Sea Turtle attackers breached Forth-ICS and attacked registry of '.gr' and '.el' domain names

• Attackers attacked the Internet Domain Registry of ICS-Forth in order to negatively impact the operation of the Internet Domain Names.
• The attack impacted several .gr and .el domain owners whose domain names were stored in the compromised registry.

Attackers breached the Institute of Computer Science of the Foundation for Research and Technology (ICS-Forth), the organization that manages Greece's top-level domain country codes of .gr and .el.

The big picture

Attackers attacked the Internet Domain Registry of ICS-Forth in order to negatively impact the operation of the Internet Domain Names. The attack impacted several .gr and .el domain owners whose domain names were stored in the compromised registry.

• Upon discovery, the organization launched an investigation on the incident and found out that the attack did not involve any personal data.
• ICS-Forth immediately changed the domain name authorization [.gr ] and [.el] in order to protect the recipients of the Internet names.
• It also changed the authorization codes for [.gr] and [.el] domain names.

Who is responsible for the attack?

Researchers from Cisco Talos determined that Sea Turtle hackers were responsible for the attack against ICS-Forth. This was confirmed after Cisco telemetry determined that Sea Turtle attackers maintained access to the ICS-Forth network from an operational command and control (C2) node.

Researchers also discovered a new actor-controlled nameserver, rootdnservers[.]com, that was previously used in the Sea Turtle campaign. The domain rootdnservers[.]com was registered on April 5, 2019, through the registrar NameCheap.

“The new actor-controlled name server rootdnservers[.]com was utilized to perform DNS hijacking against three government entities that all used .gr, the Greek ccTLD. It's likely that these hijackings were performed through the access the threat actors obtained in the ICS-Forth network,” the researchers wrote.

Domain owners notified about the incident

The organization notified all the impacted domain owners about the incident.

“The [.gr] and [.el] domain names registry was attacked against its information systems. This attack is part of a more general effort at the international level to negatively affect the operation of the Internet Name Registers. The investigation of the incident did not reveal any data leakage of personal data.

As part of the efforts of the [.gr] and [.el] domain name registry to ensure the integrity of its data and to protect the recipients of the Internet names, it immediately changed the domain name authorization [.gr ] and [.el].

Additionally, as a precautionary measure, as well as more generally for facilitating the beneficiaries, we will inform you that the process of changing the authorization codes for [.gr] and [.el] domain names will soon be modified.

If you wish to notify the new password or change it, you can contact your registrar,” the email notification read, Techblog reported.