Security Market Segment LS
Thursday, 18 April 2019 08:35

State-sponsored actor targets Mideast, North Africa using DNS hijacking

State-sponsored actor targets Mideast, North Africa using DNS hijacking Image by Андрей Корман from Pixabay

A new cyber threat campaign that is claimed to be targeting public and private entities, including national security organisations in the Middle East and North Africa, has been discovered by Cisco's Talos Intelligence Group.

Researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres said in a detailed blog post that the campaign, which they had christened Sea Turtle, had kicked off probably in January 2017 and was continuing.

They said, by their count, a total of 40 organisations in 13 countries had been compromised by what they claimed was an advanced state-sponsored actor that appeared to be looking to gain persistent access to sensitive networks and systems.

"The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives," the five researchers said. "DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers."

They said the US Department of Homeland Security had issued an alert on 24 January 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organisation's domain names.

Among those who had been compromised, the Talos researchers said they had been able to identify two separate groups. One, the primary victims, included national security bodies, ministries of foreign affairs and energy organisations. These had been targeted through third-parties.

sea turtle

The secondary category of victims included a number of DNS registrars, telecommunications companies and Internet service providers.

Adamitis, Maynor, Mercer, Olney and Rascagneres wrote that the attackers behind Sea Turtle appeared to be extremely competent and brazen in the way they went about things.

"The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker's sophistication," they said.

"Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed."

The following exploits had been used by Sea Turtle:

CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin;

CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs);

CVE-2017-3881: RCE by unauthenticated user with elevated privileges Cisco switches;

CVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811;

CVE-2017-12617: RCE affecting Apache web servers running Tomcat;

CVE-2018-0296: Directory traversal allowing unauthorised access to Cisco Adaptive Security Appliances (ASAs) and firewalls; and

CVE-2018-7600: RCE for Website built with Drupal, aka "Drupalgeddon".

The five researchers said they believed the campaign had been so successful for a number of reasons.

"First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains," they said.

"The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organisations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network."

They said the threat actors were able to maintain long-term persistent access to many of these networks by using compromised credentials.


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments