WIRED: Entire internet domain of Cyprus could have been hijacked in internet espionage campaign

Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group carried out a broad campaign of espionage via DNS hijacking, hitting 40 different, mainly governmental, organisations in countries of the Middle East and North Africa, including Cyprus.

The group, named “Sea Turtle”, is believed to have compromised multiple country-code top-level domains—the suffixes like .gov.cy or .co.uk that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.

The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system.

But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organisations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa.

Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations.

However, it did provide a list of the countries where victims were located: Cyprus, Albania, Armenia, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates.

Cisco Talos said that the group could have been backed by a nation-state.

What is DNS hijacking?

According to Wired, DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as “google.com,” into the IP address that represents the actual computer where that service is hosted, such as “64.233.191.255.”

Corrupt that system, and hackers can redirect that domain to any IP address they choose.

How could the hacking have affected users?

“When you’re on your computer and visit your bank, you assume DNS servers will tell you the truth,” Cisco Talos researcher Craig Williams told Wired. “Unfortunately what we’re seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to.”

Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco’s researchers.

The hackers would change the target organisation’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. When users then attempted to reach the victim’s network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.

The hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network.

To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they’d intercepted vast troves of the target organisation’s data, and the keys to enter its network at will.
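The pattern described above (delegation switched to attacker-controlled nameservers, hosts briefly resolving to an interception server, then everything put back) is visible to a defender who keeps a baseline of their own delegation and compares periodic snapshots against it. The monitor below is an added example, not code from the WIRED or Cisco Talos write-ups; it assumes the operator already records the expected NS set and host addresses for each zone, and the zone names, IPs and snapshot series are constructed placeholders.

```python
"""Detect delegation drift of the kind described above from periodic snapshots.

Added example (not from the WIRED or Cisco Talos reporting). Assumes a defender
keeps a baseline of the expected NS records and resolved addresses for a zone
and periodically records what the public DNS actually returns. All names and
addresses here are constructed placeholders in reserved documentation ranges.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    ns: frozenset      # nameservers the registry delegation currently points to
    a: dict            # hostname -> IPv4 answer seen from a public resolver


# Constructed baseline for one hypothetical zone.
BASELINE = Snapshot(
    taken_at=datetime(2019, 1, 1, 0, 0),
    ns=frozenset({"ns1.example-ministry.test", "ns2.example-ministry.test"}),
    a={"mail.example-ministry.test": "192.0.2.10",
       "www.example-ministry.test": "192.0.2.20"},
)

# Constructed snapshot series: normal, two days of drift, then restored.
# 203.0.113.0/24 stands in for attacker-controlled infrastructure.
SNAPSHOTS = [
    Snapshot(datetime(2019, 1, 2, 6, 0), BASELINE.ns, dict(BASELINE.a)),
    Snapshot(datetime(2019, 1, 3, 6, 0),
             frozenset({"ns1.rogue-dns.test", "ns2.rogue-dns.test"}),
             {"mail.example-ministry.test": "203.0.113.5",
              "www.example-ministry.test": "203.0.113.5"}),
    Snapshot(datetime(2019, 1, 4, 6, 0),
             frozenset({"ns1.rogue-dns.test", "ns2.rogue-dns.test"}),
             {"mail.example-ministry.test": "203.0.113.5",
              "www.example-ministry.test": "192.0.2.20"}),
    Snapshot(datetime(2019, 1, 5, 6, 0), BASELINE.ns, dict(BASELINE.a)),
]


def compare(baseline, observed):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    added = observed.ns - baseline.ns
    removed = baseline.ns - observed.ns
    if added or removed:
        findings.append(
            f"delegation changed: added {sorted(added)}, removed {sorted(removed)}")
    for host, expected_ip in baseline.a.items():
        seen = observed.a.get(host)
        if seen is None:
            findings.append(f"{host}: no answer returned")
        elif seen != expected_ip:
            findings.append(f"{host}: resolves to {seen}, expected {expected_ip}")
    return findings


def scan(baseline, snapshots):
    """Compare every snapshot; return (timestamp, findings) only where drift was seen."""
    alerts = []
    for snap in sorted(snapshots, key=lambda s: s.taken_at):
        findings = compare(baseline, snap)
        if findings:
            alerts.append((snap.taken_at, findings))
    return alerts


def drift_window_days(alerts):
    """Days between the first and last drifted snapshot, or None if there were none.

    A short window with a full restore afterwards matches the hit-and-run
    behaviour described in the article, so it should not be read as a false alarm.
    """
    if not alerts:
        return None
    return (alerts[-1][0] - alerts[0][0]).days


if __name__ == "__main__":
    for when, findings in scan(BASELINE, SNAPSHOTS):
        print(when.isoformat(), *findings, sep="\n  ")
    print("drift window (days):", drift_window_days(scan(BASELINE, SNAPSHOTS)))
```

In practice the snapshots would come from querying the parent zone's delegation and a few independent public resolvers on a schedule; comparing against the operator's own baseline rather than against a previous snapshot matters because a change that is quickly reverted would otherwise cancel itself out between two consecutive runs.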

Defending Against Sea Turtle

Cisco Talos has a few recommendations to help organisations minimise the risk of falling victim to a DNS hijacking attack.

  • Use a Registry Lock Service – With registry lock in place, changes to the domain’s registration can only be made after an additional, separately confirmed request for authorisation.
  • Secure Access with MFA – Domain access should be secured with more than just a username and a password. Multi-factor authentication (MFA) requires a secondary password or token, in addition to the password, to gain access.

Williams commented that the use of DNSSEC may help with this issue, but the attackers have shown their ability to work around defensive strategies, so it is impossible to say for certain. DNSSEC (DNS Security Extensions) provides an additional degree of cryptographic assurance to domain name information.
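Whether a registry lock is actually in place can be checked from the outside: gTLD whois output lists the domain’s EPP status codes, and a registry lock service sets the three registry-level `server*Prohibited` codes, which only the registry can clear, whereas the `client*Prohibited` codes can be removed by anyone holding the registrar account. The checker below is an added example, not code from Cisco Talos or WIRED; it assumes the gTLD whois “Domain Status:” line format (ccTLD registries, .cy included, present status differently), and the whois excerpts are constructed.

```python
"""Assess a domain's lock posture from whois "Domain Status" lines.

Added example (not from the WIRED or Cisco Talos reporting). Assumes the
gTLD whois format, where each EPP status code appears on its own
"Domain Status:" line; ccTLD whois output varies and may need a different
parser. The whois excerpts below are constructed samples.
"""
import re

# Registry-set locks: only the registry can lift them, which is what a registry
# lock service provides.
REGISTRY_LOCKS = frozenset({
    "serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited",
})
# Registrar-set locks: useful against accidental changes, but anyone who controls
# the registrar account (a stolen password, for example) can clear them.
REGISTRAR_LOCKS = frozenset({
    "clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited",
})

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Extract the set of EPP status codes from whois text."""
    return frozenset(STATUS_RE.findall(whois_text))


def assess(statuses):
    """Classify lock posture.

    Returns (level, missing_registry_locks) where level is one of
    "registry-locked", "registrar-locked-only" or "unlocked".
    """
    missing = REGISTRY_LOCKS - statuses
    if not missing:
        return "registry-locked", frozenset()
    if statuses & REGISTRAR_LOCKS:
        return "registrar-locked-only", missing
    return "unlocked", missing


# Constructed whois excerpt for a domain protected by a registry lock service.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-MINISTRY.TEST
Registrar: Example Registrar Ltd
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-MINISTRY.TEST
"""

# Constructed whois excerpt for a domain with only the default registrar lock.
REGISTRAR_ONLY_WHOIS = """\
Domain Name: EXAMPLE-TELCO.TEST
Registrar: Example Registrar Ltd
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-TELCO.TEST
"""

# Constructed whois excerpt with no locks at all.
UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-ISP.TEST
Registrar: Example Registrar Ltd
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE-ISP.TEST
"""


def report(whois_text):
    """One-line summary suitable for a periodic compliance check."""
    level, missing = assess(parse_statuses(whois_text))
    if missing:
        return f"{level}: missing {', '.join(sorted(missing))}"
    return level


if __name__ == "__main__":
    for sample in (LOCKED_WHOIS, REGISTRAR_ONLY_WHOIS, UNLOCKED_WHOIS):
        print(report(sample))
```

Running this against the organisation’s own domains on a schedule also catches the case where a registry lock was silently removed, which is itself an event worth alerting on.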

“Patching, Defense in depth, and user education are key,” Williams said.

Read the full WIRED article here.
