Saturday, July 4, 12:57

RESEARCH: Sea Turtle hacking attacks. Cyber warfare in progress?

SEA TURTLE hacking attacks: Cyber warfare with Turkey hiding behind cyber-terrorism?

EXECUTIVE SUMMARY

The Sea Turtle hacking campaign against government websites in Europe and the Middle East, with Greece being one of the key targets, has raised global concern. SecNews conducted an investigation into the hackers' identity, the attacks and the risks arising from them.

A hacking campaign known as Sea Turtle began in 2017 and has evolved into dangerous cyber-terrorism that may be the beginning of a cyber war.

At first, the hackers attacked government organizations, energy companies, think tanks, international governmental organizations, airports and high-profile individuals in North Africa and the Middle East, and then spread to Europe and America.

Early speculation suggested that Iranian hackers were behind the campaign, since they are known for such attacks, the latest of which targeted European energy companies.

The picture changes as the attacks continue, pointing instead to the Turkish government.

The campaign has alarmed many experts because it bears the traits of government-sponsored espionage in the service of Turkish interests.

SEA TURTLE CAMPAIGN

Let's first analyze the nature of the Sea Turtle campaign and its goals. The Sea Turtle campaign has been active since January 2018, targeting public and private bodies of various states. The campaign relies on DNS hijacking attacks.

According to the data so far, attacks have been detected in approximately 40 organizations in 13 countries.


The attackers are highly organized and employ sophisticated methods that give them access to sensitive networks and systems. A DNS hijacking attack redirects users to malicious websites by modifying DNS name records or the settings of the DNS server itself.

The campaign targets two categories of victims. The first category consists of national security organizations, foreign ministries and energy-related organizations. The second category of victims consists of DNS registrars, telecommunications companies and internet service providers.

It is worth noting that the attackers' first targets are third parties (providers) that supply outsourced services to the actual targets.

DNS HIJACKING ATTACKS

What is DNS hijacking?

DNS hijacking, DNS poisoning or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved with malware that alters a computer's TCP/IP configuration so that it points at a malicious DNS server controlled by an attacker, or by modifying the behavior of a trusted DNS server so that it no longer complies with Internet standards. Of course, these modifications are made for malicious purposes.

The Sea Turtle campaign makes these modifications for malicious purposes, as we can imagine. Specifically:

The attackers obtain the credentials of the administrator of the organization's network and modify its DNS records.

Alternatively, they gain access through the DNS registrar, which sells domain names and manages DNS records. The DNS registry is accessible to the registrar's application through the Extensible Provisioning Protocol (EPP).

The hackers obtain one of these EPP keys in order to modify the DNS records handled by the registrar.

The hackers steal the credentials they need to access networks and systems in the following way:

  1. first they gain control of the target's DNS records,
  2. then they modify the DNS records to redirect users to servers under the hackers' control instead of the real servers,
  3. and finally they steal credentials when users communicate with the controlled server.

Through these steps the hackers gain access to the organization's systems and carry out their attack.

A new DNS hijacking technique

The new technique has been used sparingly and has so far been identified at only two entities since 2018.

In this case, the domain's name server records were modified to refer legitimate users to the malicious server. The actor-controlled name server and the hijacked hostnames resolved to the same IP address for a short period, usually less than 24 hours. In both cases, one of the hijacked hostnames pointed to an e-mail service through which the hackers seized the victims' login credentials. One aspect of this technique that makes it extremely difficult to monitor is that the controlled name servers were not reused for multiple purposes, meaning that each hijacked entity had its own name server hostname and its own unique IP address, whereas the previously mentioned name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.

New nameserver controlled by the hackers

rootdnservers[.]com: it shows behavior patterns similar to the nameservers previously used as part of the Sea Turtle campaign. The domain rootdnservers[.]com was registered on April 5, 2019 through the registrar NameCheap. The new domain was used for DNS hijacking against three government agencies, all of which used .gr, the Greek ccTLD. It is very likely that the hijackings were carried out through access to the ICS-FORTH network.

Below is a table with the three most recent malicious name servers that have been associated with this activity (source: Talos Intelligence):

| Hostname | IP address | Operational status |
|---|---|---|
| ns1[.]rootdnservers[.]com | 45[.]32[.]100[.]62 | Active |
| ns2[.]rootdnservers[.]com | 45[.]32[.]100[.]62 | Active |
| ns1[.]intersecdns[.]com | 95[.]179[.]150[.]101 | Inactive |
| ns2[.]intersecdns[.]com | 95[.]179[.]150[.]101 | Inactive |

New IPs associated with man-in-the-middle activity:

By identifying the targeted domains, the hijacked hostnames and the corresponding MitM nodes were identified. The hackers used a "certificate impersonation" tactic, i.e. the targeted hostname presented an SSL certificate issued by a different SSL provider than the legitimate one. Below is a table with the dates and associated IP addresses.

| Date | IP address |
|---|---|
| April 13, 2019 | 95[.]179[.]131[.]225 |
| April 16, 2019 | 95[.]179[.]131[.]225 |
| April 11, 2019 | 95[.]179[.]131[.]225 |
| April 11, 2019 | 140[.]82[.]58[.]253 |
| April 10, 2019 | 95[.]179[.]156[.]61 |

Indicators of compromise: Talos has published the full list of actor-controlled nameservers, hosted malicious nameservers, MitM nodes and operational nodes for this activity, with their date ranges.


IRAN AND SEA TURTLE ATTACKS

The first speculation places Iran behind the hacking espionage campaign.

Researchers point to the APT34 hacking group as being behind the cyber espionage campaign. It is worth noting that there are many similarities between the credential-harvesting process of the Sea Turtle campaign and the Iranian hackers' WebMask project.

Comparing the TTPs of the two campaigns reveals many similarities. In addition, the targets of APT34 are the same as those of the group behind the Sea Turtle campaign. There is not enough evidence to confirm the link, but it seems quite possible even though it has not been confirmed.

One of the key similarities between the two campaigns is DNS hijacking. In addition, state-funded Iranian hackers are known to use DNS hijacking to redirect victims to attack sites. Analysis of the hackers' TTPs shows that the WebMask project emerged after April 2016 and has been used against targets in the United Arab Emirates, at least. In addition, APT34 used the NovinVPS provider, but credentials were needed to change the authoritative DNS. The purpose of that campaign was therefore to collect data, which is also the case for Sea Turtle.

TURKEY AND SEA TURTLE ATTACKS

More recent speculation places the Turkish government behind the online espionage campaign.

According to two British officials and a US official, the activity carries the characteristics of government espionage committed to furthering Turkish interests.

The four key features are:

Turkey's interior ministry declined to comment. A senior Turkish official did not immediately respond to questions about the campaign, but said Turkey itself was often the victim of cyberattacks.

TIMELINE OF THE ATTACK: GREECE, THE MAIN TARGET OF THE SEA TURTLE CAMPAIGN


  • APRIL 2019

On July 10, 2019, ICS-FORTH (the Institute of Computer Science of the Foundation for Research and Technology), the organization that manages Greece's .gr and .el top-level domains, publicly admitted that it had been hacked between April 19 and April 24, 2019.

The hackers behind the breach are the same group that a Cisco Talos report in April named Sea Turtle.

The group uses a relatively new approach in its hacking attacks. Instead of targeting victims directly, they compromise or gain access to accounts at domain registrars and managed DNS providers, where they modify a company's DNS settings.

By modifying the DNS records for internal servers, they redirect traffic intended for a company's legitimate applications or webmail services to clone servers, where they run man-in-the-middle attacks and capture login credentials.

The attacks are short-lived, lasting from hours to days, and they are extremely difficult to detect because most companies do not keep track of changes to their DNS settings.
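The short-lived NS and A record changes described above go unnoticed precisely because nobody compares live DNS answers against a known-good baseline. The following monitor is an added example (not code from the article, Talos or ICS-FORTH) that does that comparison; all domain names, IP addresses and nameserver names in it are constructed placeholders, and the lookup function is injectable so it runs offline.

```python
"""DNS-record drift monitor (added example; not the article's or Talos' code).

Sea Turtle changed NS / A records for under 24 hours, and victims rarely
noticed because nobody compared live DNS answers against a baseline. The
lookup function is injectable so the demo runs offline on constructed data;
all domain names, IPs and nameserver names below are constructed placeholders.
"""
from typing import Callable, Dict, List, Set

Records = Dict[str, Set[str]]      # record type -> set of record values
Lookup = Callable[[str, str], Set[str]]

# Constructed baseline, captured while the zone was known to be good.
BASELINE: Dict[str, Records] = {
    "ministry.example": {
        "NS": {"ns1.legit-dns.example.", "ns2.legit-dns.example."},
        "MX": {"mail.ministry.example."},
        "A": {"203.0.113.10"},
    },
}

def diff_records(expected: Records, observed: Records) -> List[str]:
    """Return one finding per record type whose value set differs."""
    findings = []
    for rrtype in sorted(set(expected) | set(observed)):
        before, after = expected.get(rrtype, set()), observed.get(rrtype, set())
        if before != after:
            findings.append(f"{rrtype}: expected {sorted(before)} "
                            f"observed {sorted(after)}")
    return findings

def check_zone(domain: str, lookup: Lookup,
               baseline: Dict[str, Records] = BASELINE) -> List[str]:
    """Resolve every baselined record type for `domain` and diff it."""
    expected = baseline[domain]
    observed = {rrtype: lookup(domain, rrtype) for rrtype in expected}
    return diff_records(expected, observed)

# Constructed answers imitating a hijacked zone: NS now names an
# actor-controlled server and A points at a MitM host; MX is untouched.
HIJACKED = {
    ("ministry.example", "NS"): {"ns1.rogue-dns.example.", "ns2.rogue-dns.example."},
    ("ministry.example", "MX"): {"mail.ministry.example."},
    ("ministry.example", "A"): {"198.51.100.77"},
}

def offline_lookup(domain: str, rrtype: str) -> Set[str]:
    return HIJACKED[(domain, rrtype)]

def live_lookup(domain: str, rrtype: str) -> Set[str]:
    """Real resolver for production use; needs the dnspython package."""
    import dns.resolver
    return {r.to_text() for r in dns.resolver.resolve(domain, rrtype)}

if __name__ == "__main__":
    # Run hourly: a hijack lasting less than a day is still caught.
    for finding in check_zone("ministry.example", offline_lookup):
        print("ALERT", finding)
```

Swap `offline_lookup` for `live_lookup` and schedule the script hourly against the organization's own zones; an alert on the NS or A record of the webmail host is the signal this campaign would have produced.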

The Sea Turtle group usually breaches accounts at domain registrars and managed DNS providers, accounts that belong to their targets, who use them to manage the DNS records of various servers and services.

Now, however, Sea Turtle has succeeded in hacking an entire top-level domain service provider to achieve its goal, that is, to modify the DNS settings of target servers for an entire country, all of Greece.


A report says that the Sea Turtle group had previously attacked NetNod, an internet exchange point based in Sweden, which offered, among other things, DNS services for ccTLD organizations such as ICS-FORTH.

The hackers maintained their illegal access to the ICS-FORTH network from a command and control (C2) node. Analysis of this C2 node showed that it was also used for access to an organization in Syria, which had previously been redirected using the hacker-controlled name server ns1[.]intersecdns[.]com. It therefore turns out that the same group is behind both hacks (Greece and Syria).

According to undisputed information, the hackers involved gained access to the ICS-FORTH administrator's terminal (possibly via a phishing attack), where they then installed a well-known remote access program (TeamViewer). Using the terminal via TeamViewer, and having observed the administrator for a long time, they gained root access to the central servers of the top-level DNS administrator for the .gr / .el suffixes. Through this access they now held all the Greek domains and the EPP codes, and were able to alter or redirect whatever domain they wanted. The targets, as is now known, were the National Intelligence Service (www.nis.gr), the Ministry of Foreign Affairs (www.mfa.gr), the Hellenic Parliament, the Prime Minister's e-mail server and other critical infrastructure of the country. For 24 hours all of their e-mail was redirected to the hackers' server(s), exposing e-mails, officials' passwords and critical information! Analysis of the access through the TeamViewer software and its logs did not precisely identify the attackers' electronic traces.

But there is another dimension to the issue that has not been made public, and SecNews is releasing it today. The Turkish hackers who organized the attack seized the e-mail addresses of the administrators of all the Greek domains (*.gr). Anyone purchasing a Greek domain provides contact details (name, surname, phone number) to the registrar. Part of this information is also held by ICS-FORTH.

These data were probably exchanged or sold on the well-known darknet markets for financial gain. As a result, in July-September 2019 extremely aggressive spam campaigns were observed against e-mail addresses registered to various .gr domains, addresses that had never before received a single spam e-mail. These were mainly e-mails informing many of our fellow citizens that they had been hacked, that (fake) pictures or videos of them had been taken, and asking them to pay a ransom. Here is an example:

  • JANUARY 2020

On January 17, the Turkish hacker group called "Anka Neferler" claimed responsibility, in a post on Twitter, for the DDoS attacks on Greek government websites that surfaced late on Thursday afternoon.

According to initial information, accessibility problems affected the websites of the Parliament, the Ministry of Foreign Affairs and the National Intelligence Service. There appear to have been problems with the websites of the Athens Stock Exchange and the Ministry of Finance as well.

Government sources confirmed the incident, saying that the affected sites are now working properly. Measures were also taken to ensure the smooth operation of the websites and to shield them from future attacks. According to the sources, no data theft occurred.


Turkish media reported, as an achievement, that Turkish hackers had broken into Greek government websites.

Coincidentally or not, the same websites that fell victim to the DDoS attack had fallen victim to the Sea Turtle espionage campaign a few months earlier (in April 2019).

SEA TURTLE ATTACKS: VICTIMS

Recent victims of the Sea Turtle campaign also included the Albanian State Intelligence Service, according to public records online. The Albanian State Intelligence Service had hundreds of usernames and passwords stolen by the hackers.

The neighboring country's intelligence service said that the attacks targeted non-classified infrastructure, which does not store or process any information classified as a "state secret" of any level.


Cyprus was also targeted by the hackers. The Cypriot government recently stated: "The authorities were immediately aware of the attacks and were able to protect themselves. We will not comment on the details for national security reasons."

The attacks on Cyprus, Greece, Albania and Syria occurred in late 2018 or early 2019, according to public sources on the internet. Wider rounds of attacks are ongoing, according to officials of the services in the countries involved as well as studies by independent cyberspace researchers.

In Turkey, on the other hand, various non-governmental organizations have fallen victim to hacking attacks; according to Turkish media, they are associated with Fethullah Gulen, who is based in the US and is accused of organizing the failed coup attempt of 2016.

Fethullah Gulen has publicly denied any involvement in the coup attempt.

CONCLUSION

The Sea Turtle campaign attacks are not going to end soon. According to published reports and cross-referencing by independent researchers, the hackers originate from the neighboring country, Turkey. These are, in fact, state-sponsored hacking attacks funded by government agencies. The hackers behind them appear to have a well thought out attack plan with slow and successful steps. The targets? Countries of high importance to the Turkish hackers, who wish to draw them into a global cyber war. How prepared are the states to enter that battle? Do they have a trained cyber force?

Based on the information we make public today, the Greek authorities must act immediately. There are specific traces that can lead to the origin and identity of the perpetrators. Specifically:

  • The domains registered to build the hacking infrastructure are .com domains. These domains were registered and paid for by credit card with the provider NameCheap. The authorities should immediately contact the provider and track down the individuals behind these payments.
  • In addition, the IP addresses used belong to external providers (e.g. Vultr, Bacloud, etc.) that again accept credit card payments. The hackers used these providers as VPS hosts to perform the redirects they wanted.
  • Using specialized tools (e.g. SecurityTrails) it is possible to determine which IP addresses have been used.
  • It is noteworthy that a military node in Sudan was also used as an intermediate node: 196.29.187.100

Everything indicates that our questions will be answered very soon.

Stay tuned to SecNews for developments on this subject and the top tech news.

SecNews
SecNewshttps://www.secnews.gr