State-Sponsored Attack Is Manipulating DNS Systems of National Security Organizations


A team of security researchers on Wednesday issued a stern warning about a DNS hijacking campaign being carried out by an advanced, state-sponsored actor believed to be targeting sensitive networks and systems. Although the incident is currently deemed to be limited to national security organizations in the Middle East and North Africa, Cisco’s Talos security team has warned that the success of this operation can lead to broader attacks on the global DNS system.

— The attack named “Sea Turtle” is believed to have begun as early as January 2017 and has continued through the first quarter of 2019. “Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign.”

— “The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24, 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization’s domain names.”

— “The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker’s sophistication.”

— So far 40 different organizations are reported to have been targeted by the attack, including ministries of foreign affairs, military organizations, intelligence agencies, and prominent energy organizations.

The report by the Talos security team includes a set of recommended mitigation strategies.
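The hijacking technique quoted above works by altering the records that resolve an organization’s names (or the delegation of the zone itself at the registrar or registry) so that users land on attacker-controlled hosts. One defender-side control that follows directly from that description is to keep a signed-off baseline of the records you expect and alert on any drift. The script below is an added example, not code from the Talos report and not one of its recommendations; the domain, addresses and record values are constructed sample data so that it runs offline, and in practice the observed snapshot would come from queries against several independent resolvers plus an RDAP/WHOIS lookup of the delegation.

```python
"""Baseline-and-diff check for DNS record tampering (added example, not from the report).

Each (name, type) pair maps to the set of values it should resolve to.
NS and CAA changes are rated high: a changed NS set means the zone has been
re-delegated (the registrar/registry layer), and a removed or altered CAA
record can precede an attacker obtaining a certificate for the name, which
is the outcome the DHS alert quoted in the article warns about.
"""
from typing import Dict, List, Set, Tuple

RecordSet = Dict[Tuple[str, str], Set[str]]

HIGH_SEVERITY = {"NS", "CAA"}

# Constructed baseline for a hypothetical zone (example.org, RFC 5737 addresses).
BASELINE: RecordSet = {
    ("example.org", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.org", "A"): {"198.51.100.10"},
    ("example.org", "MX"): {"10 mail.example.org."},
    ("example.org", "CAA"): {'0 issue "letsencrypt.org"'},
    ("mail.example.org", "A"): {"198.51.100.25"},
}

# Constructed snapshot with no drift.
OBSERVED_CLEAN: RecordSet = {k: set(v) for k, v in BASELINE.items()}

# Constructed snapshot showing the pattern described in the article: the mail
# host now resolves to an unexpected address and the CAA restriction is gone.
OBSERVED_TAMPERED: RecordSet = {k: set(v) for k, v in BASELINE.items()}
OBSERVED_TAMPERED[("mail.example.org", "A")] = {"203.0.113.7"}
del OBSERVED_TAMPERED[("example.org", "CAA")]


def diff_records(baseline: RecordSet, observed: RecordSet) -> List[dict]:
    """Return one finding per (name, type) whose observed value set differs."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        if expected == seen:
            continue
        findings.append({
            "name": name,
            "type": rtype,
            "severity": "high" if rtype in HIGH_SEVERITY else "medium",
            "added": sorted(seen - expected),
            "removed": sorted(expected - seen),
        })
    return findings


def max_severity(findings: List[dict]) -> str:
    """Collapse findings to a single level for alert routing."""
    if any(f["severity"] == "high" for f in findings):
        return "high"
    return "medium" if findings else "none"


def format_report(findings: List[dict]) -> str:
    """Human-readable summary, one line per finding."""
    if not findings:
        return "no drift from baseline"
    lines = []
    for f in findings:
        lines.append(
            f"[{f['severity']}] {f['name']} {f['type']}: "
            f"added={f['added'] or '-'} removed={f['removed'] or '-'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for label, snapshot in (("clean", OBSERVED_CLEAN), ("tampered", OBSERVED_TAMPERED)):
        found = diff_records(BASELINE, snapshot)
        print(f"== {label}: severity={max_severity(found)}")
        print(format_report(found))
```

Run it as-is to see the clean snapshot produce no findings and the tampered one produce a high-severity report. Querying more than one resolver matters because a hijack at the registry level changes what every resolver returns, whereas a poisoned or compromised single resolver shows up as disagreement between them.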