A highly capable and resourceful attack team has been targeting national security organizations, telecommunications providers, ISPs, and energy companies in the Middle East and Africa via a DNS-hijacking campaign that stretches back to at least January 2017. The group uses a variety of techniques to manipulate the DNS system and is responsible for the only known DNS registry compromise, as well as a number of other successful intrusions.
The attackers behind this campaign, known as Sea Turtle, have compromised more than 40 separate organizations over the course of the last two years and have shown the ability to use several different tactics to accomplish their goals, including exploiting known vulnerabilities in web applications, routers and switches, stealing SSL certificates to set up man-in-the-middle servers, and spoofing VPN apps to steal credentials. Researchers from the Cisco Talos Intelligence Group have been tracking the attackers and said in a new report that the group is distinct from the team behind previous DNS-hijacking operations such as DNSpionage and likely has backing from a nation state.
“In the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities,” the Talos report says.
“The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker’s sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.”
Among the primary targets in the Sea Turtle campaign are intelligence agencies, energy organizations, and military organizations, almost all located in the Middle East and North Africa. The attackers were able to compromise registrars that manage the country code TLD for Armenia, which would have allowed them to hijack any domain in that ccTLD. They also were responsible for the compromise of NetNod, a DNS registry in Sweden, which occurred in December 2018 and January 2019.
“The incident as it affected Netnod occurred in several short windows during the period 14 December 2018 - 2 January 2019. Within this period, Netnod suffered from three different attacks. Two of these involved changes in DNS which affected a small number of customers,” NetNod said in a statement on the attack earlier this year.
“The third attack, between 29 December and 2 January, involved some traffic to our DNSNODE web portal and API being redirected to a proxy outside our control.”
DNS hijacking campaigns occur on a regular basis, but often on a smaller scale than this and they usually don’t last nearly as long as the Sea Turtle attacks. The goal of a DNS hijacking operation is to modify the DNS records in order to redirect traffic meant for a legitimate server to one controlled by an attacker. There are a few different ways that attackers can do this, ranging from simple to complex. The most direct route is to gain access to a victim organization’s credentials for its DNS registrar and then modify the DNS records. But an attacker also could go through an ISP or hosting company that manages DNS records for the victim organization or attack one of the registries that manage top-level domains. Those are more difficult to pull off, though.
The Sea Turtle attackers typically gained initial access to a target organization through a spear phishing attack or by exploiting a vulnerability in the organization’s infrastructure. In various cases, the attackers exploited bugs in the phpMyAdmin console, Cisco switches and routers, and the Apache web server. Once inside a new network, the attackers would move laterally and look for a method to capture the credentials needed to get to the organization’s DNS registry. With that done, the group would then update the DNS records to point requests to a name server controlled by the attackers. In some cases, the attackers would then set up a MITM framework on the server to look like legitimate apps used by the organization in an effort to steal users’ credentials. The Sea Turtle group uses legitimate certificates for the domains it’s impersonating, and once it grabs the victims’ credentials, moves them on to the actual service they were trying to reach. In other cases, the attackers stole the legitimate SSL certificates from compromised organizations, but typically only used those certificates for a day or so in order to avoid detection.
“One notable aspect of the campaign was the actors’ ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA’s SSL certificate to harvest VPN credentials to gain remote access to the victim’s network. This capability would allow the threat actors to harvest additional VPN credentials,” the Talos report says.
“As an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of “ASA Temporary Self Signed Certificate” associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization.”
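The redirect-then-certificate sequence Talos describes above, together with the record-tampering routes outlined earlier (registrar, ISP, or registry), is what a zone owner can watch for. The following is an added detection example, not code from Talos, Netnod or the article: it compares passive-DNS and certificate observations against a known-good baseline and flags a name where a DNS change is followed by an unexpected certificate. All names, addresses, and the observation format are constructed; only the certificate subject CN string comes from the report.

```python
from dataclasses import dataclass

# Known-good baseline an organisation keeps for its own zone (constructed values).
BASELINE = {
    "vpn.example.org": {
        "NS": {"ns1.example.org", "ns2.example.org"},  # delegation at registrar/registry
        "A": {"203.0.113.10"},                         # address the name should resolve to
        "CERT_CN": {"vpn.example.org"},                # subject CN served on that address
    },
}

@dataclass(frozen=True)
class Observation:
    day: int       # day index since monitoring started
    name: str
    rrtype: str    # "NS", "A" or "CERT_CN" (certificate subject CN seen on the A address)
    value: str

def detect_deviations(observations, baseline=BASELINE):
    """Return (day, name, rrtype, value) for each value outside the baseline.
    An NS value the organisation never published points at registrar- or
    registry-level tampering; an unexpected A value means client traffic is
    being sent to an address the organisation does not control."""
    found = []
    for obs in sorted(observations, key=lambda o: o.day):
        expected = baseline.get(obs.name, {}).get(obs.rrtype)
        if expected is not None and obs.value not in expected:
            found.append((obs.day, obs.name, obs.rrtype, obs.value))
    return found

def mitm_suspected(deviations, window_days=2):
    """Names where an NS/A deviation is followed within window_days by an
    unexpected certificate CN: redirect first, then a certificate stood up
    on the actor-controlled address, the sequence Talos observed."""
    dns_changes = [(d, n) for d, n, t, _ in deviations if t in ("NS", "A")]
    certs = [(d, n) for d, n, t, _ in deviations if t == "CERT_CN"]
    return {n for d, n in dns_changes
            for cd, cn in certs if cn == n and 0 <= cd - d <= window_days}

# Constructed observation feed: normal records, then a redirect and a new cert.
SAMPLE = [
    Observation(0, "vpn.example.org", "NS", "ns1.example.org"),
    Observation(0, "vpn.example.org", "A", "203.0.113.10"),
    Observation(0, "vpn.example.org", "CERT_CN", "vpn.example.org"),
    Observation(5, "vpn.example.org", "A", "198.51.100.7"),  # constructed actor address
    Observation(6, "vpn.example.org", "CERT_CN", "ASA Temporary Self Signed Certificate"),
]
```

In practice the observations would come from a passive-DNS feed and a certificate-transparency or TLS-scanning source; the short window matters because the report notes stolen certificates were often used for only about a day.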
The last couple of years have seen a handful of other successful, large DNS-hijacking campaigns, including the DNSpionage operation. That campaign targeted government agencies and private organizations in the Middle East and used DNS redirection as part of a larger operation. The Talos researchers believe the Sea Turtle campaigns are separate from the DNSpionage operation and said the newly identified team looks to be at the top of its game.
“The threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This cyber threat campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations,” the report says.