GlobalSign’s security incident report, issued in response to claims by an Iranian hacker calling himself Comodohacker that he had breached the company’s CA systems, confirmed the findings of a preliminary review GlobalSign published three days after the reported hack.
Comodohacker had previously claimed responsibility for breaching a registration authority (RA) of the US CA Comodo and the CA systems of the Dutch CA DigiNotar, which led to fraudulent SSL certificates being issued for hundreds of websites.
In the detailed report issued this month, GlobalSign said it found evidence that a peripheral web server, not part of the CA infrastructure, was breached. The breach exposed publicly available HTML pages and PDFs, along with the Secure Sockets Layer (SSL) certificate and private key issued to www.globalsign.com. The company revoked that certificate after determining its private key had been compromised.
At the same time, GlobalSign stressed that, unlike in the DigiNotar case, the hacker did not compromise the company’s root certificate keys and associated hardware security modules (HSMs), its CA infrastructure, its issuing authorities and associated HSMs, or its RA services.
In response to Comodohacker’s initial claim, GlobalSign halted new certificate issuance from Sept. 6 to 15. The company contracted Fox-IT to provide third-party analysis of its infrastructure and Cyber Security Japan to rebuild a hardened certificate-issuing infrastructure in case the existing one had actually been breached.
“GlobalSign, with the help of Fox-IT, found no evidence that the GlobalSign certificate-issuance infrastructure was compromised. However, GlobalSign has implemented additional controls around infrastructure, customer data protection and access to all systems. It is our view that this attack is one phase of an advanced persistent threat against all security solution providers. Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry”, the company explained in its security report.
GlobalSign said it maintains an offline root, so that its root certificate key material is never connected to any network. In addition, all issuance and internet-facing infrastructure is now monitored around the clock by a managed intrusion-detection service.
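As an added illustration of the separation the report relies on (this is not code from GlobalSign’s report or Fox-IT’s analysis), the following Python sketch uses the `cryptography` library to build the three tiers the report names: an offline root, an issuing CA, and a leaf certificate for www.globalsign.com. It then handles the situation described above, an exposed leaf private key, by having the issuing CA publish a CRL marking that certificate as key-compromised. The root key is not needed for revocation and is never used again after signing the issuing CA. Every key, name, serial number and date in the block is constructed for the example.

```python
"""Added illustration, not code from the GlobalSign report: a three-tier PKI
(offline root -> issuing CA -> leaf) in which the leaf's private key is exposed
and revocation is handled by the issuing CA's CRL without touching the root key.
Every key, name, serial number and date below is constructed for the example."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the output is reproducible (constructed value near the incident date).
NOW = datetime.datetime(2011, 9, 20, tzinfo=datetime.timezone.utc)
ONE_YEAR = datetime.timedelta(days=365)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key():
    # P-256 keeps key generation fast; the hierarchy logic is identical for RSA.
    return ec.generate_private_key(ec.SECP256R1())


def issue(subject_cn, issuer_name, issuer_key, subject_key, is_ca, serial):
    """Sign a certificate for subject_cn with the issuer's private key.

    For the self-signed root, issuer_name is its own name and issuer_key is subject_key.
    """
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(serial)
        .not_valid_before(NOW)
        .not_valid_after(NOW + ONE_YEAR)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def revoke_for_key_compromise(issuing_cert, issuing_key, compromised_cert):
    """Publish a CRL from the issuing CA listing compromised_cert with reason keyCompromise."""
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(compromised_cert.serial_number)
        .revocation_date(NOW)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuing_cert.subject)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))
        .add_revoked_certificate(entry)
        .sign(issuing_key, hashes.SHA256())
    )


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Build the hierarchy, expose the leaf key, revoke it, and report what changed."""
    root_key, issuing_key, leaf_key = _key(), _key(), _key()
    root = issue("Example Offline Root", _name("Example Offline Root"), root_key, root_key, True, 1)
    issuing = issue("Example Issuing CA", root.subject, root_key, issuing_key, True, 2)
    leaf = issue("www.globalsign.com", issuing.subject, issuing_key, leaf_key, False, 3)

    # The leaf key leaks from a peripheral web server. Only the issuing CA's key is
    # needed to revoke it; root_key stays offline and is not used from here on.
    crl = revoke_for_key_compromise(issuing, issuing_key, leaf)
    reason = (
        crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
        .extensions.get_extension_for_class(x509.CRLReason).value.reason
    )
    return {
        "chain_ok": signed_by(issuing, root) and signed_by(leaf, issuing),
        "crl_signed_by_issuing_ca": crl.is_signature_valid(issuing.public_key()),
        "leaf_revoked": is_revoked(crl, leaf),
        "issuing_ca_revoked": is_revoked(crl, issuing),
        "reason": reason.name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the layout is visible in `demo()`: the CRL that invalidates the leaked www.globalsign.com certificate is signed by the issuing CA alone, so an attacker who holds only the leaf key gains nothing further, and the root key can stay on an air-gapped machine exactly as the report describes.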