Sea Turtle hackers head to the Mediterranean, snag Greece's TLD registrar as a souvenir

Miscreants notorious for hijacking traffic to victims' servers by changing their DNS records have been accused of hacking a top domain-name registrar in Greece.

The team at Cisco Talos believes the Sea Turtle group was responsible for an April cyber-break-in at ICS-Forth, the company that manages the .gr top-level domain for Greece. The hackers maintained access for a period of at least five days.

"Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node," Talos researcher Paul Rascagneres explained earlier this week.

"Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24, five days after the statement [that ICS-Forth had been hacked] was publicly released.

"Upon analysis of this operational C2 node, we determined that it was also used to access an organization in Syria that was previously redirected using the actor-controlled name server ns1[.]intersecdns[.]com. This indicates that the same threat actors were behind both operations."

Getting into a domain registrar would be a big win for Sea Turtle, as the group's favored hacking technique involves hijacking the DNS entries for their targets' domain names and subdomains to redirect people's connections to hacker-controlled servers. Users think they are connecting to the under-attack organization's servers as normal, but are instead connecting to Sea Turtle's systems, that masquerade as legit sites, and handing over their login credentials to scumbags.

Indeed, the Talos team reports that shortly after the ICS-Forth intrusion took place, two Greek government organizations fell victim to DNS hijackings.

The attacks would have occurred at roughly the same time Cisco Talos was introducing the world to Sea Turtle and its methods for hacking government and corporate networks without ever having to target their servers or network appliances. While the group was initially focused on the North Africa and Middle East regions, since April the operation has expanded not only to Greece, but also to targets in Switzerland, Sweden, and the US.

The groups in Sea Turtle's crosshairs had mostly been government organizations, political think tanks, and international NGOs, though the Talos team notes that some energy companies and at least one airport were also targeted.

Talos recommends that companies worried about attacks add multi-factor authentication to their registrar accounts, to prevent crooks socially engineering their way into domain settings, and implement DNSSEC. ®