'Sea Turtle' DNS Hijackers Expand ReachCisco Talos Calls Group 'Unusually Brazen'
The group behind the Sea Turtle espionage campaign that was exposed in April is expanding its geographic reach and claiming new victims, according to researchers with Cisco's Talos unit.
The researchers say they’ve also linked the hacker group to a pair of attacks early last year that involved a previously undetected technique, illustrating the bad actors’ ability to evolve their methods.
In a report issued July 9, Danny Adamitis, a security researcher at Cisco Talos, writes that the group behind the Sea Turtle attacks has "regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward."
The new infrastructure includes new servers to conduct their attacks, according to Cisco Talos.
Sea Turtle appears to be a state-sponsored campaign aimed at gathering intelligence by spying on networks it compromises, according to Cisco Talos. The complex attacks, which started as far back as January 2017, use spoofed websites to steal passwords and credentials to access the networks of victim organizations, allowing the bad actors to spy on the networks.
The most recent indication of compromise occurred this month, according to Cisco Talos researchers.
The attackers try to avoid detection through the use of such techniques as fake security certificates and credentials, the security researchers say.
The list of the latest victims includes targets in the U.S., Greece, Switzerland, Cyprus and Sudan, according to the report. Previous Sea Turtle campaigns were detected in Asian and Middle Eastern countries, including Turkey, Syria, Iraq, Jordan and Lebanon, as well as in North Africa, including Libya and Egypt. Sweden also was an early target.
The expanded campaigns have targeted a range of firms, including government organizations, energy companies, think tanks, international nongovernmental organizations and at least one airport, according to Cisco Talos.
Adamitis also warns that "unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent."
The Sea Turtle attackers are "fairly unique in that they are extremely brazen and mission-focused, Craig Williams, Cisco's director of Talos outreach, tells Information Security Media Group. This group appears to adapt its TTPs [tactics, techniques and procedures] as needed to accomplish their mission."
Cisco Talos has uncovered a new DNS hijacking technique that researchers are moderately confident is the work of those behind Sea Turtle, who have been seen compromising the nameserver records and responding to DNS request with false “A records.” A records are basic DNS records that are used to direct a domain to an IP address. The new technique, which was used in two attacks in January 2018 but was just recently identified, has a similar methodology as previously known Sea Turtle operations, according to Cisco Talos.
In its previously detected attacks, Sea Turtle attackers used a single nameserver that redirected requests for multiple organizations and entities, the researchers tell ISMG. This was easier for the bad actors to do because they only had to stand up one system to target multiple victims.
The attackers’ goal is to direct victims to a server the hijackers control by modifying the target domain's nameserver records.
In contrast, the two attacks in 2018 using a newly discovered technique involved using a dedicated nameserver IP address for a single victim and only performed the DNS redirection for a short period of time. This made it more difficult for the researchers to detect but also was more costly for the perpetrators in terms of resources needed, the researchers say.
“The attackers seem to have used this technique only sparingly, but the difficulty in detection makes it harder to track down all potential instances of the attackers using this technique,” according to Cisco Talos
Adamitis writes that “in both observed cases [in 2018], one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials."
With Sea Turtle, "in one case [involving the new technique], a private organization primarily used a third-party service as their authoritative nameserver," Adamitis writes in the blog. "Then, for a three-hour window in January 2018, their name server records were changed to a nameserver hostname that mimicked a slightly different version of the organization's name."
During those three hours, the bad actor-controlled IP address hosted three hostnames, two attacker-controlled nameservers and the webmail hostname, which would enable the attackers to run a man-in-the-middle attack and steal credentials, according to the report. This technique was used against government organizations in the Middle East and North Africa, researchers say.
Focus on Greece
The Cisco Talos researchers also note that the Institute of Computer Science of the Foundation for Research and Technology-Hellas, ICS-Forth, the country code top-level domain, or ccTLD, for Greece, announced April 19 that its network had been attacked by what the researchers determined was the Sea Turtle group. Despite efforts by ICS-Forth to address the problem, the Sea Turtle actors were able to continue accessing the organization’s network for at least another five days, according to the report.
After analyzing the attack in Greece, Cisco Talos researchers were also able to determine that the same operational C2 node was used to access the network of an organization in Syria.
Cisco Talos discovered a new bad actor-controlled nameserver, rootdnservers[.]com, that showed behavior patterns similar to the name servers used before as part of Sea Turtle:
Concerns Over DNS
Organizations need to be vigilant to protect themselves against DNS-focused campaigns such as those waged by Sea Turtle, says Chris Morales, head of security analytics at security firm Vectra AI.
"Data collection and phishing campaigns are much easier when you redirect that user to malicious site and the user doesn't notice," Morales says. "Since DNS largely operates outside of the companies sphere of influence, and different methods of DNS redirection exist, it is much easier for an attacker to target than the companies web servers. The user needs to focus on protecting themselves from redirected websites by paying attention to little details like mismatch SSL certificates."
Cisco Talos suggests implementing multifactor authentication, using a registry lock service on domain names, changing DNSSEC signing domains and making IMAP email servers accessible only from the corporate LAN and to users who have been authenticated over a VPN.