The internet probably wouldn't have entered the many facets of people's everyday lives as quickly as it did if it weren't for DNS. Imagine having to remember many IPv4 addresses in your head. For example, an IP address associated with Venafi.com is 126.96.36.199. IPv6 addresses are hexadecimal and even trickier for people to use! 2001:0db8:0000:0042:0000:8a2e:0370:7334 is an example. Ouch! Yes, we will someday get to a point where IPv6 addresses are more common than IPv4 addresses. Really.
Sure, these days we don’t have to type internet addresses out as frequently as we did in the 1990s and 2000s. The web is probably the most common way that ordinary people use domain names, and web browsers have had auto-complete functionality in the address bar for several years now. If people had to type 188.8.131.52 to get to Yahoo! back in 1997, we may have never had Friendster! But I digress...
For as useful as DNS is at making most internet services more user-friendly, the development of its security has lagged behind that of many other networking technologies. And there's a nation-state advanced persistent threat (APT) called Sea Turtle which has taken full advantage of that weakness.
How Sea Turtle got out
All the public buzz about the Sea Turtle group’s attacks started on January 22 with an emergency directive issued by Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), a unit within the US Department of Homeland Security.
According to a January 24 alert from CISA, “The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”
By illicitly modifying the name records on DNS servers, Sea Turtle can redirect domain name traffic to perform further cyber attacks. For example, if my endpoint were using a DNS server that Sea Turtle compromised, instead of "Venafi.com" resolving to Venafi's authentic web servers at 184.108.40.206, my web browser could be directed to the cyber attacker's web server. The cyber attacker's website could perform further attacks on my endpoint, compromising the confidentiality and the integrity of my data.
DNS attacks are no laughing matter. One of the most notorious cyber attacks in recent memory, the Mirai botnet attacks, slowed or stopped internet access for most of the eastern United States in October 2016. Mirai’s bots were mainly compromised routers and IoT devices, and they launched DDoS attacks against DNS servers associated with Dyn and French telecom OVH. Millions and millions of people and businesses relied upon those DNS servers. They were relatively lucky that they just couldn’t use domain names for a while, because being redirected to a cyber attacker’s internet server is arguably worse.
A state sponsored APT
The Department of Homeland Security and Cisco Talos are confident that Sea Turtle is a state-sponsored APT, based on the scale and scope of their attacks, and also based on their choices of targets. Sea Turtle’s primary targets are in Eastern Europe, North Africa, and the Middle East, including Albania, Cyprus, Lebanon, Libya, Egypt, Turkey, Armenia, Syria, Iraq, Jordan, and the UAE. Their secondary targets are in Sweden and the United States. These targets have ranged from large private sector entities to large public sector entities which include national security organizations and other government agencies.
Sea Turtle's objective appears to be to obtain persistent access to sensitive networks and systems. They want to infiltrate intelligence agencies, sensitive government data, and large private industries. This particular DNS server attack operation may have started as early as January 2017, and has carried on through the first few months of 2019.
“This campaign of attacks is highly likely to have serious consequences,” warns Broderik Perelli-Harris, Venafi Senior Director Solution Architects, EMEA. “The impact of hijacking of the top-level domains—and the encrypted communication streams connected with them—is hard to overstate.”
Targeting machine identities to subvert encryption
Perelli-Harris continues, “By attacking the Machine Identities, Sea Turtle was able to subvert the encryption controls that underpin all of the traditional cyber defence technologies. We don’t know which communications have been intercepted, but it’s not hard to imagine extremely sensitive political, military and commercial data flowing through these channels.”
Which nation state is sponsoring Sea Turtle? Which specific corporations and government organizations have they attacked? That’s not public knowledge yet, so we can only speculate at this point. Perhaps that information is confidential for now because publicly revealing the exact entities which are involved may interfere with the investigation. Who knows.
Websites are being spoofed in order to acquire credentials and passwords for greater access to Sea Turtle’s targets. That data most certainly includes machine identities such as TLS certificates. Venafi-sponsored research has identified an increase in web spoofing which uses HTTPS and illegally acquired TLS certificates. HTTPS is no guarantee of a safe website these days, and securing the public key infrastructure of internet servers is more important than ever.
DNS security lags
A major factor in the success of Sea Turtle's attacks is how DNS security has lagged behind the security of other internet technologies. Experts like Paul Kocher recommend that DNS providers implement DNSSEC, which stands for Domain Name Server Security Extensions. It's a suite of specifications designed to cryptographically sign data to verify that DNS data is valid. But Kocher says that DNSSEC implementation has been a lengthy process. "The transition to DNSSEC has taken 20 years, but it's plodding along and making a difference. A lot of us are used to working on internet company time, where you get an idea, do a markup and it's in release in six months."
“This attack shines a very bright spotlight on how we secure DNS servers and other core infrastructure,” observes Perelli-Harris. “It also directly draws attention to how we manage and protect machine identities that control the flow of sensitive data between machines. Active monitoring of DNS and public certificates is the only way to protect enterprises and government from these kinds of attacks.”
Proper DNSSEC implementation can detect malicious DNS record changes, which are indicators of compromise for attacks like the ones Sea Turtle has engaged in. Organizations which operate DNS servers will need to figure out why DNSSEC implementation is taking so long so they can overcome those challenges. They'd better hurry up, because state-sponsored APTs like Sea Turtle sure aren't slowing down.
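The "active monitoring of DNS and public certificates" that Perelli-Harris recommends comes down to keeping a baseline of what your domains are supposed to look like and diffing fresh observations against it. The script below is an added example written for this article, not code from Venafi or from any of the researchers quoted. It assumes a hypothetical domain `example.test`, a simplified one-record-per-line snapshot format, and a list of certificate issuance entries shaped like what a Certificate Transparency log monitor would hand back; all of the data is constructed. It flags two of the signals a Sea Turtle-style hijack produces: a change in the apex NS set or a host's A record, and a certificate for a monitored name issued by a CA the organization does not use.

```python
"""Baseline-diff monitoring for DNS records and TLS certificate issuance.

Added example (not from the original article). A defender records the DNS
records and certificate issuers expected for its own domains, then compares
fresh observations against that baseline. An NS/A change at the apex, or a
certificate from an unexpected CA, is an alert worth investigating.
All domains, addresses and issuers below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline snapshot in a simplified "name type rdata" line format.
BASELINE_SNAPSHOT = """
example.test.      NS  ns1.example.test.
example.test.      NS  ns2.example.test.
example.test.      A   192.0.2.10
www.example.test.  A   192.0.2.11
mail.example.test. MX  10 mx.example.test.
"""

# Constructed observed snapshot: one nameserver and the web host were repointed.
OBSERVED_SNAPSHOT = """
example.test.      NS  ns1.example.test.
example.test.      NS  ns-evil.attacker.test.
example.test.      A   192.0.2.10
www.example.test.  A   198.51.100.77
mail.example.test. MX  10 mx.example.test.
"""

# Constructed certificate issuance entries (the shape a CT monitor might return)
# plus the CAs this hypothetical organization actually uses.
CT_ENTRIES = [
    {"subject": "www.example.test", "issuer": "Example Trusted CA"},
    {"subject": "mail.example.test", "issuer": "Example Trusted CA"},
    {"subject": "www.example.test", "issuer": "Some Other CA"},
    {"subject": "unrelated.test", "issuer": "Some Other CA"},
]
ALLOWED_ISSUERS = {"Example Trusted CA"}
MONITORED_DOMAINS = {"example.test"}


def parse_snapshot(text):
    """Parse 'name type rdata' lines into {(name, type): set(rdata)}.

    Rdata may itself contain spaces (MX preference + host), so the line is
    split at most twice. Comment lines starting with ';' are ignored.
    """
    records = defaultdict(set)
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, rdata = line.split(None, 2)
        records[(name.lower(), rtype.upper())].add(rdata.strip())
    return dict(records)


@dataclass(frozen=True)
class Change:
    """One (name, type) whose record set differs from the baseline."""
    name: str
    rtype: str
    removed: frozenset
    added: frozenset


def diff_records(baseline, observed):
    """Return a Change for every (name, type) whose rdata set differs."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        before = baseline.get(key, set())
        after = observed.get(key, set())
        if before != after:
            changes.append(Change(key[0], key[1],
                                  frozenset(before - after),
                                  frozenset(after - before)))
    return changes


def covers_domain(subject, domain):
    """True if a certificate subject is the domain or a name beneath it."""
    subject = subject.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return subject == domain or subject.endswith("." + domain)


def unexpected_issuances(entries, monitored, allowed_issuers):
    """Entries for monitored names whose issuer is not on the allow-list."""
    return [e for e in entries
            if any(covers_domain(e["subject"], d) for d in monitored)
            and e["issuer"] not in allowed_issuers]


if __name__ == "__main__":
    for c in diff_records(parse_snapshot(BASELINE_SNAPSHOT),
                          parse_snapshot(OBSERVED_SNAPSHOT)):
        print(f"DNS CHANGE {c.name} {c.rtype}: -{sorted(c.removed)} +{sorted(c.added)}")
    for e in unexpected_issuances(CT_ENTRIES, MONITORED_DOMAINS, ALLOWED_ISSUERS):
        print(f"UNEXPECTED CERT {e['subject']} issued by {e['issuer']}")
```

In a real deployment the two snapshots would come from querying several independent resolvers (a hijack at one provider is only visible when you compare vantage points) and the issuance entries from a CT log monitor; the comparison logic is the same. Note what this catches and what it does not: a rogue NS or A record and an unexpected certificate both show up, but it cannot tell you whether the attacker already used that certificate, which is why the article's point about rotating and tracking machine identities matters alongside the monitoring.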