ICS-Forth: more about the hack of the Greek domains .gr and .el

Some time ago we reported that ICS-Forth had been breached. It is the organisation that manages Greece's top-level domains, the familiar .gr and .el. According to the latest information from those handling the case, the hackers are backed by a state.

ICS-Forth, the Institute of Computer Science of the Foundation for Research and Technology - Hellas (FORTH), publicly acknowledged the incident in e-mails sent to domain owners on April 19th.

The group behind the breach is the one Cisco Talos described in an April report under the name Sea Turtle.

The group uses a relatively new approach to breaching targets. Instead of attacking victims directly, it compromises accounts at domain registrars or DNS providers and uses that access to change the victims' DNS settings.

By modifying DNS records, the attackers redirect traffic destined for a corporate application or e-mail service to servers they control, where a man-in-the-middle setup collects login credentials.

Image: Cisco Talos

The attacks are short-lived, lasting from hours to days, which makes them very hard to detect: most organisations do not monitor their DNS settings for changes.
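The detection gap described above (registrar- or provider-level changes to NS, A and MX records that are reverted within hours) is closed by recording the zone's answers on a schedule and diffing them against a known-good baseline. The following is an added example written for this page, not code from the article, ICS-Forth or Cisco Talos. The zone example.gr, the documentation-range IP addresses and the timestamped snapshots are all constructed for illustration; a real deployment would fill SNAPSHOTS from periodic lookups made directly at the authoritative servers and from several external vantage points.

```python
"""Baseline monitor for registrar/DNS-level hijacks of the Sea Turtle kind.

A monitoring job periodically records the NS, A and MX answers for the
names it cares about and stores them as snapshots. This module diffs
each snapshot against a known-good baseline and reports the windows in
which records deviated, so a hijack that lasts only hours still leaves
an alert behind even after the attacker restores the original records.
"""
from datetime import datetime

# Record types whose redirection puts an attacker in the path of mail,
# webmail/VPN logins, or re-delegates the whole zone to other servers.
WATCHED_TYPES = ("NS", "A", "MX")

# Constructed sample data (hypothetical zone example.gr, documentation
# IP ranges); not real observations. Keys are (record type, owner name).
BASELINE = {
    ("NS", "example.gr"): {"ns1.example.gr", "ns2.example.gr"},
    ("MX", "example.gr"): {"10 mail.example.gr"},
    ("A", "mail.example.gr"): {"203.0.113.10"},
    ("A", "vpn.example.gr"): {"203.0.113.20"},
}

# Constructed hijack: the 12 April snapshots point mail and VPN at an
# attacker-controlled address while NS and MX stay intact; the next day
# the original records are back, as in the short-lived attacks described.
HIJACKED = dict(BASELINE)
HIJACKED[("A", "mail.example.gr")] = {"198.51.100.77"}
HIJACKED[("A", "vpn.example.gr")] = {"198.51.100.77"}

SNAPSHOTS = [
    ("2019-04-10T00:00:00", BASELINE),
    ("2019-04-11T00:00:00", BASELINE),
    ("2019-04-12T00:00:00", HIJACKED),
    ("2019-04-12T06:00:00", HIJACKED),
    ("2019-04-13T00:00:00", BASELINE),
]


def diff_records(baseline, observed):
    """Return {(rtype, name): (expected, seen)} for watched records that differ.

    A record that vanished or newly appeared counts as a change too; an
    empty set marks the missing side.
    """
    changes = {}
    for key in sorted(set(baseline) | set(observed)):
        if key[0] not in WATCHED_TYPES:
            continue
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        if expected != seen:
            changes[key] = (expected, seen)
    return changes


def hijack_windows(snapshots, baseline):
    """Walk time-ordered snapshots and return one entry per contiguous run
    of deviating snapshots: (first_seen, last_seen, merged changes).

    last_seen is the last snapshot that still showed bad records, so the
    real dwell time is at least last_seen - first_seen and at most one
    polling interval longer on each side.
    """
    windows = []
    current = None
    for stamp, records in snapshots:
        when = datetime.fromisoformat(stamp)
        changes = diff_records(baseline, records)
        if changes:
            if current is None:
                current = [when, when, dict(changes)]
            else:
                current[1] = when
                current[2].update(changes)
        elif current is not None:
            windows.append(tuple(current))
            current = None
    if current is not None:  # still hijacked at the most recent snapshot
        windows.append(tuple(current))
    return windows


def format_alert(window):
    """Render a window as one alert line per changed record."""
    first, last, changes = window
    hours = (last - first).total_seconds() / 3600
    lines = [f"DNS deviation {first.isoformat()} .. {last.isoformat()} "
             f"(seen for at least {hours:g} h)"]
    for (rtype, name), (expected, seen) in changes.items():
        lines.append(f"  {rtype} {name}: expected {sorted(expected)}, "
                     f"saw {sorted(seen)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for window in hijack_windows(SNAPSHOTS, BASELINE):
        print(format_alert(window))
```

Two design points matter in practice. The baseline must be approved out of band (a change ticket, not "whatever the zone served last week"), otherwise a hijack that survives one polling cycle silently becomes the new normal. And the polling interval bounds what you can see: with daily snapshots a six-hour hijack may fall entirely between two checks, so the interval has to be shorter than the dwell time you expect to catch.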

Reports on this group's activity have been published over time by FireEye, CrowdStrike and Cisco Talos. FireEye attributed the attacks to the Iranian government, while CrowdStrike and Cisco Talos have so far refrained from linking them to any government. The US Department of Homeland Security (DHS) and the UK National Cyber Security Centre (NCSC) have also issued alerts about the group's tactics.

According to these reports, Sea Turtle typically compromises accounts at domain registrars and DNS providers, and only then picks out the accounts that belong to its intended targets.

In its first post, the Cisco Talos team reported that Sea Turtle had compromised NetNod, an internet exchange operator based in Sweden that provides DNS services to ccTLD operators, among them the Greek ICS-Forth.

The breach at ICS-Forth is still shrouded in mystery

Now, in a post published today, Talos researchers say the Sea Turtle hackers did not leave ICS-Forth's network quickly.

Talos researchers have no details on what the hackers did inside ICS-Forth's network after gaining access to its systems, so it is not known which domains had their DNS settings changed.

What Talos does say is that the hackers retained access for another five days after ICS-Forth announced the incident.

The attack on ICS-Forth was not Sea Turtle's only recent one. Talos said it had also identified new victims in countries including Sudan, Switzerland and the United States.

These targets, whose DNS settings were modified so the hackers could intercept traffic and harvest user credentials, include government organisations, companies, think tanks, international non-governmental organisations and at least one airport.

iGuRu.gr
Written by giorgos