Cisco Talos: The ongoing Sea Turtle campaign is harvesting credentials in Middle East and North Africa. An advanced state-sponsored actor compromised at least 40 different organizations across 13 different countries with DNS hijacking

The malicious Sea Turtle cyber campaign is targeting public and private entities located primarily in the Middle East and North Africa. It has been discovered by Cisco Talos cyber security experts. The operation, aimed to credential harvesting, likely began as January 2017 and continued through the first quarter of 2019. At least 40 organizations across 13 different countries were compromised during the cyber attacks. According to the company’s blog, this activity is being carried out by an advanced state-sponsored actor, that seeks to obtain persistent access to sensitive networks and systems. The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives.  The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization’s domain names.

The cyber security experts: In the campaign there are two distinct groups of victims. The first ncludes national security organizations, ministries of foreign affairs, and prominent energy organizations. The second, DNS registrars, TLC companies, and ISPs

In Sea Turtle Cisco Talos identified two distinct groups of victims. The first group, the primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. The secondary victims include many DNS registrars, telecommunication companies, and ISPs. One of the most notable aspects of this campaign was how the malicious hackers were able to perform DNS hijacking of their primary victims by first targeting the third-party entities. Moreover, these operations are different and independent from the operations performed by DNSpionage, which the cyber security experts reported on in November 2018. This campaign poses a more severe threat than DNSpionage given the actor’s methodology in targeting DNS registrars and registries. The level of access necessary to engage in DNS hijacking indicates an ongoing, high degree of threat in targeted regions. 

The DNS hijacking is the Sea Turtle infection vector

The Sea Turtle malicious hackers use globalized DNS hijacking activity as an infection vector. According to the cyber security experts, during a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified “A” record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize risks of any records remaining in the DNS cache of the victim machine.

The malicious hackers use MitM (man-in-the-middle) servers to harvest credentials

Cisco Talos revealed that the next step for the threat actor was to build MitM (man-in-the-middle) servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed “certificate impersonation,” a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization. This tactic would make detecting the MitM attack more difficult, as a user’s web browser would still display the expected “SSL padlock” in the URL bar. When the victim entered their password into the attacker’s spoofed webpage, the actor would capture these credentials for future use.

Then, the threat actors steal the victim’s SSL certificate, in order to perform additional MitM to harvest additional credentials

Once the threat actors appeared to have access to the network, they stole the organization’s SSL certificate. The attackers would then use it on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the malicious hackers to expand their access into the targeted organization’s network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using for an extended period would increase the likelihood of detection. In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate.

Cisco Talos: The unique traits of the Sea Turtle campaign

The threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This DNS-based cyber attacks campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations. In order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: 

1. These actors perform DNS hijacking through the use of actor-controlled name servers. These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars, including those that manage ccTLDs.
2. These actors use Let’s Encrypts, Comodo, Sectigo, and self-signed certificates in their MitM servers to gain the initial round of credentials.
3. Once they have access to the network, they steal the organization’s legitimate SSL certificate and use it on actor-controlled servers.

The cyber security experts: Threat actor continues launching cyber attacks, despite has been partially exposed

According to the cyber security experts, the Sea Turtle campaign actors show clear signs of being highly capable and brazen in their endeavors. The malicious hackers are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting their sophistication. Notably, they have continued their cyber attacks, despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.

Photo Credits: Cisco Talos