A notorious state-sponsored cyber-espionage campaign has expanded its operations with new victims and DNS hijacking techniques, according to Cisco Talos.
The security vendor claimed in a new blog post that the actors behind the Sea Turtle attacks - first revealed in April - have not been deterred by their new-found infamy.
The campaign has mainly been targeting military organizations and governments in the Middle East. The attackers obtain DNS server credentials via phishing or vulnerability exploitation, then modify DNS records to redirect users to malicious servers in classic man-in-the-middle attacks. Those servers harvest credentials, which the attackers use to log in to high-value accounts and steal sensitive data.
The new technique in question has been spotted just twice in the wild, hitting targets in 2018.
“In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials,” Cisco explained.
“One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address. Whereas previously reported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.”
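As an added illustration (not code from the Cisco Talos post), the following Python detection rule targets the pattern quoted above: it watches a zone's NS records across periodic resolution snapshots, flags any name server outside the zone's baseline, and escalates when that name server resolves to the same IP as one of the zone's own hostnames. All zone names, name servers and addresses are constructed placeholders.

```python
# Added example (not Cisco Talos code): a detector for the pattern quoted
# above, run over constructed DNS snapshots of a fictional zone. It flags any
# NS record outside the baseline; "high" means the name server shares an IP
# with a hostname in the zone, the signature the quoted text describes.
from dataclasses import dataclass

@dataclass
class Snapshot:
    hour: int        # hours since monitoring began (constructed timeline)
    ns: tuple        # NS records observed for the zone
    ns_ips: dict     # name server hostname -> A record
    host_ips: dict   # monitored zone hostname -> A record

def detect_ns_hijack(baseline_ns, snapshots):
    """One alert per (snapshot, name server not in baseline_ns)."""
    alerts = []
    for snap in snapshots:
        for ns in snap.ns:
            if ns in baseline_ns:
                continue                      # expected name server
            ns_ip = snap.ns_ips.get(ns)
            shared = sorted(h for h, ip in snap.host_ips.items() if ip == ns_ip)
            alerts.append({"hour": snap.hour, "ns": ns, "ip": ns_ip,
                           "shared_with": shared,
                           "severity": "high" if shared else "medium"})
    return alerts

def observed_hours(alerts, ns):
    """Span of hours over which `ns` was seen; the page reports under 24."""
    hours = [a["hour"] for a in alerts if a["ns"] == ns]
    return max(hours) - min(hours) if hours else 0

# Constructed sample: legitimate name servers, then hourly snapshots in which
# a dedicated actor name server appears briefly, sharing its IP with the mail
# host, before the zone returns to normal. All names/IPs are placeholders.
BASELINE_NS = {"ns1.registrar.example", "ns2.registrar.example"}
SNAPSHOTS = [
    Snapshot(0, ("ns1.registrar.example", "ns2.registrar.example"),
             {"ns1.registrar.example": "198.51.100.10"},
             {"mail.victim.example": "192.0.2.25"}),
    Snapshot(6, ("ns1.actor-dedicated.example",),
             {"ns1.actor-dedicated.example": "203.0.113.7"},
             {"mail.victim.example": "203.0.113.7"}),
    Snapshot(12, ("ns1.actor-dedicated.example",),
             {"ns1.actor-dedicated.example": "203.0.113.7"},
             {"mail.victim.example": "203.0.113.7"}),
    Snapshot(30, ("ns1.registrar.example", "ns2.registrar.example"),
             {"ns1.registrar.example": "198.51.100.10"},
             {"mail.victim.example": "192.0.2.25"}),
]
```

Because the quoted text says each victim got its own dedicated name server, the rule keys on deviation from the zone's own baseline rather than on any shared indicator list.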
Cisco Talos also observed continuing activity against the ccTLD for Greece, enabling the attackers to perform DNS hijacking against three government entities.
Although most primary target organizations are based in the Middle East, new Sea Turtle victims have been spotted in the US and Sudan. Energy companies, think tanks, NGOs and even an airport have been hit.