State-sponsored hackers have breached ICS-Forth, the organization that manages Greece’s country-code top-level domains, .gr and .el.
ICS-Forth, which stands for the Institute of Computer Science of the Foundation for Research and Technology, publicly admitted to the security incident in emails it sent to domain owners on April 19.
Same Sea Turtle group
The hackers behind the breach are the same group detailed in a Cisco Talos report from April, which the company named Sea Turtle.
The group uses a relatively novel approach to hacking targets. Instead of targeting victims directly, they breach or gain access to accounts at domain registrars and managed DNS providers where they make modifications to a company’s DNS settings.
By modifying DNS records for internal servers, they redirect traffic meant for a company’s legitimate apps or webmail services to clone servers where they carry out man-in-the-middle attacks and intercept login credentials.
Attacks are short-lived, lasting from hours to days, and are incredibly hard to detect due to the fact that most companies don’t watch for changes made to DNS settings.
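The detection gap described above (most companies don’t watch their DNS settings) is the one a defender can close cheapest. The following is an added example, not code from the article, from ICS-Forth, or from Cisco Talos: it compares live DNS answers for a zone against a known-good baseline and reports any drift. The domain names, IP addresses and the resolver stand-in are constructed for illustration; in production the `resolve` callable would wrap a real resolver library and ideally query the authoritative servers from several vantage points.

```python
"""Detect unexpected DNS record changes by comparing answers against a
known-good baseline. Added example; all names and addresses are constructed."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Baseline: {(owner name, record type): set of expected values}, captured
# when the zone was known to be correct. Constructed values.
Baseline = Dict[Tuple[str, str], frozenset]

KNOWN_GOOD: Baseline = {
    ("mail.example.com.", "A"): frozenset({"203.0.113.10"}),
    ("example.com.", "NS"): frozenset({"ns1.example.com.", "ns2.example.com."}),
    ("example.com.", "MX"): frozenset({"10 mail.example.com."}),
}

# A resolver is anything that maps (name, record type) to a set of values.
Resolver = Callable[[str, str], frozenset]


@dataclass(frozen=True)
class Finding:
    """One record whose observed value set differs from the baseline."""
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        return (f"{self.rtype} {self.name}: expected {sorted(self.expected)}, "
                f"observed {sorted(self.observed)}")


def check_zone(baseline: Baseline, resolve: Resolver) -> List[Finding]:
    """Query every baseline record and report drift.

    Any difference in the value set (added, removed or swapped values, or an
    empty answer) is a finding. A hijack that repoints the webmail host is
    indistinguishable here from a legitimate change, so every finding should
    be reconciled against the change log before it is dismissed."""
    findings: List[Finding] = []
    for (name, rtype), expected in baseline.items():
        observed = resolve(name, rtype)
        if observed != expected:
            findings.append(Finding(name, rtype, expected, observed))
    return findings


def make_fake_resolver(answers: Dict[Tuple[str, str], frozenset]) -> Resolver:
    """Offline stand-in for a real resolver; returns constructed answers."""
    def resolve(name: str, rtype: str) -> frozenset:
        return answers.get((name, rtype), frozenset())
    return resolve


def system_a_resolver(name: str, rtype: str) -> frozenset:
    """Minimal live resolver using only the standard library. It can answer
    A records via the system resolver; other types return an empty set, which
    check_zone reports as drift, so pair it with a fuller resolver for NS/MX."""
    if rtype != "A":
        return frozenset()
    try:
        _, _, addrs = socket.gethostbyname_ex(name.rstrip("."))
    except OSError:
        return frozenset()
    return frozenset(addrs)


# Constructed snapshot in which the webmail A record now points elsewhere
# while NS and MX are unchanged, the pattern described in the article.
TAMPERED_ANSWERS = {
    ("mail.example.com.", "A"): frozenset({"198.51.100.77"}),
    ("example.com.", "NS"): frozenset({"ns1.example.com.", "ns2.example.com."}),
    ("example.com.", "MX"): frozenset({"10 mail.example.com."}),
}

if __name__ == "__main__":
    for finding in check_zone(KNOWN_GOOD, make_fake_resolver(TAMPERED_ANSWERS)):
        print("ALERT", finding.describe())
```

Run on a schedule shorter than the attacks the article describes (hours, not days), and keep the baseline somewhere the registrar account cannot alter, otherwise an attacker who controls that account can rewrite both the records and the reference they are checked against.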
Reports on this hacker group’s activities have been published, in order, by FireEye, Crowdstrike, and Cisco Talos. FireEye attributed the attacks to a nexus of the Iranian government, while Crowdstrike and Cisco Talos refrained from making any attribution for the attacks just yet. The US DHS and UK NCSC agencies have also issued security alerts about the group’s novel tactics.
A brazen group that doesn’t shy away from big targets
From the linked reports above, for most of their attacks, the Sea Turtle group usually breaches accounts at domain registrars and managed DNS providers — accounts owned by their targets, which used them to manage DNS entries for various servers and services.
However, Sea Turtle didn’t shy away from hacking an entire service provider to get what it wanted — namely, to modify a target company’s server DNS settings.
In its first report, the Cisco Talos team said the Sea Turtle group hacked NetNod, an internet exchange node based in Sweden, which, among other things, also offered DNS services for ccTLD organizations like ICS-Forth.
“Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa),” Cisco Talos researchers said at the time.
Attack on ICS-Forth still shrouded in mystery
Now, in a new report published today, Talos researchers said Sea Turtle hackers pulled off a similar hack, but this time against ICS-Forth.
Unfortunately, this time around, the Talos team doesn’t have any details of what the hackers did on ICS-Forth’s network after they gained access to its systems. Which domain names had their DNS settings changed remains a mystery for now, but Talos said the hackers maintained access for another five days after ICS-Forth publicly disclosed the incident.
However, the attack on ICS-Forth wasn’t the only new Sea Turtle operation. Since their last report on Sea Turtle, Talos said they also identified new victims, in countries such as Sudan, Switzerland, and the US.
These targets — whose DNS settings were modified so hackers could intercept user credentials — are government organizations, energy companies, think tanks, international non-governmental organizations, and at least one airport.
Cisco Talos also added that the group didn’t appear to have been impacted by having its operations exposed over the spring.
Researchers said Sea Turtle were busy doubling down on their attacks with new infrastructure.
“While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward,” Talos said.