ICS-Forth, an organisation that manages large Greek domain names, has been the victim of a hack. The hackers behind the attack belong to a group that Cisco Talos described in April: Sea Turtle.

ICS-Forth acknowledged the security incident in e-mails that it sent to domain owners on 19 April, according to ZDNet. It is possible that the attacks were sponsored by a foreign state.

The hacker group, Sea Turtle, uses a fairly new way of attacking targets. Rather than going after its victims directly, it tries to gain access to the accounts those victims hold with domain administrators and managed DNS providers. The attackers then change the company's DNS settings.

That way, the hackers can redirect traffic intended for a company's legitimate apps or webmail services to cloned servers. On those servers they carry out man-in-the-middle attacks and intercept login data. The attacks are often short in duration and go unnoticed, because companies do not pay attention to changes in their DNS settings.
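Because the changes are brief and nobody is watching the records, one defensive check is to poll the records that matter and compare each answer with a known-good baseline. The sketch below is an added example, not code from the article or from the Talos report; the domain names, addresses, baseline and poll data are all constructed for illustration.

```python
from datetime import datetime

# Constructed baseline (assumption): the records the organisation expects to see.
GOOD_NS = {"ns1.dns-provider.example", "ns2.dns-provider.example"}
BASELINE = {("example.org", "NS"): GOOD_NS, ("mail.example.org", "A"): {"192.0.2.10"}}

# Constructed hourly resolver polls: (timestamp, name, record type, answer set).
OBSERVATIONS = [
    ("2019-04-01T00:00", "example.org", "NS", GOOD_NS),
    ("2019-04-01T00:00", "mail.example.org", "A", {"192.0.2.10"}),
    ("2019-04-01T01:00", "example.org", "NS", {"ns1.rogue.example"}),
    ("2019-04-01T01:00", "mail.example.org", "A", {"198.51.100.7"}),
    ("2019-04-01T02:00", "example.org", "NS", {"ns1.rogue.example"}),
    ("2019-04-01T02:00", "mail.example.org", "A", {"198.51.100.7"}),
    ("2019-04-01T03:00", "example.org", "NS", GOOD_NS),
    ("2019-04-01T03:00", "mail.example.org", "A", {"192.0.2.10"}),
]


def deviation_windows(observations, baseline):
    """Return (name, rtype, unexpected values, first seen, last seen) for each
    contiguous run of polls whose answer held values outside the baseline."""
    windows, open_runs = [], {}
    for ts, name, rtype, values in sorted(observations, key=lambda o: o[0]):
        key = (name, rtype)
        if key not in baseline:
            continue  # not a record we track
        when = datetime.fromisoformat(ts)
        unexpected = frozenset(values - baseline[key])
        run = open_runs.get(key)
        if run and run[0] != unexpected:
            # The answer reverted or changed again: close the run.
            windows.append((name, rtype, sorted(run[0]), run[1], run[2]))
            del open_runs[key]
            run = None
        if unexpected:
            open_runs[key] = (unexpected, run[1] if run else when, when)
    # Runs still open at the end of the data are reported as ongoing deviations.
    for (name, rtype), run in open_runs.items():
        windows.append((name, rtype, sorted(run[0]), run[1], run[2]))
    return windows


if __name__ == "__main__":
    for name, rtype, values, first, last in deviation_windows(OBSERVATIONS, BASELINE):
        # The real window is bounded by the poll interval on either side.
        print(f"{name} {rtype} -> {values} seen {first} to {last} ({last - first})")
```

A change that reverts within hours, as in the constructed data, shows up as a closed window; the polling interval sets the shortest redirect that can be caught.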

Hacking Providers

Typically, the Sea Turtle group attacks accounts with domain administrators and DNS providers, accounts that belong to its targets. But the group has also attacked a full service provider before, in order to change the DNS settings of a company it had in mind.

This was NetNod, an Internet exchange node in Sweden. NetNod also offers DNS services for ccTLD organisations, such as ICS-Forth. By hacking NetNod, the group was able to adjust DNS settings for sa.dnsnode.net. This allowed them to steal the login details of administrators who manage domains with the Saudi Arabia TLD.

The group has now carried out a similar attack, this time against ICS-Forth. Talos security researchers have described the attack in a report. Unfortunately, no details are known about what the hackers did on the ICS-Forth network after they gained access.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.