WIRED: Entire internet domain of Cyprus could have been hijacked in internet espionage campaign

Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group carried out a broad campaign of espionage via DNS hijacking, hitting 40 different, mainly governmental, organisations in countries of the Middle East and North Africa, including Cyprus.

The group, named “Sea Turtle”, is believed to have compromised multiple country-code top-level domains—the suffixes like .gov.cy or .co.uk that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.

The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system.

But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organisations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa.

Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations.

However, it did provide a list of the countries where victims were located: Cyprus, Albania, Armenia, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates.

Cisco Talos said that the group could have been backed by a nation-state.

What is DNS hijacking?

According to Wired, DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as “google.com,” into the IP address that represents the actual computer where that service is hosted, such as “64.233.191.255.”

Corrupt that system, and hackers can redirect that domain to any IP address they choose.

How could the hacking have affected users?

“When you’re on your computer and visit your bank, you assume DNS servers will tell you the truth,” Cisco Talos researcher Craig Williams told Wired. “Unfortunately what we’re seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to.”

Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco’s researchers.

The hackers would change the target organisation’s domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim’s legitimate ones. When users then attempted to reach the victim’s network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.

The hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network.

To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they’d intercepted vast troves of the target organisation’s data, and the keys to enter its network at will.

Defending Against Sea Turtle

Cisco Talos has a few recommendations to help organisations minimize the risk of being a victim of a DNS hijacking attack.

  • Use a Registry Lock Service – With registry lock, changes can only be made after an additional message and request for authorization is made.
  • Secure Access with MFA – Domain access should be secured with more than just a username and a password. Multi-factor authentication (MFA) requires the use of a secondary password or token to gain access.

Williams commented that the use of DNSSEC may help with this issue, but the attackers have shown their ability to work around defensive strategies, so it’s impossible to say for certain. DNSSEC (DNS security extensions) provides an additional degree of cryptographic assurance to domain name information.
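Registry lock and MFA make the registrar-level change harder; a monitoring check catches it if it happens anyway. The script below is an added example (not Cisco Talos’ or WIRED’s code) that compares observed DNS data against a baseline and flags the two indicators described above: the zone’s delegation no longer pointing at the organisation’s own name servers, and hosts resolving to addresses outside its own prefixes. All domain names, name servers and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set

# Baseline per zone: the name servers the organisation actually runs and the
# IP prefixes its public services live in (constructed values, not from the report).
BASELINE = {
    "example.gov.cy": {
        "ns": {"ns1.example.gov.cy.", "ns2.example.gov.cy."},
        "prefixes": ["192.0.2.0/24"],
    },
}

def check_zone(zone: str, observed_ns: Set[str], observed_a: Dict[str, str],
               baseline: dict = BASELINE) -> List[str]:
    """Compare one observation against the baseline and return a list of findings.

    observed_ns: NS names the parent zone (e.g. the ccTLD) currently returns for `zone`.
    observed_a:  host -> IPv4 address as resolved through that NS set.
    """
    base = baseline[zone]
    findings = []
    # Indicator 1: the delegation at the registry no longer matches our servers.
    unexpected_ns = observed_ns - base["ns"]
    missing_ns = base["ns"] - observed_ns
    if unexpected_ns:
        findings.append(f"NS delegation changed: unexpected {sorted(unexpected_ns)}")
    if missing_ns:
        findings.append(f"NS delegation changed: missing {sorted(missing_ns)}")
    # Indicator 2: a host now resolves outside the organisation's address space,
    # the shape of the man-in-the-middle redirect described in the article.
    nets = [ipaddress.ip_network(p) for p in base["prefixes"]]
    for host, addr in observed_a.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets):
            findings.append(f"{host} resolves to {addr}, outside expected prefixes")
    return findings

# Constructed observations: one healthy, one matching the hijack pattern.
HEALTHY = check_zone("example.gov.cy",
                     {"ns1.example.gov.cy.", "ns2.example.gov.cy."},
                     {"mail.example.gov.cy": "192.0.2.25"})
HIJACKED = check_zone("example.gov.cy",
                      {"ns1.rogue-dns.example.", "ns2.example.gov.cy."},
                      {"mail.example.gov.cy": "203.0.113.7"})

if __name__ == "__main__":
    for label, result in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(label, result or ["no findings"])
```

In practice the observed values would come from a scheduled query to the parent zone’s servers and from several independent resolvers, so that a change seen only through one path still raises an alert.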

“Patching, Defense in depth, and user education are key,” Williams said.

Read the full WIRED article here.
