“Sea Turtle” redirects legitimate websites to attack the core of the internet

A new cyber threat campaign was discovered by TALOS – the security and intelligence group that creates threat intelligence for CISCO. The campaign threats both private and public entities, including national security organizations. According to TALOS’ experts, at least 40 organizations from 13 countries were compromised due to this attack. They believe that through this activity, the initiator was seeking to access sensitive networks and systems. Of course, as you are probably a user of Bit Guardian Web Safe (available for Mac), you are safe, but you still need to be informed.

The attackers used a DNS (Domain Name System – the system that converts the names of any website into the IP address of that webpage) hijacking mechanism in order to guide users to the servers they control. The first alert on this attack was issued in January. According to TALOS, there were two different groups of victims:

1. The primary victims were national security organizations, ministries of foreign affairs and important energy organizations. In order to obtain access, the attackers targeted entities that provide services for these organizations.

2. DNS registrars, telecom companies and internet providers.

The Sea Turtle campaign is considered to be more dangerous than the DNSpionage, reported in November 2018, as it is targeting various DNS registrars and registries.

Based on this conclusion, CISCO encourages all organizations to take the necessary steps for minimizing the possibility of malicious actors to duplicate this method, as the attackers are considered to be very sophisticated.

The attackers established means to control the DNS records of the targets, then modified them to direct the users to the servers they controlled and then stole the usernames and passwords when the legitimate users interacted with the servers controlled by hijackers.