GlobalSign expects to resume its certificate-issuing systems today, having closed down over the weekend to audit its security after learning it was a target of the hacker who claimed to have attacked Dutch CA DigiNotar.
The server hosting GlobalSign’s website suffered a breach, company officials said Friday. The hacked server was isolated from other infrastructure related to certificates, the company said.
On Sunday the company said it would bring system components back online Monday in a sequenced startup, but said customers were unlikely to be able to process orders until Tuesday morning.
It said there was no further evidence of a breach beyond the isolated web server, but that it continued to monitor all activity on all services closely as an additional precaution.
The company is sharing all forensics with the authorities and other CAs to assist with their own investigations into related attacks, GlobalSign said. It did not specify who the attacker was.
The company hired security firm Fox-IT to investigate.
Fox-IT already has experience of this kind of investigation: DigiNotar hired it to discover how the attacker hacked into its servers. Hackers were able to use DigiNotar’s servers to issue hundreds of fake SSL certificates, including one for the domain google.com.
The attack on DigiNotar came to light when an Iranian Gmail user noticed something amiss with the webmail service and traced the problem back to the fake certificate.
Close to 300,000 unique IP addresses from Iran requested access to google.com between Aug. 4 and Aug. 29, while the rogue certificate was in use, according to Fox-IT’s interim report for DigiNotar.
A hacker claimed in a message on Pastebin he had broken into DigiNotar, and also had access to four other CAs including GlobalSign. Some know the hacker as Ich Sun, or Comodohacker — a reference to the person’s claims earlier this year to have broken into the servers of another certificate issuer, Comodo.