The actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. One of their targets was ICS-Forth, the organization that operates the Greek country-code top-level domain (ccTLD) .gr.
Many threat actors slow down once they have been discovered; this group is unusually brazen and is unlikely to be deterred going forward. Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network through an operational command and control (C2) node. Analysis of that C2 node showed it had also been used to access an organization in Syria that had previously been redirected through the actor-controlled name server.
Evidence indicates that the threat actors researched the open-source tool PHP-Proxy, and that from the same C2 node they searched for both blog.talosintelligence.com and ncsc.gov.uk. According to sources, the actors behind Sea Turtle have also been using another DNS hijacking technique.
This technique involves modifying the target domain’s name server (NS) records so that legitimate users’ resolvers are directed to an actor-controlled name server. For a short period, the actor-controlled name server and the hijacked hostnames both resolved to the same IP address. One of the hijacked hostnames referenced an email service, so the threat actors presumably harvested user credentials from the redirected logins. What makes this technique extremely difficult to track is that the actor-controlled name servers were not reused across targets: every entity hijacked this way had its own dedicated name server hostname and its own dedicated IP address, so there is no shared infrastructure indicator to pivot on from one victim to the next.
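The three observable traits of that technique (an NS set that drifts from its known-good baseline, an NS hostname that briefly shares an IP address with a hostname inside the zone it serves, and an NS hostname that serves exactly one zone) can each be checked against passive DNS data. The script below is an added example written for this page, not code from Cisco or from the reporting it summarizes. It runs over a constructed passive-DNS snapshot using reserved .test names and documentation IP ranges; the zone names, IPs, dates and the baseline NS set are all assumptions made for illustration.

```python
"""Flag zones showing the Sea Turtle-style NS-hijack signature in passive DNS.

Signals checked:
  1. NS drift: a zone's observed NS hostnames include one absent from a
     known-good baseline (the hijack itself).
  2. Shared IP: an NS hostname and a hostname inside the zone it serves
     (e.g. the zone's mail host) resolved to the same IP at overlapping times.
  3. Dedicated NS: the new NS hostname serves exactly one zone.
All records below are constructed sample data, not real observations.
"""
from collections import defaultdict
from datetime import date

# (rrname, rrtype, rdata, first_seen, last_seen) - constructed sample data.
# example.test is the victim: its NS set was swapped for a dedicated rogue
# name server that briefly shared an IP with the victim's mail host.
RECORDS = [
    ("example.test", "NS", "ns1.legit-dns.test", date(2018, 1, 1), date(2019, 3, 3)),
    ("example.test", "NS", "ns2.legit-dns.test", date(2018, 1, 1), date(2019, 3, 3)),
    ("example.test", "NS", "ns.rogue-host.test", date(2019, 3, 4), date(2019, 3, 6)),
    ("ns.rogue-host.test", "A", "203.0.113.10", date(2019, 3, 4), date(2019, 3, 6)),
    ("mail.example.test", "A", "198.51.100.25", date(2018, 1, 1), date(2019, 3, 3)),
    ("mail.example.test", "A", "203.0.113.10", date(2019, 3, 5), date(2019, 3, 6)),
    ("mail.example.test", "A", "198.51.100.25", date(2019, 3, 7), date(2019, 6, 1)),
    # Control zone with stable name servers shared with other customers.
    ("other.test", "NS", "ns1.legit-dns.test", date(2018, 1, 1), date(2019, 6, 1)),
    ("other.test", "NS", "ns2.legit-dns.test", date(2018, 1, 1), date(2019, 6, 1)),
    ("ns1.legit-dns.test", "A", "192.0.2.1", date(2018, 1, 1), date(2019, 6, 1)),
    ("www.other.test", "A", "192.0.2.50", date(2018, 1, 1), date(2019, 6, 1)),
]

# Known-good delegation per zone (assumed; in practice taken from the
# registrar account or an earlier snapshot).
BASELINE_NS = {
    "example.test": {"ns1.legit-dns.test", "ns2.legit-dns.test"},
    "other.test": {"ns1.legit-dns.test", "ns2.legit-dns.test"},
}


def _overlaps(a, b):
    """True if two (first_seen, last_seen) windows intersect."""
    return a[0] <= b[1] and b[0] <= a[1]


def in_zone(name, zone):
    """True if name is the zone apex or a name beneath it."""
    return name == zone or name.endswith("." + zone)


def ns_drift(records, baseline):
    """Zone -> set of observed NS hostnames that are not in the baseline."""
    seen = defaultdict(set)
    for name, rtype, rdata, _, _ in records:
        if rtype == "NS":
            seen[name].add(rdata)
    drift = {}
    for zone, hosts in seen.items():
        extra = hosts - baseline.get(zone, set())
        if extra:
            drift[zone] = extra
    return drift


def zones_served_by(records):
    """NS hostname -> set of zones that delegate to it."""
    served = defaultdict(set)
    for name, rtype, rdata, _, _ in records:
        if rtype == "NS":
            served[rdata].add(name)
    return served


def shared_ip_findings(records):
    """(zone, ns_host, hostname, ip) tuples where an NS host and an in-zone
    hostname resolved to the same IP during overlapping time windows."""
    a_recs = [(n, ip, (f, l)) for n, t, ip, f, l in records if t == "A"]
    out = []
    for zone, rtype, ns_host, f, l in records:
        if rtype != "NS":
            continue
        # IPs the NS host had while it was actually delegated to.
        ns_ips = [(ip, w) for n, ip, w in a_recs if n == ns_host and _overlaps(w, (f, l))]
        for host, ip, w in a_recs:
            if not in_zone(host, zone) or host == ns_host:
                continue
            for ns_ip, ns_w in ns_ips:
                if ip == ns_ip and _overlaps(w, ns_w):
                    out.append((zone, ns_host, host, ip))
    return out


def suspect_zones(records, baseline):
    """Combine the three signals into zone -> list of human-readable findings."""
    findings = defaultdict(list)
    served = zones_served_by(records)
    for zone, new_ns in ns_drift(records, baseline).items():
        for ns in sorted(new_ns):
            findings[zone].append(f"NS drift: {ns} not in baseline")
            if served[ns] == {zone}:
                findings[zone].append(f"dedicated NS: {ns} serves only this zone")
    for zone, ns_host, host, ip in shared_ip_findings(records):
        findings[zone].append(f"shared IP: {ns_host} and {host} both resolved to {ip}")
    return dict(findings)


if __name__ == "__main__":
    for zone, notes in suspect_zones(RECORDS, BASELINE_NS).items():
        print(zone)
        for note in notes:
            print("  -", note)
```

Run stand-alone, it reports only example.test, with all three findings; other.test, whose name servers are shared with another zone and never changed, produces none. Because the rogue name server is never reused, the shared-IP and dedicated-NS checks have to be run per zone rather than by searching for a known-bad hostname or IP, which is exactly why the page calls this technique hard to track.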