Nation-State Attackers Exploiting DNS at Scale, Cisco Reports

A nation-state backed group of attackers that Cisco Talos is identifying as Sea Turtle, have been actively exploiting domain name information, by going after domain registries for entire countries.

Cisco Talos Sea Turtle

Cisco Talos is warning of a new attacker group it has dubbed "Sea Turtle" that is exploiting DNS information at scale across large government agencies.

According to the report which was released on April 17, the Sea Turtle attack has already compromised at least 40 different organizations, spread across 13 different countries. While DNS attacks are not a new phenomena, the way in which Sea Turtle operates is somewhat different than other DNS attacks in recent months.

DNS is an acronym for Domain Name System, and is the technology that matches IP addresses to common domain names (i.e In prior DNS attacks, hackers simply redirected DNS entries to their own malicious domains. In the Sea Turtle attacks, the hackers created their own name servers and intercepted traffic, in order to steal credential and other information. The attackers also directly went after entire domain registries, rather than just individual domain names, enabling widespread exploitation of all the entries in a given registry.

The Sea Turtle attackers were able to exploit entire country code Top Level Domain (ccTLD) registries, according to Cisco Talos.

"Cisco Talos cannot identify which ccTLDs were exploited since it may result in them being targeted by additional actors," Craig Williams, Director Talos Research at Cisco, told eWEEK.

According to the report, the attacks likely started as far back as January 2017 and are still ongoing. Cisco emphasized that the Sea Turtle attacks are different in nature and from a group that is un-related to DNS attacks that were reported earlier this year. The U.S. Government warned about the risks of DNS hijacking in January 2019, directing agencies to take multiple steps to secure their DNS information.

How The Sea Turtle Attacks Work

The method by which the Sea Turtle attackers got into the various ccTLDs and exploited their DNS infrastructure did not apparently involve any new or unique malware or zero day vulnerabilities.

"We saw the initial access take place via spear phishing or the exploitation of known vulnerabilities," Williams said. "Unfortunately no network is impenetrable and often users are the weakest targets."

The Sea Turtle attacker hijacked the various DNS records for different amounts of time ranging from only a few minutes to a couple of days. While some attacks are financially focused, that's not the goal of Sea Turtle

"Right now the actor seems to be purely focused on espionage," Williams said.

Defending Against Sea Turtle

Cisco Talos has a few recommendations to help organizations minimize the risk of being a victim of a DNS hijacking attack.

  • Use a Registry Lock Service - With registry lock, changes can only be made after an additional message and request for authorization is made.
  • Secure Access with MFA - Domain access should be secured with more than just a username and a password. Multi-factor authentication (MFA) requires the use of a secondary password or token to gain access.

Williams commented that the use of DNSSEC, may help with this issue but the attackers have shown their ability to work around defensive strategies so it’s impossible to say for certain. DNSSEC (DNS security extensions) provide an additional degree of cryptographic assurance to domain name information.

"Patching, Defense in depth, and user education are key," Williams said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.