A new cyber threat campaign called “Sea Turtle” is targeting public and private entities, including energy organizations, located primarily in the Middle East and North Africa, researchers said.
The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019, said researchers at Cisco Talos.
At least 40 different organizations across 13 different countries were compromised during this campaign. The attacks are being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems, said researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres in a post.
The actors behind this campaign focused on using DNS hijacking. DNS hijacking occurs when the attacker can illicitly modify DNS name records to point users to controlled servers.
The Department of Homeland Security (DHS) issued an alert Jan. 24, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization’s domain names.
In the Sea Turtle campaign, Talos identified two distinct groups of victims. The first group, which Talos identifies as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. To obtain access, the attacker targeted third-party entities that provide services to these primary entities.
Victims that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and Internet service providers, the researchers said. One of the most notable aspects of this campaign was how the attackers were able to perform DNS hijacking of their primary victims by first targeting these third-party entities.
Sea Turtle poses a more severe threat than a previous attack called DNSpionage because of the actor’s methodology in targeting various DNS registrars and registries. The level of access necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions, the researchers said.
Because of the effectiveness of this approach, Talos encourages all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology.
The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors, the researchers said. The actors are responsible for the first publicly confirmed case against an organization that manages a root server zone, highlighting the attacker’s sophistication.
Notably, the attackers have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.
The first and most direct way to access an organization’s DNS records is through the registrar, using the registrant’s credentials, the researchers said. These credentials are used to log in to the DNS provider on the client side, which is the registrar. If an attacker was able to compromise an organization’s network administrator credentials, the attacker would be able to change that particular organization’s DNS records at will.
The second way to access DNS records is through a DNS registrar, sometimes called registrar operators. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the request for comment (RFC) 5730 as “a means of interaction between a registrar’s applications and registry applications,” the researchers said. If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records managed by that particular registrar.
The third approach to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs), the researchers said. For example, Verisign manages all entities associated with the top-level domain (TLD) “.com.” All the different registry information then converges into one of 12 different organizations that manage different parts of the domain registry root. The domain registry root is stored on 13 “named authorities in the delegation data for the root zone,” according to ICANN.
“Actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised,” the researchers said. “We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a joint statement that stated, ‘There are no signs of lost integrity or compromise of the content of the root [server] zone…There are no signs of clients having received unexpected responses from root servers.’”
It is important to remember that the DNS hijacking is merely a means for attackers to achieve their primary objective, the researchers said. Based on observed behaviors, the researchers believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:
• Established a means to control the DNS records of the target.
• Modified DNS records to point legitimate users of the target to actor-controlled servers.
• Captured legitimate user credentials when users interacted with these actor-controlled servers.
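Because the records are changed at the registrar or registry, the victim’s own servers show nothing wrong; the drift is only visible from outside, which is why DHS-style guidance tells organizations to audit their public DNS records against a known-good baseline. The following is an added example, not code from the Talos post: it parses a resolver answer in presentation format, compares it with a baseline the organization keeps under change control, and reports which records were added or removed. All domains, addresses and nameserver names are constructed (RFC 2606 names, RFC 5737 address ranges); in practice the observed dump would come from a scheduled external query, and NS changes are rated highest because they imply a registrar- or registry-level modification like the one described above.

```python
# Added example (not from the Cisco Talos post): flag DNS record drift against a
# known-good baseline. Names and addresses are constructed sample data.
from dataclasses import dataclass, field

# Known-good records an organization keeps in version control.
# Key: (owner name, record type); value: set of expected RDATA strings.
BASELINE = {
    ("example.org.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.org.", "A"): {"203.0.113.10"},
    ("example.org.", "MX"): {"10 mx.example.org."},
    ("vpn.example.org.", "A"): {"203.0.113.20"},
}

# Constructed dump in dig-style presentation format. One NS record and the VPN
# host's A record have been swapped for values outside the baseline.
OBSERVED_DUMP = """\
; constructed sample, not real resolver output
example.org.      300 IN NS ns1.example-dns.net.
example.org.      300 IN NS ns1.rogue-example.net.
example.org.      300 IN A  203.0.113.10
example.org.      300 IN MX 10 mx.example.org.
vpn.example.org.  60  IN A  192.0.2.77
"""

# Severity by record type: NS drift means control of the delegation itself.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high"}


@dataclass
class Finding:
    name: str
    rtype: str
    added: set = field(default_factory=set)    # RDATA seen but not expected
    removed: set = field(default_factory=set)  # RDATA expected but missing
    severity: str = "medium"


def parse_zone_dump(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): set(rdata)}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # ignore anything that is not an IN-class resource record
        owner, rtype = parts[0].lower(), parts[3].upper()
        rdata = " ".join(parts[4:])
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def diff_records(baseline, observed):
    """Return one Finding per (owner, type) whose RDATA set differs from baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        added, removed = seen - expected, expected - seen
        if not added and not removed:
            continue
        name, rtype = key
        findings.append(Finding(name, rtype, added, removed, SEVERITY.get(rtype, "medium")))
    return findings


def run_check(baseline=BASELINE, dump=OBSERVED_DUMP):
    """Parse the observed dump and diff it against the baseline."""
    return diff_records(baseline, parse_zone_dump(dump))


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.severity.upper()}] {f.name} {f.rtype}: "
              f"added={sorted(f.added)} removed={sorted(f.removed)}")
```

Run on the constructed dump, the check reports a critical NS finding for example.org. and a high A finding for vpn.example.org.; an unchanged zone produces no findings. The same comparison can be extended to certificate transparency logs, since the DHS alert notes that a hijacker who controls the records can also obtain valid certificates for the domain.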