomorrow. The disruption would be immense,” said professor Alan Woodward, cybersecurity expert at the University of Surrey.
“Until it’s fixed, and everyone is on the same page, DNS … will remain the soft underbelly of the Web and internet. Meanwhile, every day, we become more dependent on these structures. It’s not a happy thought.”
This article was updated at 10.30 am BST to include PCH’s comments and its claim that there were more than 150 victims.