SEA TURTLE hacking attacks: Cyber warfare with Turkey hiding behind cyber-terrorism?
The Sea Turtle hacking campaign against government websites in Europe and the Middle East, with Greece being one of the key targets, has raised global concern. SecNews conducted an investigation into the hackers' identity, the attacks, and the risks arising from them.
A hacking campaign known as Sea Turtle began in 2017, evolving into dangerous cyber-terrorism that may be the beginning of a cyber war.
At first, the hackers attacked government organizations, energy companies, think tanks, international governmental organizations, airports and high-profile individuals in North Africa and the Middle East, and then spread to Europe and America.
As the attacks continue, the picture changes, pointing to the Turkish government.
The campaign has alarmed many experts because it bears the hallmarks of government-sponsored espionage in the service of Turkish interests.
SEA TURTLE CAMPAIGN
Let's first analyze the nature of the Sea Turtle campaign and its goals. The Sea Turtle campaign has been active since January 2018, targeting public and private bodies of various states. The campaign uses DNS hijacking attacks.
According to the data so far, attacks have been detected in approximately 40 organizations in 13 countries.
The attackers are highly organized and employ sophisticated methods that give them access to sensitive networks and systems. A DNS hijacking attack redirects users to malicious websites by modifying the target's DNS name records or its DNS server settings.
The campaign seems to target two categories of victims. The first category consists of national security organizations, foreign ministries and energy-related organizations. The second category of victims consists of DNS administrators, telecommunications companies and internet service providers.
It is worth noting that the attackers' first targets are third parties (providers) that supply services to the main targets (outsourcing).
DNS HIJACKING ATTACKS
What is DNS hijacking?
DNS hijacking, DNS poisoning or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved with malware that changes a computer's TCP/IP configuration to point at a malicious DNS server controlled by a hacker, or by modifying the behavior of a trusted DNS server so that it no longer complies with Internet standards. Of course, these modifications are made for malicious purposes.
The Sea Turtle campaign makes these modifications for malicious purposes, as one would expect. Specifically:
The attackers acquire the credentials of the administrator of the organization's network and modify its DNS records.
Alternatively, they gain access through the DNS registrar (the entity that sells domain names and manages DNS records). The DNS registry is accessible through the registrar's application using the Extensible Provisioning Protocol (EPP).
The hackers obtain one of these EPP keys to modify the DNS records that the registrar handles.
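A stolen registrar login or EPP key lets an attacker change records unless the registry itself refuses the change. A domain owner can check for that protection by reading the EPP status codes the registry publishes over RDAP. The following script is an added example (not code from SecNews, Cisco Talos or ICS-Forth); it assumes an RDAP domain response in the RFC 9083 shape, with EPP statuses written as the lower-case phrases defined in RFC 8056, and it assumes the registry offers server-level ("registry lock") statuses. The sample response is constructed.

```python
import json

# EPP status codes in their RDAP spelling (RFC 8056 maps "clientTransferProhibited"
# to "client transfer prohibited", and so on).  Client-level locks are set by the
# registrar and can be cleared by anyone who holds the registrar account.
CLIENT_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}
# Server-level locks are set by the registry itself ("registry lock").  A stolen
# registrar login or EPP key cannot remove them, which is the gap that a
# registrar-side DNS hijack exploits.
SERVER_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}


def lock_report(rdap_json: str) -> dict:
    """Summarise which locks an RDAP domain record carries."""
    doc = json.loads(rdap_json)
    status = {s.lower() for s in doc.get("status", [])}
    return {
        "domain": doc.get("ldhName", "").lower(),
        "client_locks": sorted(status & CLIENT_LOCKS),
        "server_locks": sorted(status & SERVER_LOCKS),
        "missing_server_locks": sorted(SERVER_LOCKS - status),
        # Only the full set of server locks stops a change made through the registrar.
        "registry_locked": SERVER_LOCKS <= status,
    }


def needs_attention(report: dict) -> bool:
    """True when the domain can still be altered with registrar credentials alone."""
    return not report["registry_locked"]


# Constructed sample response (not real registry data): a typical domain that
# carries registrar locks but no registry lock.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "ministry-example.gr",
    "status": ["client transfer prohibited", "client update prohibited", "active"],
})

if __name__ == "__main__":
    rep = lock_report(SAMPLE_RDAP)
    print(json.dumps(rep, indent=2))
    if needs_attention(rep):
        print("-> request a registry lock for", rep["domain"])
```

In practice the JSON would come from the registry's RDAP endpoint for the domain; the report is worth re-running on a schedule, because a lock that silently disappears is itself a sign that someone with registrar or registry access has been at work.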
The hackers steal credentials for access to networks and systems in the following way:
- first, they gain control of the target's DNS records,
- then they modify the DNS records to redirect users to servers under the hackers' control instead of the real servers,
- and finally they steal credentials when users communicate with the controlled server.
Through this procedure, the hackers gained access to the organization's systems and carried out their attack.
Use of a new DNS hijacking technique
The new technique has been used sparingly and has so far been identified at only two entities since 2018.
In this case the domain's name server records were modified to refer legitimate users to the malicious server. The controlled name server and the hijacked hostnames resolved to the same IP address for a short time, usually less than 24 hours. In both cases, one of the hijacked hostnames referred to an email service through which the hackers seized the victims' login credentials. One aspect of this technique that makes it extremely difficult to monitor is that the controlled name servers were not reused for multiple targets: each hijacked entity had its own name server hostname and its own unique IP address, whereas the previously mentioned name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.
New nameserver controlled by the hackers
rootdnservers[.]com presents patterns of behavior similar to nameservers that were previously used as part of the Sea Turtle campaign. The domain rootdnservers[.]com was registered on April 5, 2019 through the NameCheap registrar. The new domain rootdnservers[.]com was used for DNS hijacking against three government agencies, all of which used .gr, the Greek ccTLD. It is very likely that the hijackings were carried out through access to the ICS-Forth network.
Below is a table with the three most recent malicious name servers that have been associated with this activity (source: Talos Intelligence):
| Hostname | IP address | Operational status |
|---|---|---|
| ns1[.]rootdnservers[.]com | 45[.]32[.]100[.]62 | active |
| ns2[.]rootdnservers[.]com | 45[.]32[.]100[.]62 | active |
| ns1[.]intersecdns[.]com | 95[.]179[.]150[.]101 | inactive |
| ns2[.]intersecdns[.]com | 95[.]179[.]150[.]101 | inactive |
New IPs associated with man-in-the-middle activity:
By identifying the targeted domains, the hijacked hostnames and the corresponding MitM nodes were identified. The hackers executed a "certificate impersonation" tactic, i.e. the targeted hostname served an SSL certificate from a different SSL provider. Below is a table with the dates and associated IP addresses.
| Date | IP address |
|---|---|
| April 13, 2019 | 95[.]179[.]131[.]225 |
| April 16, 2019 | 95[.]179[.]131[.]225 |
| April 11, 2019 | 95[.]179[.]131[.]225 |
| April 11, 2019 | 140[.]82[.]58[.]253 |
| April 10, 2019 | 95[.]179[.]156[.]61 |
| IP address / hostname | Characterization | Date range |
|---|---|---|
| 185[.]64[.]105[.]100 | Operational node | March - April 2019 |
| 178[.]17[.]167[.]51 | Operational node | June 2019 |
| 95[.]179[.]131[.]225 | MitM node | April 2019 |
| 140[.]82[.]58[.]253 | MitM node | April 2019 |
| 95[.]179[.]156[.]61 | MitM node | April 2019 |
| 196[.]29[.]187[.]100 | MitM node | December 2018 |
| 188[.]226[.]192[.]35 | MitM node | January 2018 |
| ns1[.]rootdnservers[.]com | Actor-controlled nameserver | April 2019 |
| ns2[.]rootdnservers[.]com | Actor-controlled nameserver | April 2019 |
| 45[.]32[.]100[.]62 | Hosted malicious nameserver | April 2019 |
| ns1[.]intersecdns[.]com | Actor-controlled nameserver | February - April 2019 |
| ns2[.]intersecdns[.]com | Actor-controlled nameserver | February - April 2019 |
| 95[.]179[.]150[.]101 | Hosted malicious nameserver | February - July 2019 |
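The "certificate impersonation" tactic described above passes browser validation: whoever controls a hostname's DNS can obtain a perfectly valid certificate for it from any public CA, so the MitM node presents a trusted certificate that simply comes from a different issuer with a different key. A defender who records the expected issuer and public-key hash per login host can still spot the swap. The script below is an added example, not code from SecNews or Talos; the pinned values and the observations are constructed, and it assumes a separate collector that records the issuer name and the SHA-256 of the leaf certificate's SubjectPublicKeyInfo on each connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    host: str
    issuer: str        # issuer distinguished name as reported by the TLS client
    spki_sha256: str   # hex SHA-256 of the leaf's SubjectPublicKeyInfo
    seen: str          # ISO date of the observation


# Constructed pins (not real values): the issuer and public-key hash the
# organisation expects for each of its login and webmail hosts.
PINS = {
    "webmail.example.gr": {"issuer": "CN=Example Trusted CA G1", "spki_sha256": "1111" * 16},
    "portal.example.gr": {"issuer": "CN=Example Trusted CA G1", "spki_sha256": "2222" * 16},
}


def cert_anomalies(pins, observations):
    """Return [(host, seen, reason)] for every observation that contradicts the pins."""
    out = []
    for o in observations:
        pin = pins.get(o.host)
        if pin is None:
            out.append((o.host, o.seen, "no pin recorded for this host"))
            continue
        reasons = []
        if o.issuer != pin["issuer"]:
            reasons.append(f"issuer changed from {pin['issuer']!r} to {o.issuer!r}")
        if o.spki_sha256.lower() != pin["spki_sha256"]:
            reasons.append("public key does not match the pinned SPKI hash")
        if reasons:
            out.append((o.host, o.seen, "; ".join(reasons)))
    return out


# Constructed observations: day one is normal; on day two the webmail host
# serves a certificate from a different CA with a different key, which is the
# impersonation pattern seen on the MitM nodes.
OBSERVATIONS = [
    CertObservation("webmail.example.gr", "CN=Example Trusted CA G1", "1111" * 16, "2019-04-10"),
    CertObservation("portal.example.gr", "CN=Example Trusted CA G1", "2222" * 16, "2019-04-10"),
    CertObservation("webmail.example.gr", "CN=Some Other Free CA", "abcd" * 16, "2019-04-11"),
]

if __name__ == "__main__":
    for host, seen, reason in cert_anomalies(PINS, OBSERVATIONS):
        print(f"{seen} {host}: {reason}")
```

Pinning by SPKI hash rather than by certificate fingerprint survives routine renewals that keep the same key; a legitimate CA change still shows up and should be confirmed with whoever manages the certificates. Certificate Transparency log monitoring for the organisation's domains is a complementary control, because a certificate issued to the impersonating node is logged regardless of which CA issued it.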
IRAN AND SEA TURTLE ATTACKS
The first speculation is that Iran is behind the hacking espionage campaign.
Researchers point to the APT34 hacking group as being behind the cyber espionage campaign. It is worth noting that there are many similarities between the credential-harvesting process of the Sea Turtle campaign and the Iranian hackers' WebMask project.
Comparing the TTPs of the two campaigns reveals many similarities. In addition, the targets of APT34 are the same as those of the team behind the Sea Turtle campaign. There is not enough evidence to confirm the theory, but it seems quite possible even though it has not been confirmed.
One of the key similarities between the two campaigns is DNS hijacking. In addition, state-funded Iranian hackers are known to use DNS hijacking to redirect victims to attack sites. Analysis of the hackers' TTPs shows that the WebMask project emerged after April 2016. It has been used to attack at least targets in the United Arab Emirates. In addition, APT34 used the NovinVPS provider, but credentials were needed to change the authoritative DNS. The purpose of the campaign is therefore to collect data, which is also the case for Sea Turtle.
TURKEY AND SEA TURTLE ATTACKS
More recent speculation places the Turkish government behind the online espionage campaign.
According to two British officials and a US official, the activity carries the characteristics of government espionage committed to furthering Turkish interests.
The four key features are:
- The identity and location of the victims, which include governments of countries of geopolitical importance to Turkey
- Similarities to previous attacks that allegedly used infrastructure controlled by Turkey
- Confidential information which cannot be made public
- Links between the attacks, because they use the same servers or shared infrastructure.
Turkey's interior ministry declined to comment. A senior Turkish official did not immediately respond to questions about the campaign, but said Turkey itself was often the victim of cyberattacks.
THE TIMELINE OF THE ATTACK: GREECE, A KEY TARGET OF THE SEA TURTLE CAMPAIGN
- APRIL 2019
On July 10, 2019, ICS-Forth (Institute of Computer Science of the Foundation for Research and Technology), the organization that manages Greece's top-level domains .gr and .el, publicly admitted that it had been hacked between 19 and 24 April 2019.
The hackers behind the breach are the same group that was described in a Cisco Talos report in April, known as Sea Turtle.
The team uses a relatively new approach in its hacking attacks. Instead of targeting victims directly, they breach or gain access to accounts at domain registrars and managed DNS providers, where they modify a company's DNS settings.
By modifying DNS records for internal servers, they redirect traffic intended for a company's legitimate applications or webmail services to clone servers, where they run man-in-the-middle attacks and intercept login credentials.
The attacks are short-lived, lasting from hours to days, and are extremely difficult to detect because most companies do not track changes to their DNS settings.
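The three-step hijack described earlier (take over the records, redirect, harvest credentials) and the monitoring gap stated here both point at the same control: keep a baseline of your own delegation and host records and diff it against frequent polls. The following script is an added example, not code from SecNews, Cisco Talos or ICS-Forth. It works on snapshots held as plain dictionaries, constructed here for illustration; in production the snapshots would be filled by a resolver poll (for instance with dnspython) on an interval short enough that a change lasting under 24 hours is still caught. Approved nameserver names and address ranges are assumptions the operator would fill in.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    before: tuple
    after: tuple
    reason: str


def snapshot_diff(baseline, observed, approved_ns, approved_nets):
    """Compare two snapshots {(name, rtype): tuple_of_values} and explain each change.

    NS changes are checked against the approved nameserver set; A/AAAA changes
    against the approved address ranges, so a redirect to an outside host is
    called out explicitly rather than logged as a generic change.
    """
    nets = [ipaddress.ip_network(n) for n in approved_nets]
    approved_ns = {ns.lower().rstrip(".") for ns in approved_ns}
    findings = []
    for key, before in baseline.items():
        after = observed.get(key, ())
        if after == before:
            continue
        name, rtype = key
        reasons = ["record changed" if after else "record disappeared"]
        if rtype == "NS" and any(v.lower().rstrip(".") not in approved_ns for v in after):
            reasons.append("delegation to a nameserver outside the approved set")
        if rtype in ("A", "AAAA") and any(
            not any(ipaddress.ip_address(v) in n for n in nets) for v in after
        ):
            reasons.append("address outside the approved ranges")
        findings.append(Finding(name, rtype, before, after, "; ".join(reasons)))
    return findings


def hijack_windows(history, expected):
    """history: [(datetime, values)] sorted by time for one record.

    Returns [(start, end, ongoing)] spans during which the record differed
    from the expected value; an open span ends at the last poll with ongoing=True.
    """
    windows, start = [], None
    for ts, values in history:
        if values != expected and start is None:
            start = ts
        elif values == expected and start is not None:
            windows.append((start, ts, False))
            start = None
    if start is not None:
        windows.append((start, history[-1][0], True))
    return windows


def window_hours(history, expected):
    """Length of each hijack window in hours, rounded to two decimals."""
    return [round((end - start).total_seconds() / 3600, 2)
            for start, end, _ in hijack_windows(history, expected)]


# Constructed sample data (not real records).  Values are sorted tuples.
BASELINE = {
    ("example.gr", "NS"): ("ns1.example-dns.gr", "ns2.example-dns.gr"),
    ("webmail.example.gr", "A"): ("203.0.113.10",),
    ("example.gr", "MX"): ("10 mail.example.gr",),
}
OBSERVED = {  # a poll taken during the hijack: one NS and the webmail address moved
    ("example.gr", "NS"): ("ns1.attacker-dns.example", "ns2.example-dns.gr"),
    ("webmail.example.gr", "A"): ("198.51.100.7",),
    ("example.gr", "MX"): ("10 mail.example.gr",),
}
APPROVED_NS = {"ns1.example-dns.gr", "ns2.example-dns.gr"}
APPROVED_NETS = ["203.0.113.0/24"]
HISTORY = [  # hourly-ish polls of the NS record across one day
    (datetime(2019, 4, 20, 0, 0), BASELINE[("example.gr", "NS")]),
    (datetime(2019, 4, 20, 1, 0), OBSERVED[("example.gr", "NS")]),
    (datetime(2019, 4, 20, 9, 0), OBSERVED[("example.gr", "NS")]),
    (datetime(2019, 4, 20, 15, 0), BASELINE[("example.gr", "NS")]),
]

if __name__ == "__main__":
    for f in snapshot_diff(BASELINE, OBSERVED, APPROVED_NS, APPROVED_NETS):
        print(f"{f.name} {f.rtype}: {f.before} -> {f.after} ({f.reason})")
    print("hijack windows (hours):", window_hours(HISTORY, BASELINE[("example.gr", "NS")]))
```

Polling the parent zone's delegation (the NS set the TLD publishes) as well as the answers from your own servers matters here: when the registry itself is compromised, as with ICS-Forth, your own authoritative servers keep answering correctly while the parent sends resolvers elsewhere, and only the parent-side view shows it.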
The Sea Turtle team usually breaches accounts at domain registrars and managed DNS providers, accounts that belong to its targets, who use them to manage their various DNS servers and services.
Now, however, Sea Turtle has succeeded in hacking an entire top-level domain service provider to achieve its goal, namely to modify the DNS settings of the target servers for a whole country, for all of Greece.
A report says the Sea Turtle team had previously attacked NetNod, an internet exchange point based in Sweden, which among other things provided DNS services for ccTLD organizations such as ICS-Forth.
The hackers maintained their illegal access to the ICS-Forth network from a command and control (C2) node. Analysis of this C2 node showed that it was also used for access to an organization in Syria, which had previously been redirected using the hacker-controlled name server ns1[.]intersecdns[.]com. It follows that the same group is behind both hacks (Greece and Syria).
According to undisputed information, the hackers involved gained access to the ICS-Forth administrator's terminal (possibly via a phishing attack), where they then installed a well-known remote access program (TeamViewer). Using the terminal via TeamViewer and having watched the administrator for a long time, they gained root access to the central servers of the top-level DNS administrator for the .gr/.el suffix. Through this access they now held all the Greek domains and the EPP codes, and were able to alter or redirect any domain they wanted. The targets, as is now known, were the National Intelligence Service (www.nis.gr), the Ministry of Foreign Affairs (www.mfa.gr), the Greek Parliament, the e-mail server of the Prime Minister and other critical infrastructure of the country. For 24 hours, all their e-mails were redirected to the hackers' server(s), resulting in the interception of e-mails, officials' passwords and critical information! Analysis of the access through the TeamViewer software and its log files did not accurately identify the electronic traces of the attackers.
But there is another dimension to the issue that has not been made public, and which SecNews is releasing today. The Turkish hackers who organized the attack seized the e-mail administrators' details for all Greek domains (*.gr). Anyone purchasing a Greek domain provides contact details (name, surname, phone) to the providers who register it. Part of this information is also held at ICS-FORTH.
These records were probably exchanged or sold on well-known darknet markets for financial gain. As a result, during July-September 2019 extremely powerful spam campaigns were observed against e-mail addresses registered under various .gr domains, addresses that had never before received the slightest spam e-mail. These were mainly e-mails informing many of our fellow citizens that they had been hacked and that (falsely) pictures had been taken of them, and demanding a ransom. Here is an example:
- JANUARY 2020
On January 17, the Turkish hacker group called "Anka Neferler" claimed responsibility, in a post on Twitter, for the DDoS attacks on Greek government websites that surfaced late on Thursday afternoon.
According to initial information, accessibility problems affected the websites of the Parliament, the Ministry of Foreign Affairs and the National Intelligence Service. There appear to have been problems with the Athens Stock Exchange and the Ministry of Finance websites as well.
Government sources have confirmed the incident, saying that the affected sites are now working properly. Measures were also taken to ensure the websites' smooth operation and to shield them from future attacks. According to the sources, no data was stolen.
The Turkish media reported the Turkish hackers' intrusion into Greek government websites as an achievement.
Coincidentally or not, the same websites that fell victim to the DDoS attack had fallen victim to the Sea Turtle surveillance campaign a few months earlier (in April 2019).
SEA TURTLE ATTACKS: VICTIMS
Recent victims of the Sea Turtle campaign also included the Albanian State Intelligence Service, according to public records online. Hundreds of the Albanian State Intelligence Service's usernames and passwords were stolen by the hackers.
The neighboring country's intelligence service said that the attacks were on non-classified infrastructure, which does not store or process any information classified as a "state secret" of any level.
Cyprus was also targeted by the hackers. The Cypriot government recently stated: "The authorities were immediately aware of the attacks and were able to protect themselves. We will not comment on the details for national security reasons."
The attacks on Cyprus, Greece, Albania and Syria occurred in late 2018 or early 2019, according to public sources on the internet. Wider rounds of attacks are ongoing, according to officials in the countries involved, as well as studies by independent cyberspace researchers.
In Turkey, on the other hand, the victims of the hacking attacks were various non-governmental organizations which, according to Turkish media, are associated with Fethullah Gulen, who is based in the US and is accused of organizing the failed coup attempt of 2016.
Fethullah Gulen has publicly denied involvement in the coup attempt.
The Sea Turtle campaign's attacks are not going to end soon. According to published reports and cross-referencing by independent researchers, the hackers originate from the neighboring country, Turkey. These are in fact state-sponsored hacking attacks funded by government agencies. The hackers behind them seem to have a well-thought-out attack plan executed in slow and successful steps. The targets? Countries of high importance to the Turkish hackers, who seem to want to draw them into a global cyber war. How prepared are the states to enter the battle? Do they have trained cyber forces?
Based on the information we are making public today, the Greek authorities must act immediately. There are specific traces that can lead to the origin and identity of the perpetrators. Specifically:
- The registered domains used to build the hackers' attack infrastructure are .com domains. These domains were registered and paid for by credit card at the provider NameCheap. The authorities should immediately contact the provider and track down the individuals behind these payments.
- In addition, the IP addresses used belong to external providers (e.g. Vultr, Bacloud, etc.), which again accept credit card payments. The hackers used these providers' VPS servers to perform the redirects they wanted.
- By using specialized tools (such as SecurityTrails) it is possible to determine which IP addresses have been used.
- It is noteworthy that the military headquarters of Sudan (Military General Command Khartoum) was also used as an intermediary (18.104.22.168).
Everything suggests that our questions will be answered very soon.
Stay tuned to SecNews for developments on the subject and the latest tech news.