State-sponsored domain hacking continues
A recent report by Cisco's Talos security group highlighted a state-sponsored domain hacking scheme targeting the domain of a consulting firm in Sweden, Cafax. The firm has one consultant, Lars-Johan Liman, who is also a senior systems specialist at the Swedish DNS provider Netnod, ArsTechnica reports. The report declines to name the government it alleges is behind the attack, which it has dubbed Sea Turtle.
You may never have heard of Netnod, but you've definitely used their services. They operate i.root, one of the 13 foundational DNS root servers, and Liman is responsible for it. It's likely that this domain hack was done in order to regain access to the i.root servers, following similar hacks in December and January.
While the report found it unlikely that Cafax itself was compromised, it also found, using reverse DNS records, that the domain nsd.cafax.com was redirected to a malicious IP in late March.
"DNS" stands for "domain name system", and DNS servers translate the human-readable name of a site into the numeric address computers use to reach it.
Domain names are the addresses you type in when you want to access a website. So, for example, if you want to go to Twitter you type in twitter.com or www.twitter.com or https://www.twitter.com. Those are all domain names for Twitter.
However, computers don't "speak" English - or Spanish or Mandarin or Swahili. Instead, they "talk" in numbers. Instead of domain names, the internet and other networks use internet protocol (or "IP") addresses that are written out in numbers.
When you type an address (like twitter.com) into your device, it reaches out to the DNS server to find out what number (IP address) is associated with that domain name. It then connects to that IP address and brings you to twitter.com.
Your computer will then save ("cache") the IP address so that next time it doesn't have to reach out to the DNS server and can access Twitter directly. However, after a while - or if you clear your cache for some reason - your computer discards that IP address, which means it has to reach out again.
DNS hacking is when a cyber criminal - or, in this case, a foreign government - gains control of a DNS server and changes its records so that a legitimate domain name points to a fake site the attacker controls, one that looks to the end user like the site they were trying to access. These disguised sites are then used to collect information from the user, such as login credentials or credit card details.
In this case, the attackers targeted national security organizations, ministries of foreign affairs, and prominent energy organizations, largely in the Middle East and Africa. Cisco says that 40 organizations in 13 countries have had their domains hacked since January 2017.
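The resolution, caching and hijack detection described above, as an added example that is not from the article or from Talos's report: a minimal parser for DNS response messages in wire format, a TTL-based cache of the kind your computer keeps, and an allowlist check a defender can run to notice when a monitored name suddenly resolves somewhere unexpected, the symptom behind the nsd.cafax.com redirection the report describes. The names and addresses (example.com, 192.0.2.10, 198.51.100.7) are constructed placeholders from documentation address space, and the responses are built inside the script rather than fetched from a live resolver.

```python
import struct

# Constructed allowlist of the IPs a monitored name is expected to resolve to.
# example.com / 192.0.2.10 are placeholders (RFC 5737 documentation space).
EXPECTED_A = {"example.com": {"192.0.2.10"}}


def encode_name(name):
    # Dotted name -> DNS wire-format labels (only used to build test responses).
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(name, ips, ttl, txid=0x1234):
    """Minimal DNS response: one A question, one A answer per IP.
    Answer names use a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, offset, max_hops=16):
    """Decode a possibly-compressed name; return (name, offset after the field).
    The hop limit guards against compression-pointer loops in a hostile message."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return [(name, ip, ttl)] for every A/IN answer in a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


class ResolverCache:
    """Stub cache: an answer is reused until its TTL expires, then must be refetched."""

    def __init__(self):
        self._entries = {}

    def store(self, name, ip, ttl, now):
        self._entries[name] = (ip, now + ttl)

    def lookup(self, name, now):
        entry = self._entries.get(name)
        if entry is None or now >= entry[1]:
            self._entries.pop(name, None)  # expired: the resolver has to ask again
            return None
        return entry[0]


def check_answers(records, expected=EXPECTED_A):
    """Flag any monitored name whose answer falls outside its allowlist."""
    return [f"{name} resolved to unexpected {ip} (ttl {ttl})"
            for name, ip, ttl in records
            if name in expected and ip not in expected[name]]


# Constructed sample responses: a legitimate one and one pointing at a foreign IP.
GOOD_RESPONSE = build_a_response("example.com", ["192.0.2.10"], ttl=300)
BAD_RESPONSE = build_a_response("example.com", ["198.51.100.7"], ttl=60)

if __name__ == "__main__":
    cache = ResolverCache()
    for name, ip, ttl in parse_a_records(GOOD_RESPONSE):
        cache.store(name, ip, ttl, now=1000)
    print("cached at t=1100:", cache.lookup("example.com", now=1100))
    print("cached at t=1300:", cache.lookup("example.com", now=1300))
    print("alerts:", check_answers(parse_a_records(BAD_RESPONSE)))
```

The cache shows why a hijacked record lingers: once an answer is stored, the resolver trusts it until the TTL runs out, so a poisoned answer with a long TTL keeps redirecting users even after the DNS server is repaired. The allowlist check is the simplest form of the monitoring that catches such a change, comparing what a name resolves to against what it should resolve to.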
Even though the attacks have been exposed, they show no sign of slowing down. Talos researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney, and Paul Rascagneres warned that this type of state-sponsored attack may have wider implications beyond those who are immediately affected:
"While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the Internet. That trust, and the stability of the DNS system as a whole, drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system."