DNS interception campaign “Sea Turtle” undermines Internet confidence
For almost two years, more than 40 organizations in 13 countries have fallen victim to the campaign.
Researchers from Cisco Talos have disclosed details of a large-scale campaign dubbed "Sea Turtle", in which attackers use DNS hijacking to steal credentials. The operation has been going on for almost two years, and during that time more than four dozen organizations in thirteen countries have fallen victim to it.
The sophistication of the campaign suggests that it is run by a state-sponsored group, but the experts have not yet been able to attribute it to any specific country. The campaign's targets include intelligence agencies, military organizations, energy companies, telecommunications companies and Internet service providers located in the Middle East and North Africa.
DNS hijacking lets attackers obtain credentials and manipulate the DNS records of target organizations without the victims noticing that they are under attack. By altering these records, attackers can redirect traffic to seemingly legitimate sites that are in fact servers controlled by the criminals.
The experts point out that the current campaign differs from the DNSpionage operation revealed last year, among other things in being more aggressive: the Sea Turtle operators used 16 servers in their attacks, as well as a number of IP addresses previously mentioned in reports on DNS hijacking. What should cause particular concern, they note, is not the audacity of the cybercriminals but the fact that they are undermining the foundation on which trust in the Internet rests.
Remarkably, despite the publicity generated by reports on various DNS hijacking campaigns, the "Sea Turtle" group has not ceased its activities. Such behavior is rather unusual for state-backed groups, which usually go quiet once they have been caught red-handed.
Each attack begins with phishing or a compromise aimed at obtaining the credentials of the target organization, the researchers explain. The attackers then gain access to the DNS registry and carry out a man-in-the-middle attack to intercept the victims' mail and web traffic. They take various measures to conceal their activity, including the use of fake Let's Encrypt, Comodo or Sectigo certificates.
One way to curb the spread of DNS infrastructure hijacks is a registry lock: a set of additional authentication measures, combined with notification of the domain owner, that applies whenever someone tries to change the domain's settings. However, the researchers note, many registrars still do not offer such a feature; in those cases users are encouraged to enable two-factor authentication.
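The two defensive measures described in this article, watching a domain's DNS records for unauthorized change and verifying that a registry lock is actually in place, can be automated. The script below is an added example and is not code from the article or from Cisco Talos; the domain names, IP addresses and RDAP object are constructed sample data, and the registry-lock check relies on the server-side EPP status codes as they appear in RDAP responses.

```python
"""Defender-side checks against DNS hijacking of the Sea Turtle kind.

1. diff_dns_records(): compare an observed NS/A/MX snapshot with a
   known-good baseline and report every change (hijack detection).
2. missing_registry_locks(): inspect the `status` array of an RDAP domain
   object for the registry-level EPP codes that a registry lock sets.
Both run on constructed data, so no network access is required.
"""
from typing import Dict, Set

Snapshot = Dict[str, Set[str]]  # record type -> set of record values

# Codes set by the registry itself when a registry lock is active. The
# "client ... prohibited" codes are registrar-level and can be cleared by
# anyone who controls the registrar account, so they are not counted here.
REGISTRY_LOCK_STATUSES: Set[str] = {
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}

# Constructed baseline (known-good) and a constructed snapshot in which the
# NS and MX records were silently pointed at attacker-controlled hosts.
BASELINE: Snapshot = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.org."},
}
OBSERVED: Snapshot = {
    "NS": {"ns1.rogue-dns.example.", "ns2.rogue-dns.example."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.rogue-dns.example."},
}
# Constructed RDAP domain object: only registrar-level locks are present.
RDAP_SAMPLE = {"ldhName": "example.org",
               "status": ["client transfer prohibited", "client delete prohibited"]}


def diff_dns_records(baseline: Snapshot, observed: Snapshot) -> Dict[str, Dict[str, Set[str]]]:
    """Return {rtype: {"added": values, "removed": values}} for each changed record type."""
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for rtype in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(rtype, set()), observed.get(rtype, set())
        if before != after:
            changes[rtype] = {"added": after - before, "removed": before - after}
    return changes


def missing_registry_locks(rdap_domain: dict) -> Set[str]:
    """Return the registry-lock status codes that the RDAP object lacks (empty set = fully locked)."""
    present = {s.lower() for s in rdap_domain.get("status", [])}
    return REGISTRY_LOCK_STATUSES - present


if __name__ == "__main__":
    for rtype, delta in diff_dns_records(BASELINE, OBSERVED).items():
        print(f"ALERT {rtype}: added={sorted(delta['added'])} removed={sorted(delta['removed'])}")
    missing = missing_registry_locks(RDAP_SAMPLE)
    print("registry lock:", "in place" if not missing else f"missing {sorted(missing)}")
```

In practice the observed snapshot would come from querying several independent resolvers and the RDAP object from the registry's RDAP service; both checks are meant to run on a schedule and alert on any difference.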