
WIRED: Entire internet domain of Cyprus could have been hijacked in internet espionage campaign

Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group carried out a broad campaign of espionage via DNS hijacking, hitting 40 different, mainly governmental, organisations in countries of the Middle East and North Africa, including Cyprus.

The group, named “Sea Turtle”, is believed to have compromised multiple country-code top-level domains—the suffixes like .gov.cy or .co.uk that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.

The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system.

But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organisations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa.

Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations.

However, it did provide a list of the countries where victims were located: Cyprus, Albania, Armenia, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates.

Cisco Talos said that the group could have been backed by a nation-state.

What is DNS hijacking?

According to Wired, DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as “google.com,” into the IP address that represents the actual computer where that service is hosted, such as “64.233.191.255.”

Corrupt that system, and hackers can redirect that domain to any IP address they choose.

How could the hacking have affected users?

“When you’re on your computer and visit your bank, you assume DNS servers will tell you the truth,” Cisco Talos researcher Craig Williams told Wired. “Unfortunately what we’re seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to.”

Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco’s researchers.

The hackers would change the target organisation’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. When users then attempted to reach the victim’s network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.

The hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network.

To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they’d intercepted vast troves of the target organisation’s data, and the keys to enter its network at will.

Defending Against Sea Turtle

Cisco Talos has a few recommendations to help organisations minimize the risk of being a victim of a DNS hijacking attack.

  • Use a Registry Lock Service – With registry lock, changes can only be made after an additional message and request for authorization is made.
  • Secure Access with MFA – Domain access should be secured with more than just a username and a password. Multi-factor authentication (MFA) requires the use of a secondary password or token to gain access.

Williams commented that the use of DNSSEC may help with this issue, but the attackers have shown their ability to work around defensive strategies, so it’s impossible to say for certain. DNSSEC (DNS security extensions) provides an additional degree of cryptographic assurance to domain name information.
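The attack pattern described above (re-pointing a domain’s registration at attacker-run name servers) and the mitigations just listed suggest a simple defender-side check: compare a known-good baseline of a zone’s NS delegation, A records and DS (DNSSEC) records against what is currently observed. The following is an added illustration, not code from WIRED or Cisco Talos; all domain names, addresses and the DS digest are constructed placeholders, and in practice the “observed” snapshot would be filled from live resolver queries.

```python
from dataclasses import dataclass, field

@dataclass
class DnsSnapshot:
    """Constructed snapshot of a zone's delegation and answers (not real data)."""
    ns: set[str]                                # authoritative name servers
    a: dict[str, set[str]]                      # hostname -> IPv4 addresses
    ds: set[str] = field(default_factory=set)   # DS records at the parent zone

def detect_delegation_hijack(baseline: DnsSnapshot, observed: DnsSnapshot) -> list[str]:
    """Return findings describing deviations from the baseline; [] means clean."""
    findings = []
    # 1. Delegation: the attack re-points the registration at attacker-run name
    #    servers, so any NS outside the baseline is the primary signal.
    rogue_ns = observed.ns - baseline.ns
    missing_ns = baseline.ns - observed.ns
    if rogue_ns:
        findings.append(f"NS delegation changed: unexpected servers {sorted(rogue_ns)}")
    if missing_ns:
        findings.append(f"NS delegation changed: expected servers missing {sorted(missing_ns)}")
    # 2. Answers: a rogue server hands out the man-in-the-middle address.
    for host, expected in baseline.a.items():
        seen = observed.a.get(host, set())
        if seen != expected:
            findings.append(f"A record for {host} changed: {sorted(expected)} -> {sorted(seen)}")
    # 3. DNSSEC chain: a removed or altered DS record means the parent no longer
    #    vouches for the zone's keys, so an unsigned forged zone stops failing validation.
    if baseline.ds and observed.ds != baseline.ds:
        findings.append("DS record set at parent changed or removed (DNSSEC chain broken)")
    return findings

# Constructed baseline for a hypothetical ministry domain (placeholder names/addresses).
BASELINE = DnsSnapshot(
    ns={"ns1.example-registrar.test", "ns2.example-registrar.test"},
    a={"mail.ministry.example": {"192.0.2.10"}, "www.ministry.example": {"192.0.2.20"}},
    ds={"12345 13 2 <digest-placeholder>"},
)
# Constructed hijacked observation: delegation re-pointed, mail host resolved to an
# interception address, DS dropped so the forged zone no longer fails validation.
HIJACKED = DnsSnapshot(
    ns={"ns1.attacker-controlled.test", "ns2.attacker-controlled.test"},
    a={"mail.ministry.example": {"198.51.100.7"}, "www.ministry.example": {"192.0.2.20"}},
    ds=set(),
)

if __name__ == "__main__":
    for finding in detect_delegation_hijack(BASELINE, HIJACKED):
        print("ALERT:", finding)
```

Run on a schedule against the registrar’s and the parent zone’s live answers, a non-empty result is the signal to check whether a registry lock or MFA on the registrar account was bypassed.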

“Patching, Defense in depth, and user education are key,” Williams said.

Read the full WIRED article here.
