Traffic under threat: Sea Turtle hackers are hacking the domains of individual regions

19 April 2019

A group of hackers calling themselves Sea Turtle has launched a massive DNS hijacking campaign. Cybercriminals can hijack top-level domains belonging to certain countries.

Cybersecurity experts at Talos have discovered several cases of DNS hijacking by hackers. Sea Turtle has already attacked 40 organizations, including Internet service providers, telecom companies and domain name registrars.

Experts believe the criminals' main targets are government agencies, in particular ministries of foreign affairs and defense, energy companies, and intelligence agencies. Most of the victims are in the Middle East and North Africa.

According to some reports, cybercriminals have already managed to hack the top-level domains of some regions.


American magazine Wired writes that all traffic passing through compromised domains is under potential threat.

The hackers are using DNS query hijacking, a method the article calls a proxy attack. The attackers were able to manipulate the data exchanged between the parties without their knowledge, which is how the cyberspies gained access to their victims' correspondence and traffic.

How does DNS hijacking work? When a user enters a site's address, the request goes to the DNS service, which resolves the name to a specific IP address. Hackers can break this chain and redirect the user to an IP address of their choosing.
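The resolution chain described above can be watched from the defender's side: a zone owner pins the answers they expect (the A record of a host, the NS delegation of the zone) and periodically compares what resolvers actually return against that baseline. The following script is an added example, not code from the article or from Talos; the domain names, IP addresses (RFC 5737 documentation ranges) and the dig-style answer text are constructed for illustration.

```python
"""Detect DNS answer changes that could indicate record or delegation hijacking.

Added example: compares a pinned baseline of expected records against an
observed answer section. Names and addresses below are constructed.
"""

# Constructed baseline: the records the zone owner expects to see.
BASELINE = {
    ("mail.example.test.", "A"): {"192.0.2.10"},
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

# Constructed observation in the layout of a dig(1) answer section
# (owner  TTL  class  type  rdata). The host now resolves to an address
# outside the expected set and one nameserver has been swapped out.
OBSERVED_ANSWER_SECTION = """\
;; ANSWER SECTION:
mail.example.test.   60   IN  A   198.51.100.7
example.test.        3600 IN  NS  ns1.example.test.
example.test.        3600 IN  NS  ns-rogue.attacker.test.
"""


def parse_answer_section(text):
    """Parse dig-style record lines into {(owner, type): {rdata, ...}}.

    Comment lines (starting with ';') and anything that is not a
    class-IN record line are ignored.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype = parts[0], parts[3]
        rdata = " ".join(parts[4:])  # TXT and friends may contain spaces
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def compare_snapshots(baseline, observed):
    """Return findings as (owner, type, kind, value) tuples.

    kind is "unexpected" for rdata present in the observation but not in
    the baseline, and "missing" for baseline rdata that disappeared.
    A redirected A record or a replaced NS delegation shows up as a pair
    of findings for the same owner/type.
    """
    findings = []
    for (owner, rtype), expected in sorted(baseline.items()):
        seen = observed.get((owner, rtype), set())
        for value in sorted(seen - expected):
            findings.append((owner, rtype, "unexpected", value))
        for value in sorted(expected - seen):
            findings.append((owner, rtype, "missing", value))
    return findings


def check_zone(baseline=BASELINE, answer_text=OBSERVED_ANSWER_SECTION):
    """Parse the observation and diff it against the baseline."""
    return compare_snapshots(baseline, parse_answer_section(answer_text))


if __name__ == "__main__":
    for owner, rtype, kind, value in check_zone():
        print(f"ALERT {owner} {rtype}: {kind} {value}")
```

In production the observation would come from querying several independent resolvers (and the zone's own authoritative servers) rather than a pasted string; the comparison logic stays the same, and an alert on an NS change is the signal that a registrar or registry record, not just a host, may have been altered.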

Talos expert Craig Williams says that DNS hijacking by cybercriminals undermines trust in the Web as a whole.

So far, experts have not been able to determine the geographical origin of the Sea Turtle hackers. The Armenian .am domain was found to be at risk, with Turkey, the UAE, Cyprus, Iraq, Lebanon, Syria and Armenia among the "targets".