10 July 2019

Operation Sea Turtle compromises Greece domain admin, keeps looking for new victims

State-sponsored hackers compromised ICS-Forth (Institute of Computer Science of the Foundation for Research and Technology), the organisation that manages the top-level domains for Greece, .gr and .el, in April this year. The perpetrators behind the hack are the same group that previously compromised at least 40 different organizations across 13 different countries during the campaign dubbed Sea Turtle by security researchers.

In April 2019 the Cisco Talos team published an extensive report describing the campaign, but despite the exposure of their activities, the hackers do not appear to have ceased the operation. New evidence suggests that the threat actor has switched to new infrastructure and is using a different DNS hijacking technique.

The Sea Turtle group uses an interesting approach to hacking targets. Instead of attacking victims directly, they compromise accounts at domain registrars and managed DNS providers and change a company's DNS settings, redirecting traffic meant for an organization's legitimate applications or webmail services to servers under their control, where they carry out man-in-the-middle attacks and capture login credentials. The attacks usually last only a few hours or days and are hard to detect because most companies do not monitor for modifications made to their DNS settings.

According to a new Cisco Talos report, the Sea Turtle group used a similar approach in the attack against the ICS-Forth network. The researchers did not reveal many details of the attack beyond the fact that the hackers maintained access to the network for another five days after ICS-Forth publicly disclosed the incident on April 19. It remains unclear what the attackers did on the network once they gained access to ICS-Forth's systems, and for which domain names they changed DNS settings.

“Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node. Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24, five days after the statement was publicly released. Upon analysis of this operational C2 node, we determined that it was also used to access an organization in Syria that was previously redirected using the actor-controlled name server ns1[.]intersecdns[.]com. This indicates that the same threat actors were behind both operations,” said the researchers.

As for the new DNS hijacking technique the group has been leveraging in the recent attacks, Cisco Talos said it is similar to the previously used methods in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. The experts also pointed out that this technique is rarely used and has only been observed in a few highly targeted operations. Additionally, Talos said it identified new victims located in countries such as Sudan, Switzerland, and the US. The list of targets includes government organizations, energy companies, think tanks, international non-governmental organizations, and at least one airport.
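The detection gap described above, where NS delegations or A records are changed at the registrar or DNS provider and most organisations never notice, can be closed with a routine baseline comparison of exactly those records. The script below is an added example written for this article, not code from Cisco Talos or the original post; the corp.example names, the baseline and the 192.0.2.x/198.51.100.x addresses are constructed, and only the actor-controlled name server in the snapshot is taken from the article.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str, str], Set[str]]  # (owner name, rrtype) -> rdata values

@dataclass(frozen=True)
class Finding:
    name: str
    rrtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        return (f"{self.rrtype} for {self.name} changed: "
                f"expected {sorted(self.expected)}, observed {sorted(self.observed)}")

def normalise(values: Set[str]) -> frozenset:
    """Lower-case and drop the trailing dot so 'NS1.Example.' == 'ns1.example'."""
    return frozenset(v.lower().rstrip(".") for v in values)

def audit_records(baseline: Dict[Tuple[str, str], Set[str]],
                  resolve: Resolver) -> List[Finding]:
    """Compare each baselined (name, rrtype) pair with what currently resolves.
    Any difference, even one extra record, is a finding: legitimate changes go
    into the baseline first rather than being silently accepted."""
    findings = []
    for (name, rrtype), expected in sorted(baseline.items()):
        observed = normalise(resolve(name, rrtype))
        if observed != normalise(expected):
            findings.append(Finding(name, rrtype, normalise(expected), observed))
    return findings

# Constructed baseline and "current" snapshot for a hypothetical organisation.
BASELINE = {
    ("corp.example", "NS"): {"ns1.corp.example", "ns2.corp.example"},
    ("mail.corp.example", "A"): {"192.0.2.10"},
    ("www.corp.example", "A"): {"192.0.2.20"},
}
SNAPSHOT = {
    ("corp.example", "NS"): {"ns1.intersecdns.com."},  # name server named in article
    ("mail.corp.example", "A"): {"198.51.100.7"},       # webmail repointed (constructed)
    ("www.corp.example", "A"): {"192.0.2.20"},          # unchanged
}

def snapshot_resolver(name: str, rrtype: str) -> Set[str]:
    """Stand-in for a live lookup (swap in dnspython or a registrar API)."""
    return SNAPSHOT.get((name, rrtype), set())
```

Running audit_records(BASELINE, snapshot_resolver) on the constructed data reports the swapped NS delegation and the repointed webmail A record and nothing for www. In production, schedule it against live resolution and alert on any finding, since the hijacks described here typically last only hours to days.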
