According to research from Cisco’s Talos security team, a state-sponsored DNS hijacking campaign is creating headaches across the Middle East and North Africa (MENA). In the blog post that summarizes their findings, the Talos team states that the so-called “Sea Turtle” DNS hijacking attacks have affected roughly 40 organizations in 13 countries in the MENA region. The campaign, which Talos researchers believe to be state-sponsored because of its reach and complexity, began in 2017.
The Talos blog post had this to say about Sea Turtle’s primary targets:
The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities.
Furthermore, the Talos researchers gave the following summary of what they believe the attackers’ motives are:
It is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:
- Established a means to control the DNS records of the target.
- Modified DNS records to point legitimate users of the target to actor-controlled servers.
- Captured legitimate user credentials when users interacted with these actor-controlled servers.
Talos also listed numerous mitigation strategies, which are worth reading in full in the report, including keeping systems patched and up to date, implementing a registry lock service for your domains, and requiring multifactor authentication for anyone with legitimate access to DNS records.
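The attack chain quoted above (take control of the target’s DNS records, repoint them at actor-controlled servers, harvest credentials) and the registry-lock mitigation together suggest one concrete defensive check: compare the records the world currently sees for your domain against a signed-off baseline, and confirm the domain’s registry status actually carries lock flags. The script below is an added example written for this article; it is not code from the Talos report. The domains, addresses and status lists it uses are constructed sample data (reserved documentation names and ranges), and in practice the `observed` dictionary and `statuses` list would be filled from your resolver and RDAP/WHOIS client rather than hard-coded.

```python
"""Defender-side DNS integrity audit (added example, not from the Talos report).

Two checks:
  1. record_drift: flags NS/A/MX answers that differ from a trusted baseline,
     the visible symptom when records are changed at the registrar/registry.
  2. lock_gaps: flags a domain whose registry status lacks the server-side
     "prohibited" flags that a registry lock service normally sets.
Sample data at the bottom is constructed for illustration only.
"""

from dataclasses import dataclass

# Standard EPP/RDAP status names a registry lock typically applies.
# Client-side flags alone can be cleared with ordinary registrar credentials,
# which is exactly what a credential-stealing attacker would hold.
REGISTRY_LOCK_STATUSES = {
    "server update prohibited",
    "server transfer prohibited",
    "server delete prohibited",
}


@dataclass
class Finding:
    domain: str
    kind: str      # e.g. "NS_CHANGED", "A_CHANGED", "MISSING_LOCK"
    detail: str


def record_drift(domain, baseline, observed):
    """Compare baseline vs observed record sets per type; return findings."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = set(baseline.get(rtype, ()))
        seen = set(observed.get(rtype, ()))
        if expected == seen:
            continue
        added = sorted(seen - expected)
        removed = sorted(expected - seen)
        findings.append(Finding(domain, f"{rtype}_CHANGED",
                                f"added={added} removed={removed}"))
    return findings


def lock_gaps(domain, statuses):
    """Report which registry-lock status flags are absent (case-insensitive)."""
    missing = sorted(REGISTRY_LOCK_STATUSES - {s.lower() for s in statuses})
    if missing:
        return [Finding(domain, "MISSING_LOCK", f"missing statuses: {missing}")]
    return []


def audit(domain, baseline, observed, statuses):
    """Run both checks and return the combined list of findings."""
    return record_drift(domain, baseline, observed) + lock_gaps(domain, statuses)


# Constructed sample: one nameserver and the A record have been repointed,
# and the registry status carries only client-side locks.
SAMPLE_BASELINE = {
    "NS": ["ns1.example.net.", "ns2.example.net."],
    "A": ["192.0.2.10"],
    "MX": ["10 mail.example.net."],
}
SAMPLE_OBSERVED = {
    "NS": ["ns1.example.net.", "ns-rogue.example.org."],
    "A": ["198.51.100.77"],
    "MX": ["10 mail.example.net."],
}
SAMPLE_STATUSES = ["client transfer prohibited", "client update prohibited"]

if __name__ == "__main__":
    for f in audit("example.com", SAMPLE_BASELINE, SAMPLE_OBSERVED, SAMPLE_STATUSES):
        print(f"[{f.kind}] {f.domain}: {f.detail}")
```

Running it on the sample data reports an `A_CHANGED`, an `NS_CHANGED` and a `MISSING_LOCK` finding. The baseline is the important design choice: it should be captured and reviewed out of band (for example in version control with change approval), because a check that baselines itself from live DNS will happily accept a hijacked answer as the new normal.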
Featured image: Flickr / Ale Art