[German]Massive cyber attacks on governments and other organizations in Europe and the Middle East have become public last year. Now a Reuters report sheds light into that. It seems that it is the work of hackers acting in the interest of the Turkish government.
Advertising
I became aware of the story here last night through the following tweet from a reporter at Reuters news agency.
A massive cyber espionage campaign, which we found so spooked US intelligence that it changed how the government handles DNS registration, was the work of hackers aligned with the Turkish government https://t.co/5jg4WFFI5W
— Chris Bing (@Bing_Chris) January 27, 2020
Reuters is now claiming to have an exclusive story, and mentioned the term "SeaTurtle" for this operation. That was the point, where something in the back of the head rang a bell.
Look back: An old blog post
I had already described the campaign, known in security circles as "SeaTurtle", in Spring 2019 in the German article Sea Turtle: Cisco Talos deckt DNS Hijacking-Kampagne auf. Cisco Talos has published details within the blog post DNS Hijacking Abuses Trust In Core Internet Service. It deals with domain hijacking attacks via DNS. And it was said that the campaign targets public and private institutions, including national security organizations, mainly based in the Middle East and North Africa. Also targets in Europe was on the agenda.
Reuters writes (after analysis of web sites) that the hackers have attacked at least 30 organizations. These include government ministries, embassies and security services, as well as businesses and other groups. Among the victims, according to Reuters, were the email services of the Cypriot and Greek governments and the Iraqi government's national security advisor.
Advertising
The campaign is expected to start as early as January 2017 and continue until the first quarter of 2019, and the Cisco Talos investigation found that at least 40 different companies in 13 different countries were at risk during the campaign. Cisco Talos is fairly certain that these attacks are being carried out by an advanced, government-sponsored actor seeking permanent access to sensitive networks and systems.
The actors behind this campaign focused on using DNA hijacking as a mechanism to achieve their goals. DNS hijacking occurs when an actor can illegally modify DNS name records to point users to servers controlled by actors. The US Department of Homeland Security (DHS) warned against this activity on January 24, 2019. An attacker can redirect users when they visit Web sites and could even obtain valid encryption certificates for an organization's domain names.
(Source: Pexels Markus Spiske CC0 License)
Reuters has new information
While Cisco Talos in his 2019 article writes only about pro-government hackers, Reuters quotes two British and one American official. According to them, the Sea Turtle cyber attacks bear the hallmarks of a state-sponsored cyber-espionage operation conducted to further Turkish interests. The sources base this conclusion on three elements:
- the identities and locations of the victims, including the governments of countries geopolitically significant to Turkey;
- similarities with previous attacks which, according to the sources, used infrastructure registered from Turkey;
- and information from confidential intelligence dossiers and assessments which Turkey probably rejects in every detail.
According to Reuters sources, it is unclear which specific individuals or organisations were responsible for the campaign. However, the sources believe that the waves of attacks were linked. Because they all used the same servers or other infrastructures.
The Turkish Ministry of the Interior declined to comment. A senior Turkish official did not directly answer questions about the campaign, but said that Turkey itself was often the victim of cyber attacks.
The Cypriot government said in a statement that "the relevant authorities were immediately aware of the attacks and made efforts to contain them". For reasons of national security, they would not comment on details.
Government sources from Athens said they had no evidence that the Greek government's email system was compromised. When I heard that sentence, I immediately thought 'hello, there was something that a blog reader from Greece told you'. Short search within my German blog revealed the article Griechenlands Top-Level Domain Registrar gehackt. There I had reported that hackers of the Sea Turtle group broke into Greece's Top-Level Domain Registrar and continued their attacks with DNS hijacking attacks. With the Greece hack, the government-sponsored group has achieved a major coup. The Iraqi government has not responded to Reuters requests. More details may be found within the Reuters article.
