A new cyber threat campaign called Sea Turtle is manipulating the DNS systems to target public and private entities, including national security organizations, in the Middle East and North Africa.
As per the researchers at Cisco Talos, it is very likely that the cyber threat started in January 2017 and has continued through the first quarter of 2019.
“Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems,” according to the researchers.
The attackers carried out the attack through DNS hijacking, which means that they modified the DNS name records for directing the users to servers that were controlled by them.
In January this year, the Department of Homeland Security (DHS) had warned about this campaign that cybercriminals were able to redirect user traffic and gain access to valid encryption certificates used by organizations for domain names.
Cisco Talos identified two groups of victims of the Sea Turtle cyberattack.
The first group of victims included national security organizations, ministries of foreign affairs, and leading energy organizations. The cybercriminals targeted the third-party entities that provide services to these organizations in order to gain access. These were the primary victims.
The second group of victims included DNS registrars, telecom companies, and internet service providers.
One of the most notice-worthy facts about the Sea Turtle cyberattack is that the attackers manipulated the primary victims by first attacking the third-party organizations.
“The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavours. The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker’s sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward,” mentioned Cisco Talos in the report.
“In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.”
Also read: Flaw in YellowPencil plugin leaves over 30K WordPress sites open to hacking
While this cyberattack is limited mostly to national security organizations in the Middle East and North Africa, but the success of this operation can result in attacks on the global DNS system. And the DNS is the foundation of the internet. The hijacking of the internet’s foundation can demoralize and break the trust of its users. These users are the key drivers of the global economy.