Cyberspies Hijacked the Internet Domains of Entire Countries

Trailrunner7 shares a report: The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations.

In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk, or .ru, that end a foreign web address -- putting all the traffic of every domain in multiple countries at risk. The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man-in-the-middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[...] Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cypress, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one 'of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.

Re:

[Anonymous Coward]

Around 2006 to 2009, there were a lot of interesting articles being published about advances made in the Quantum computer field.
It looked like SSL encryption would be obsolete in a couple of years.
I saved a bunch of those web pages.

Today -- its like its all been erased from the internet.
In its place is a lot of relatively lame crap that makes Quantum hacking look "impossible".

I never used to "out" myself as a conspiracy theorist -- but then Snowden came along.

Re: Hackers vs Old Regimes

[Type44Q]

Today -- its like its all been erased from the internet. In its place is a lot of relatively lame crap that makes Quantum hacking look "impossible".

Conclusion: the available of actual "quantum code-breaking tech" will not be televised.

Saudi Arabia

[andydread]

Notably missing from the list...interesting.

Re:

[LuniticusTheSane]

If the span of countries in that area of the globe spans from Armenia to Albania, then the countries that are missing from the list are Saudi Arabia, Israel, Greece, Qatar, and Bahrain.

Re:

[LuniticusTheSane]

That was supposed to read Armenia to Albania in the north, and UAE to Libya in the south.

*sigh*

[Gravis Zero]

If only there was a way to secured DNS lookups. /s -_-

Re:

[rtb61]

There is a way to 100% secure DNS (Domain Name Service) lookup, don't use it. If you want a more secure setup, type in the IP address, directly.

The traffic would have had a distinctive traceable pattern, the only way CISCO could not identifying the attackers was they were told to not identify the hackers. They could not ignore it like it didn't happen because that would make them look but, probably even involved.

Re:

[Swave An deBwoner]

So. "vi" or "emacs"?

Things that make you go Hmmmm

[3seas]

could it be your unaccounted for tax dollar (US) at work via NSA, CIA, Pentagon, etc...

Cypress?

[aglider]

Or rather Cyprus?

Hilarious

[JustAnotherOldGuy]

"In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk, or .ru"

Okay, I gotta admit- I find this hilarious but I'm disappointed that the hackers didn't have some real fun with this, like redirecting ALL the traffic for a country to a site full of cat pictures, a RickRoll site, or maybe to the internet's last page [hmpg.net].

espionage with a rare and troubling trick,

[grep -v '.*' *]

Wow! What nerve! What gall! What insight! So can like I use this as ... I meant THEY. Could THEY use this article to help perhaps get a raise and better equipment?

I mean the stuff we've got now is just ... the stuff THEY'RE using now is just pitiful. THEY. It's them. Way over there. Really.

Real Article Link - Cisco Talos Blog

[nullchar]

The Wired article is terrible - the author didn't understand the Talos blog.

https://blog.talosintelligence... [talosintelligence.com]

The Talso blog post is opaque: they present no evidence that root servers for top level domains, such as .AM were compromised. They say it was possible, but a registrar != a registry, nor does that mean they masqueraded as the tech contact listed at IANA. IANA would have the history of any changes.

Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am. Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.

Perhaps you can explore the history here:
https://tldmon.dns-oarc.net/na... [dns-oarc.net]