The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet.

Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains—the suffixes like .co.uk or .ru that end a foreign web address—putting all the traffic of every domain in multiple countries at risk.

The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man in the middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.

Top Level Dilemma

DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as "google.com," into the IP address that represents the actual computer where that service is hosted, such as "64.233.191.255." Corrupt that system, and hackers can redirect that domain to any IP address they choose. Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations but also because it calls into question that basic trust model of the internet.

"When you're on your computer and visit your bank, you assume DNS servers will tell you the truth," Williams says. "Unfortunately what we're seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don’t have any guarantee of who you’re talking to."

"If you’re in those countries, how do you trust that your DNS system is working again?" Craig Williams, Cisco Talos

Hackers have used DNS hijacking plenty of times in years past, for everything from crude website defacements to another apparent espionage campaign, labelled DNSpionage, uncovered by Cisco Talos in late 2018 and linked to Iran early this year. Cisco's Williams says that other security firms have misattributed some of Sea Turtle's operations, confusing them with those of the DNSpionage campaign. But the Sea Turtle campaign represents a distinct and more serious series of security breaches, he argues.

"Anyone in control of a top level domain can add, remove, and delete records, or redirect domains and do a subversive man-in-the-middle attack," says David Ulevitch, founder of the DNS-focused firm OpenDNS and now a partner at venture capital firm Andreessen Horowitz. "That can have tremendous security implications for anyone with a domain under that TLD."

Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.

Cisco did name two of the DNS-related firms who were targeted by the Sea Turtle hackers: The Swedish infrastructure organization NetNod and Berkeley-based Packet Clearing House, both of whom have acknowledged in February that they had been hacked. Cisco said the attackers had burrowed into those initial target networks with traditional means, such as spearphishing emails, and a toolkit of hacking tools designed to exploit known but unpatched vulnerabilities.

Middle Men

Those initial targets were only a stepping stone. Once the Sea Turtle hackers gained full access to a domain registrar, their spying operations followed a predictable pattern, according to Cisco's researchers. The hackers would change the target organization's domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim's legitimate ones. When users then attempted to reach the victim's network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.