Adversaries with Turkish Nexus Responsible for Cyber Attacks Targeting Europe and the Middle East
A series of cyber attacks beginning in early 2018 and continuing through 2019 are believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected by the operations, ranging from government ministries and agencies, private industry, and other groups:
According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.
The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.
The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.
What techniques did these purported nation state threat actors leverage?
The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.
By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.
Essentially, the initial goal of the threat activity was credential harvesting. If you are unfamiliar with the term, it is the act of tricking unsuspecting users to input their login credentials into a fraudulent web site or application. It usually starts off with a phishing email directing users to visit a web site which appears to be one the victim legitimately uses, asking them to login, and then storing the credentials for use in a later operation.
Once the attackers had amassed enough credential data, knowing average users often use the same password across multiple logins, the adversaries could then attempt to breach personal accounts - such as Twitter, Facebook, Gmail, and more - as well as their official government or business accounts. The latter being the crown jewels, although the personal accounts may also lead to additional opportunistic, targeted attacks.
What I find most alarming is certain DNS top-level domain providers were breached. The actual DNS servers themselves do not appear to have been affected but a number of organizations controlling them were compromised. Those organizations should know better, and have implemented better security controls, and security awareness.
This demonstrates how anyone can be the victim of a cyber attack.