Sea Turtle: attack on the entire Internet structure

(To Francesco Rugolo)
12/08/19

Among the numerous cyber attacks that are discovered, reported (but never publicly admitted), often carried to the detriment of large private or public companies, one in particular has aroused attention due to the methods used to carry it out: the so-called “Sea Turtle ”, discovered by the computer security team“ Talos Intelligence ”of the American multinational Cisco, one of the most important in its sector.

Talos talks about it Sea Turtle as the first ever documented attack that compromised DNS systems.

The attack targeted national security organizations, large energy companies and foreign affairs ministries located in North Africa and the Middle East but to succeed, other secondary targets were targeted, such as telcos and ISPs.

According to the Talos report, over 40 organizations in 13 countries were compromised between January of the 2017 and the first half of the 2019 but the true magnitude of the damages is still to be estimated as the attack is not yet completed ...

What makes this campaign of attack on DNS systems so scary in the eyes of Cisco experts?

To answer this question we must first define DNS.
DNS is the acronym for Domain Name System, the system that is used to resolve host names to IP addresses, ie to associate an IP (Internet Protocol) address with a user-friendly name. This is one of the most important DNS features we can see every day.

The methodology of the attack consists in tampering with the DNS services of the target to then redirect a user to a server controlled by the attacker, this leads following the acquisition of credentials and passwords of the users that are used to gain access to other information.

All this has been possible thanks to attack techniques that involve the use of both spear phishing that the use of exploit of various applications.
Sea Turtle he acted long and discreetly. Who brought this attack, says Talos, used a unique approach as DNS services are not constantly monitored.

As Talos tells us, there are three possible ways in which attackers could access the DNS services of the organizations affected:
1. By accessing the DNS registrar (company that provides domain names to companies and manages DNS records through the registry, ie a database containing all the domain names and the companies with which they are associated), through the acquisition of access credentials belonging to the DNS registrant (the organization affected);
2. Through the same registrar, entering the previously mentioned registry and tampering with the DNS records using theExtensible Provisioning Protocol (EPP), the protocol used to access the registry. By obtaining the EPP keys the attacker could have tampered with the DNS records of the targeted registrar at will;
3. The third method is based ondirect attack on DNS registries to access DNS records, the registries they are a vital part of the DNS service, as each Top Level Domain is based on them.

Sea Turtle has acted long and discreetly, who led this attack, says Talos, has used a unique approach as DNS services are not constantly monitored.

Talos wrote this report in April of this year, but this did not stop or slow the group's activity, so much so that in July Talos published an update.

Indeed, it seems that in the last few months another attack technique has been used. Each attacked entity pointed its DNS requests to a tampered server, different for each compromised user which makes the attack even more difficult to foil and track.

We can therefore say that anyone is behind Sea Turtle it is a group without scruples, probably driven by national interests and endowed with remarkable infrastructures.

The importance of DNS services is great. The entire structure of the Internet is based on their proper functioning, and together with it, the totality of the world economy and services provided by every society and government.

For this reason Talos says he is strongly opposed to the methodologies with which the campaign Sea Turtle (and the organization or state behind it) is putting this series of attacks into practice.

This campaign could represent the beginning of a series of attacks aimed at tampering with the DNS system in a more extensive and potentially disastrous way, leading to consequences that could affect each of us.

To learn more:

https://blog.talosintelligence.com/2019/04/seaturtle.html
https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming....
https://www.cisco.com
https://www.kaspersky.it/resource-center/definitions/spear-phishing