Recently, a new hacking campaign, called "Sea Turtle", was launched, targeting public and private players. The characteristic of this particular campaign is that the hackers use DNS hijacking attacks.
The data, so far, show attacks on some 40 organizations in 13 countries.
Attackers are well organized and use sophisticated methods that give them access to sensitive networks and systems.
A DNS hijacking attack redirects users to a malicious website by modifying DNS name records or server settings.
The campaign seems to target two categories of victims. The first category includes national security organizations, foreign ministries, and energy related organizations. The second victim category includes DNS administrators, telecommunications companies, and internet service providers.
The attackers' first targets are third-party companies that offer services to the key targets.
The research has shown that this is one of the most serious and sophisticated campaigns of this kind.
DNS Hijacking Attack
Attackers acquire the credentials of the network administrator of the organization and modify the DNS records.
Alternatively, they gain access via a DNS administrator, who sells domain names and manages DNS records. The DNS registry is accessible through the registry application using the Extensible Provisioning Protocol (EPP).
Hackers obtain an EPP key, which lets them modify the DNS records handled by the administrator.
Hackers steal credentials to get into networks and systems in the following way: first they check the target's DNS records; then they modify the DNS records to redirect users to servers under their control; finally they steal credentials when users interact with the attacker-controlled server.
Through these procedures, the hackers managed to gain access to the organizations' systems and carry out their attacks.
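Because both routes described above end in modified DNS records, a defender's basic control is to compare the records currently served for a zone against a trusted baseline. The following is an added example, not code from the article or from any vendor report; the zone name, record values and the "observed" result are constructed, and mapping NS changes to the registrar/registry level and other changes to the zone level is a simplifying heuristic.

```python
"""Compare observed DNS records against a baseline to detect hijacking (added example)."""

# Constructed baseline: the record sets the organisation expects for its zone.
BASELINE = {
    "example.org": {
        "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
        "A": {"203.0.113.10"},
        "MX": {"mail.example.org"},
    },
}

# Constructed observation, standing in for what a resolver would return after
# the delegation (NS) and the mail host (MX) have been redirected.
OBSERVED = {
    "example.org": {
        "NS": {"ns1.attacker-dns.example", "ns2.example-dns.net"},
        "A": {"203.0.113.10"},
        "MX": {"mail.attacker.example"},
    },
}


def diff_records(baseline, observed):
    """Return (zone, rtype, added, removed) for every record set that differs.

    A zone missing from `observed` is treated as having no records at all,
    so every baseline value is reported as removed.
    """
    findings = []
    for zone, expected in baseline.items():
        current = observed.get(zone, {})
        for rtype, want in expected.items():
            got = current.get(rtype, set())
            added, removed = got - want, want - got
            if added or removed:
                findings.append((zone, rtype, sorted(added), sorted(removed)))
    return findings


def classify(findings):
    """Heuristic: a changed NS set means the delegation was altered, which is done
    at the registrar/registry (EPP) level; other record types live in the zone
    itself and point at zone or nameserver administrator credentials."""
    return [
        (zone, rtype, "registrar/registry level" if rtype == "NS" else "zone level")
        for zone, rtype, _, _ in findings
    ]


if __name__ == "__main__":
    for finding, (_, _, level) in zip(diff_records(BASELINE, OBSERVED), classify(diff_records(BASELINE, OBSERVED))):
        zone, rtype, added, removed = finding
        print(f"{zone} {rtype}: +{added} -{removed} ({level})")
```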