“Sea Turtle” DNS hijacking campaign

Security experts warn of a new cyber threat campaign dubbed “Sea Turtle” that targets public and private organizations in the Middle East and North Africa. The campaign, which may still be ongoing, likely ran from January 2017 through the first quarter of this year.

Cisco’s Talos security team published its findings on Sea Turtle in a blog post titled ‘DNS Hijacking Abuses Trust In Core Internet Service’ on Wednesday. As part of the investigation, Talos revealed that more than 40 different entities in 13 different countries were compromised in the campaign.

Talos added that it assesses with high confidence the campaign was likely carried out by an “advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.”

In January of this year, researchers from FireEye also identified a wave of DNS hijacking attacks on domains owned by government, telecom and internet infrastructure organizations around the globe.

Talos describes the threat that such campaigns could pose in the future to the world’s “core internet” services:

We do not want to overstate the consequences of this specific campaign; we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

The attackers used DNS hijacking as a means to reach their ultimate objectives rather than as an end in itself.

DNS hijacking typically occurs when the bad actor steals credentials and then uses them to modify the DNS records of the targeted organization (for example, through its domain registrar). Once the DNS records are modified, users can be pointed to the attacker’s own infrastructure, which is used to inspect or manipulate user traffic via man-in-the-middle attacks. The ultimate objective is often to steal sensitive information, such as user credentials.
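Because the attack works by silently changing records, the defender’s counterpart is a baseline check: keep a known-good copy of the zone’s records and the delegation your registrar should be publishing, and alert on any drift. The script below is an added example written for this article, not code from Talos, FireEye or the Sea Turtle report; the record names, IP addresses (RFC 5737 ranges) and the `hijack.invalid` nameserver are constructed sample data, and the per-record-type severities are an assumption for triage, not something the report prescribes.

```python
"""Baseline monitor for DNS record tampering (added example, constructed data).

A defender keeps a known-good set of records for a zone plus the NS set the
registrar/parent should be delegating to, then compares live observations
against them. The "observed" data here is constructed inline so the example
runs offline; in production it would come from a resolver query.
"""
from dataclasses import dataclass

# Which record types a defender cares most about when they change (assumption).
# NS changes move the whole zone to someone else's servers; A/MX/CNAME changes
# redirect web or mail traffic; TXT changes can affect SPF/DMARC and validations.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high",
            "MX": "high", "CNAME": "high", "TXT": "medium"}
RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Record:
    """One DNS resource record, normalized so comparisons are case-insensitive."""
    name: str
    rtype: str
    value: str

    @staticmethod
    def make(name, rtype, value):
        rtype = rtype.upper()
        value = value.strip()
        # Hostname-valued records are compared without trailing dot or case.
        if rtype in ("NS", "CNAME", "MX"):
            value = value.rstrip(".").lower()
        return Record(name.rstrip(".").lower(), rtype, value)


def _key(r):
    return (r.name, r.rtype, r.value)


def diff_records(baseline, observed):
    """Return (added, removed): records seen now but not in the baseline, and vice versa."""
    base, obs = set(baseline), set(observed)
    return sorted(obs - base, key=_key), sorted(base - obs, key=_key)


def triage(baseline, observed):
    """Summarize drift as (worst_severity, human-readable finding lines)."""
    added, removed = diff_records(baseline, observed)
    worst, lines = "none", []
    for tag, recs in (("ADDED", added), ("REMOVED", removed)):
        for r in recs:
            sev = SEVERITY.get(r.rtype, "medium")
            if RANK[sev] > RANK[worst]:
                worst = sev
            lines.append(f"[{sev}] {tag} {r.name} {r.rtype} {r.value}")
    return worst, lines


def delegation_mismatch(parent_ns, zone_ns):
    """Nameservers that the parent/registrar delegates to but the zone itself
    does not list (or the reverse). A disagreement is a classic sign that the
    delegation was altered at the registrar rather than by the zone owner."""
    p = {n.rstrip(".").lower() for n in parent_ns}
    z = {n.rstrip(".").lower() for n in zone_ns}
    return sorted(p ^ z)


# --- constructed sample data -------------------------------------------------
BASELINE = [
    Record.make("example.org", "NS", "ns1.example.org."),
    Record.make("example.org", "NS", "ns2.example.org."),
    Record.make("www.example.org", "A", "192.0.2.10"),
    Record.make("example.org", "MX", "10 mail.example.org."),
    Record.make("mail.example.org", "A", "192.0.2.25"),
]
# What a resolver reports after a registrar-level change (constructed).
OBSERVED = [
    Record.make("example.org", "NS", "ns1.hijack.invalid."),   # delegation moved
    Record.make("example.org", "NS", "ns2.example.org."),
    Record.make("www.example.org", "A", "198.51.100.7"),       # web traffic redirected
    Record.make("example.org", "MX", "10 mail.example.org."),
    Record.make("mail.example.org", "A", "192.0.2.25"),
]
PARENT_NS = ["ns1.hijack.invalid.", "ns2.example.org."]   # as published by the parent
ZONE_NS = ["ns1.example.org", "ns2.example.org"]          # as served by the zone itself


if __name__ == "__main__":
    worst, findings = triage(BASELINE, OBSERVED)
    print(f"worst severity: {worst}")
    for line in findings:
        print(line)
    print("delegation mismatch:", delegation_mismatch(PARENT_NS, ZONE_NS))
```

Run as a scheduled job against live resolver answers, a check like this turns a registrar-level change into an alert within one polling interval; the NS and delegation comparisons matter most, since a changed delegation invalidates every other record in the zone regardless of what the zone owner publishes.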

Readers are highly encouraged to read the entire Talos report, which covers the Sea Turtle DNS hijacking methodology, hijacking activity, credential harvesting, targeted victims, mitigations and much more.
