The hacker claiming responsibility for the attack on a Dutch company that issues security certificates for websites warned he would “strike back again.”
The hacker posted the warning on Pastebin under the handle “Comodohacker.” The same account was used earlier this year to describe the attack on Comodo, which sells SSL (Secure Sockets Layer) certificates, a crucial Internet security component used to secure encrypted communication between a computer and a website.
Comodohacker said on Pastebin that he breached DigiNotar, an issuer of SSL certificates, in order to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War.
DigiNotar issued over 500 fraudulent SSL certificates after the hacker breached its systems. A report released by DigiNotar’s auditor, Fox-IT, found more than 300,000 unique IP addresses may have accessed Google account information under the fraudulent certificate, potentially meaning an attacker could intercept the data exchanged with Google.
Most of those IP addresses were in Iran, which has raised questions about the connection between Comodohacker and perhaps the Iranian government, which closely monitors the Internet for anti-government dissent.
“That’s the mystery,” said Mikko Hypponen, chief research officer for the security vendor F-Secure. “How do we go from these rogue certificates to widescale interception of Iranian citizens?”
Hypponen said it is likely that the person claiming to be Comodohacker carried out the DigiNotar and Comodo hacks, as claimed on Pastebin. The style of broken English is the same, and Comodohacker also apparently created certificates using Persian phrases that were used during the Comodo hack, Hypponen said.
Comodohacker also wrote in his Pastebin note that he had gained access to four more “certificate authorities,” entities or companies like DigiNotar and Comodo that issue SSL certificates. He claimed to have access to GlobalSign, a widely used certificate authority.
Steve Roylance, GlobalSign’s business development director, said the company has started an investigation.
“There’s no concrete evidence of anything that has happened so far,” Roylance said. “We are taking this very seriously at the moment.”
Comodohacker also wrote on Monday that he had in the past attacked StartCom, another certificate authority, but indicated that the attack didn’t work.
StartCom’s chief operating officer and CTO, Eddy Nigg, said on Tuesday that his company detected the attack in June but was able to block it before Comodohacker could issue any fraudulent certificates.