Sea Turtle Group Uses New DNS Hijacking Technique

Delaware, USA – July 10, 2019 – Sea Turtle APT group, allegedly attributed to the Iranian government, compromised the ICS-Forth network that manages the Greek top-level domains .gr and .el. About the Sea Turtle group became known in this April, but their campaigns were tracked back till 2017. The adversaries use a very unusual technique of hacking: instead of a direct attack on the target, they gain access to network of domain registrar or managed DNS providers and change the DNS settings of the primary target to redirect traffic of legitimate applications and email servers of the company to attackers infrastructure to perform a man-in-the-middle attacks and intercept credentials. In recently discovered attacks, adversaries used a separate server for each new target, and this makes it extremely difficult to track such attacks. Usually, they last from several hours to several days and remain unnoticed by the security systems of the target organizations.

Typically, the APT groups for some time turned off the operation after their activity became known to the public, but Sea Turtle increased the rate of attacks after the report. ICS-Forth published a statement about the compromise of their network on April 19, and the attackers continued the operation for another 5 days. Cisco Talos discovered new servers of the group and tracked their targets located in the United States, Switzerland, Greece, and Sudan. The main targets of Sea Turtle attacks were government organizations, energy companies, and at least one airport. To secure against such types of attack, organizations should pay more attention to DNS security and monitor passive DNS record on their domains. It is also possible to use DNS Security Check rule pack for your SIEM to analyze client-server DNS traffic and discover suspicious patterns: