Research Saturday 5.4.19
Ep 84 | 5.4.19

Sea Turtle state-sponsored DNS hijacking


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Craig Williams: [00:01:52] So we've been watching, you know, DNS redirection campaigns since November of last year. We were the first company to post about DNSpionage and really notice these campaigns.

Dave Bittner: [00:02:02] That's Craig Williams. He's the Director of Outreach at Cisco Talos. The research we're discussing today is, "Sea Turtle: DNS Hijacking Abuses Trust in Core Internet Service."

Craig Williams: [00:02:13] You know, the way I tried to explain it to my wife was basically, like, you know, imagine, you know, when you first see a car, of course every car looks alike. Right? But the more you learn about them, and the more you learn about the models and the different kinds, well, all of a sudden, you're not just looking at cars, you're looking at minivans, you're looking at sports cars, you're looking at convertibles, and you notice things like different colors in the paint, and different types of mirrors, and different types of wheels. And so, really, that's what our intelligence allowed us to start to distill down.

Craig Williams: [00:02:41] And when it came down to it, we were able to definitively identify at least two different groups operating in a similar manner. And, you know, I want to be really clear here, because I've seen a lot of - I don't want to say bad reporting - but like, people who don't have enough detail to say the things that they're saying, and they want to combine these groups together. Now, the reason they want to do that is because some of our competitors basically grouped the IOCs together - which was completely understandable, right? Without the insight that we provided in the write-up, these groups could look similar to you. So we're not even saying they're wrong, we're just saying that when you look deeper, you do see definitive differences.

Dave Bittner: [00:03:18] Hmm.

Craig Williams: [00:03:19] And so, I think it's important that people actually read the post and don't just throw out, it's one group and we like it being one group. You know, it's nice when things fit in buckets in life, and I understand that everyone would like to have one bucket with all the bad things in it, but the reality is that's not how cybercrime works. Right? Attackers watch each other, they copy each other's methodologies, and they improve upon it. And what we see with Sea Turtle is really a distinct set of TTPs that's more advanced and much harder to detect than what we saw with the DNSpionage campaign.

Dave Bittner: [00:03:53] So, let's start off from the very top. I mean, in your research here, you start off describing this as a state-sponsored attack manipulating DNS systems. What leads you to believe it's state-sponsored?

Craig Williams: [00:04:06] Well, there's a couple of things. I think the primary one is the sophistication, right? The way that this attack was designed was basically almost undetectable to the target. The second one I think is really, who did they target? Right, with DNSpionage, we saw civilian, business, government targets all bundled together, right? A real grab bag-style approach. With Sea Turtle on the other hand, we see very, very different set of targets. These targets are pretty much exclusively national security, government, and military, right? So, when you look at it from that perspective, it really comes off as a pure espionage play, as opposed to one that maybe was targeting intellectual property and whatever else they could find.

Dave Bittner: [00:04:50] So, before we dig into some of the details of Sea Turtle, can you give us a quick overview - what exactly are we talking about with DNS hijacking?

Craig Williams: [00:04:58] Sure. So, (Laughs) in the post, we have a nice simple eleven-stage graphic you can follow along with...

Dave Bittner: [00:05:04] (Laughs)

Craig Williams: [00:05:04] (Laughs) So, you know, this was a long campaign. So I don't want to pretend that there was like a - this happened, this happened, this happened, this happened. It was more of phases of the attack, which is why we attempted to break that down in our graphic. So, you know, the stage one of the attack is basically the attacker gaining access to an entity. And that could be a registrar, that could be a hosting provider, but a company that could allow them access to a way to update where the DNS registry pointed.

Craig Williams: [00:05:34] And so, they would compromise that facility, they would obtain credentials, they would use that to exfiltrate data - basically more credentials - and then update the DNS record. And once they had the DNS record updated through the update command, basically, they would redirect the domain to their name server. So again, another distinct difference from DNSpionage. DNSpionage would compromise name servers; Sea Turtle used their own name servers.

Craig Williams: [00:06:05] And so, think about how this looks, right? So basically, you find a way to compromise the registry, and basically access it and send the update command. You point it at the attackers' server. The attackers' name server then provides the look-up, and points at their man-in-the-middle server.

Dave Bittner: [00:06:22] Mm-hmm.

Craig Williams: [00:06:23] At no point in time would the actual target see any of this. So, this is basically attacking in a roundabout way that's literally going to bypass the target, and yet still provide you all that nice man-in-the-middle information you want.

Dave Bittner: [00:06:37] Now, when you say "target," is the target the original owner of the site that's being redirected, or is it the users of that site?

Craig Williams: [00:06:47] I would say both. Right?

Dave Bittner: [00:06:49] Okay.

Craig Williams: [00:06:49] So, let's say I'm a foreign government, right?

Dave Bittner: [00:06:51] Yeah.

Craig Williams: [00:06:51] And let's say I would really like to spy on, you know, countries nearby. Right?

Dave Bittner: [00:06:56] Okay.

Craig Williams: [00:06:56] Let's say I want to get into their national security organizations, and I want to be able to access their confidential information so that if there's anything I need to be aware of, I can access that just pretty much whenever I want. So, you know, I would go to, you know, whatever the country code is, I would look up their national security agency domain, then I would figure out, oh, that's registered over at this provider that I happen to be able to access. Well, let me send the update command and let me point that domain to me, and then when the DNS lookup comes in, it goes to my server. My server then says, oh, my other server over here, that happens to look just like that national security organization's website is right here. Feel free to log in.

Craig Williams: [00:07:33] And they'll do this for a few minutes, or a day - collect credentials. And in some cases, we even saw them using those collected credentials to go back to the target server, access it, and then take out credentials in order to steal things like SSL certs and other encryption keys, so that if they wanted to impersonate, say, the VPN, it would look legitimate.

Dave Bittner: [00:07:54] Yeah, let's dig into that a little bit. I mean, because, I guess - is there a false sense of security with some of these certificates?

Craig Williams: [00:08:02] Well, so I think the problem here is that, you know, people have an implicit trust of DNS, right? Now, when we looked at DNSpionage, they were only using self-signed certificates, right? And so if you looked at your browser window, the little lock wouldn't look right, and you should be like, hmm, do I really want to enter my password?

Dave Bittner: [00:08:19] Right.

Craig Williams: [00:08:21] Now, the reality is nobody checks that. Right? Like, maybe there's eleven of us.

Dave Bittner: [00:08:24] (Laughs) Right.

Craig Williams: [00:08:26] (Laughs) But it's not common. And so, I think what we saw with Sea Turtle was the sophistication to not only try to bypass that, but to also make sure that they could access any traffic that should have been encrypted. Right? And so, you know, it's a next level of sophistication. And again, they didn't do this all the time, but we did see it, and I think it's an example of how sophisticated this can be. And if you look at the number of areas attacked, right? I mean, it was a very specific group.

Craig Williams: [00:08:56] You know, and even recently, there was a post over the weekend about the Greece ccTLD being targeted. So, this isn't stopped. And this is one of the things that I think is the most fascinating about this. I would say, like, what, ninety-five-plus percent of nation-state attacks - well, the second any of those IOCs become public, they tend to stop.

Dave Bittner: [00:09:16] Mm-hmm.

Craig Williams: [00:09:16] Right? And we can look back at things like a VPNFilter, you know, things like NotPetya. Once it became public, or once the thing happened, they stopped. Right? We know for a fact that when our DNSpionage write-up went out, some of our competitors grouped some of these IOCs together, and effectively showed off pieces of the Sea Turtle campaign without knowing what they'd actually found.

Dave Bittner: [00:09:40] Hmm.

Craig Williams: [00:09:40] Now, think about that from the APT perspective, right? I, as a country attacking other nation-states, just had, you know, my campaign revealed, and it was misattributed to another country.

Dave Bittner: [00:09:52] Hmm.

Craig Williams: [00:09:53] It's basically like giving them a get-out-of-jail-free card, right?

Dave Bittner: [00:09:56] Right, that's a good day for me.

Craig Williams: [00:09:58] Yeah, that's a great day, right? I just go change my TTPs, I come back in a week, and I can continue on. Meanwhile, everything I've done up until this point, I just got a pass on.

Dave Bittner: [00:10:08] Hmm.

Craig Williams: [00:10:08] Now, the weird part here is they didn't stop and they didn't change.

Dave Bittner: [00:10:11] So there's a brazenness to this?

Craig Williams: [00:10:13] Absolutely, and it's something that we don't see every day. So it's concerning when you look at it from that perspective, because it really leaves you with the thought of, what would it take to dissuade this actor?

Dave Bittner: [00:10:25] Right.

Craig Williams: [00:10:25] Because we can't allow people to attack things like DNS. Right? We can't allow countries to wipe other countries off the Internet.

Dave Bittner: [00:10:34] Mm-hmm.

Craig Williams: [00:10:35] You know? I mean...

Dave Bittner: [00:10:35] Well, yeah, I mean, to that point, just this morning as we record this, there was a story from CyberScoop that Admiral Robert Strayer from - he's a deputy assistant secretary of state. He said that "one of the norms is disrupting physical infrastructure providing services to the public, and I think that fully encapsulates the Internet's DNS function."

Craig Williams: [00:10:57] Absolutely. And that kind of thing should be off limits. Right? We don't condone people carpet bombing cities. You know, that's clearly off limits.

Dave Bittner: [00:11:07] Mm-hmm.

Craig Williams: [00:11:07] And I think we need to reach a point where we all agree that there are things - because the Internet is such a driver of the global economy - that should be off limits. You shouldn't be able to tamper with an entire country's DNS. Right? If nation-states want to spy on each other, we all know that's going to happen. But let's agree that if you're going to spy on each other, do so in a way that it doesn't damage the fundamental trust in DNS which could affect global economies.

Dave Bittner: [00:11:31] Let me ask you about that, because if I'm running a man-in-the-middle here - let me play devil's advocate - if I'm running the man-in-the-middle here, and the folks who are going to use this service are able to still use - log onto this website and do the things that they want to do, in the ways that they do them, how is this monkeying with DNS really breaking anything? Do you follow my line of thinking there?

Craig Williams: [00:11:57] Well, absolutely. Well, let's think about most users use passwords. Right? (Laughs)

Dave Bittner: [00:12:01] Yeah.

Craig Williams: [00:12:01] You know, how many passwords do you think your mom has?

Dave Bittner: [00:12:03] Oh... (Laughs)

Craig Williams: [00:12:04] You can see my point.

Dave Bittner: [00:12:08] Yes. I think you can hear the answer...

Craig Williams: [00:12:10] (Laughs)

Dave Bittner: [00:12:10] ...In my exasperated sigh. Yeah.

Craig Williams: [00:12:12] You know, and so, you know, when I - I got a lot of critical feedback on this one. More so than usual...

Dave Bittner: [00:12:18] Really?

Craig Williams: [00:12:17] ...Because people have very strong emotions around DNS.

Dave Bittner: [00:12:21] Yeah.

Craig Williams: [00:12:22] And so, one of the things we suggested was like, if your registrar allows it, you know, turn on a registry lock. It is the same advice we gave back when Kaminsky was talking about the DNS cache poisoning. And I had somebody, you know - I don't know, maybe frustrated or angrily - tell people that that's just a Band-Aid. And my response was like, so what? Right? Like, if I'm bleeding out of my arm, wouldn't I rather put a Band-Aid on it than just let dirt and gunk get in there and get all infected?

Dave Bittner: [00:12:49] Hmm.

Craig Williams: [00:12:49] You know, we're not saying that there's a perfect solution here. We're saying there's a series of things that you can do - let's call it first aid - that will help. Right? It may not solve the solution, right? If somebody decides to chop your arm off, yeah, a Band-Aid's not really gonna help. But if they're just collecting, you know, tiny cuts - yeah, maybe it'll help. So, you know, I think there's a couple of things to do, right? The first one is just simply patch. You know, we listed a list of CVEs that we know this actor was using to compromise systems in order to update records.

Dave Bittner: [00:13:19] Mm-hmm.

Craig Williams: [00:13:18] Patching those is easy. Right? Now, the second thing - let's assume this is a sophisticated actor, right? They're going to find a way in. They're just going to, from what we've seen. They're very tenacious. So, okay, let's assume they can get in. Well, what can you do? Well, I think the first thing is have two-factor authentication turned on. Right? I mean, in this day and age, you need two-factor authentication to log into Twitter and Facebook from different computers. Right?

Dave Bittner: [00:13:42] Right.

Craig Williams: [00:13:43] That's great. Everybody knows how to use it now. My mom can use two-factor. So if you haven't turned on two-factor, particularly if you're a TLD that doesn't support registry locks or things like that, or maybe you have a really, really simple and easy to bypass one where you just click a button, you know, or you can allow somebody to just turn it off from logging in - yeah, turn on two-factor. There's no reason not to anymore. It's pretty cheap. You know, you can probably do it for free with Google Authenticator or, you know, let me plug - shell out lots of money for Duo, because it's the best and it's super cool.

Dave Bittner: [00:14:15] (Laughs) Okay, Craig.

Craig Williams: [00:14:18] (Laughs) But, you know, there's things like that, that are not hard to do, and it's relatively easy. You know, I - you know, I'm saying this with two of the CVEs being Cisco CVEs - but, you know, I know updating a switch sucks. It's not fun, right? But do so. Please.

Dave Bittner: [00:14:35] Well, let me continue down this path of being devil's advocate though, because I think, using the analogy of, you know, carpet bombing neighborhoods, or like, I think of like shutting down a hospital - you know, we generally agree that hospitals are off limits. But it seems to me that in this case, the monkeying that they're doing with DNS in this case isn't taking sites offline. They're using it as a means to get the information they want, rather than being an agent of destruction or chaos.

Craig Williams: [00:15:05] Correct. Right now, they are being downright surgical.

Dave Bittner: [00:15:09] Mm-hmm.

Craig Williams: [00:15:10] Now, what do we know about attacks on the Internet, right? I would argue every single time someone finds a clever way to string together attacks to accomplish a goal, every bad guy - you know, it's that turn-your-head meme and whistle, or whatever - every bad guy sees that, and is like, man, I'd really, really love to do that, to blah blah blah blah.

Dave Bittner: [00:15:28] Mm-hmm.

Craig Williams: [00:15:28] And so, our concern here is that, right now, this actor is being surgical. What happens when they decide not to be? What happens when they decide to, say, you know, take Syria off the Internet? Right?

Dave Bittner: [00:15:41] Right.

Craig Williams: [00:15:41] Or what happens when somebody tries to copycat this, only they're not as sophisticated, and they accidentally end up erasing a bunch of stuff at a registry, or just knocking over servers or, you know, who knows? Right? There's a lot of ways this could go wrong accidentally. There's a lot of ways this could be abused to take entire ccTLDs and things like that offline. There's a lot of ways - I mean, you know, imagine if you just went in and updated random records to random websites, just to cause chaos.

Dave Bittner: [00:16:09] Right.

Craig Williams: [00:16:09] I mean, there's a lot of really bad stuff this actor could have done if they wanted to be destructive, and they didn't. So, we know right now that this actor is basically executing on a mission, and that mission appears to be very specific right now. Now, the concern is, what happens if that mission statement changes, and what happens when somebody else copies this methodology to accomplish different missions?

Dave Bittner: [00:16:33] Mm-hmm.

Craig Williams: [00:16:32] And the other interesting thing to notice is, if you look at the things that were hijacked - like with the, you know, the Swedish consulting firm - they hijacked the mail subdomain. Right?

Dave Bittner: [00:16:46] Mm-hmm.

Craig Williams: [00:16:46] And so obviously you're thinking, why would they do that? Oh right. Because it would pass the passwords most likely in the clear. The same reason they target the VPN endpoints. This actor is targeting credentials, because that will give them access to the actual national security service servers, and then presumably they go back to that whole espionage thing. So, right now it's surgical.

Dave Bittner: [00:17:08] Mm-hmm.

Craig Williams: [00:17:07] It doesn't have to stay that way.

Dave Bittner: [00:17:11] So, in terms of coming at this, I mean, it strikes me that obviously you have - preventing them from being able to do this, and this is what we've just talked about - using multi-factor, using, you know, locking down your DNS records - is the other half of that political, of establishing social norms? I mean, do we have treaties for cyberspace, where we say, these are the things we will not do?

Craig Williams: [00:17:37] I think we've got to start considering that. You know, I think we're clearly seeing nation-state attacks escalate against other nation-states. We've clearly seen a trend of certain actors who don't play well on the Internet not care if they cause, say, the Olympics to go down, or entire countries to be wiped off the Internet. That can't be acceptable. Right? We've got to find a way to send a message, without destroying innocent bystanders.

Dave Bittner: [00:18:06] Obviously this is a sophisticated group, but like you said, the methods here would be accessible to, you know, the script kiddie in their basement who could inadvertently cause a lot of damage. And I suppose that's part of the issue here, is that there's a capability to be disproportional in the amount of damage you can cause, relative to your, I guess, skill level.

Craig Williams: [00:18:32] Absolutely. You know, and unfortunately, yesterday, when we released the Karkoff malware update for DNSpionage, we did tie it back to the APT34 dump with some tools that would allow someone to do simplistic hijacking. Again, we don't believe that that's linked to Sea Turtle, but we've already seen tools that are similar to what was used in the Sea Turtle campaign leaked publicly, as of last week. So, I think this type of abuse is only going to continue. I think, you know, as people in the security industry, we've got to sit back and realize DNS is not as secure as we'd like. And then with that in mind, let's start figuring out what Band-Aids we have available and where we can put them, and then figure out what are the other risks, and start taking steps to mitigate those.

Dave Bittner: [00:19:19] Does this prompt a fundamental relooking at how DNS works and how we can better secure it? Or is it too late to graft on new security measures?

Craig Williams: [00:19:30] (Laughs) You know, grafting on security after the fact is always super successful.

Dave Bittner: [00:19:33] Well, I know. (Laughs)

Craig Williams: [00:19:36] (Laughs) I think it's always good to sit back and take another look. Right?

Dave Bittner: [00:19:39] Yeah.

Craig Williams: [00:19:39] We learn new things and we see new clever ways to manipulate things all the time. And so, I think, you know, yeah. Let's sit back and look at DNS, you know, think about, can we improve anything here? Can we bolt on security? Right? And if we can, and we can improve something, that would be great. You know, I think we've gotta though at the same time realize that maybe we can't bolt on more security. So what could we do around this to help secure it? Right? Like, what other options do we have available? I think you've really got to look at it from all angles, because a lot of the time when you see people abuse these type of things, you don't notice all the potential avenues for abuse. And I think really the only thing that really reveals those is time.

Craig Williams: [00:20:18] I mean, if we look back at - you know, I hate to pick on Microsoft, but if we look back on MSRPC and SMBv1, I mean, for a period of years, we would see a new way to abuse it or evade it just about every six months. Right? I remember being able to take a Metasploit attack that would be like a 2K pcap, and you could literally fragment it until the connection would almost timeout. I mean you could end up with hundreds of megs of a single attack.

Dave Bittner: [00:20:43] So, I mean, in terms of the big picture, in terms of the take-homes and actions people should be taking to protect themselves, what are your recommendations?

Craig Williams: [00:20:53] Well, I think the first thing is to figure out, you know, are you potentially the target of a nation-state actor that wants to have - continue their espionage activities in Northern Africa or the Middle East? If you are, you should immediately turn on two-factor authentication, and do a site-wide password reset.

Craig Williams: [00:21:08] I think the second thing everyone needs to do is make sure that their infrastructure is patched. Go talk to their providers, go talk to the people who they buy their domains from, and make sure that those systems are patched. Make sure that if you can turn on things like a registry lock and ensure out-of-bands communications, you do so. You know, go make sure that you're using two-factor on those sites, that you're using unique passwords everywhere you can.

Craig Williams: [00:21:30] And realize that, hey, my domain might get hijacked - can I detect that? Do I have the tools in place to detect that? Do I have a system to tell me if someone starts generating self-signed certificates and is using it around the Internet, you know, representing me?

Craig Williams: [00:21:44] And so, look for things like that. Think out of the box. And I think, really, it's going to come down to, you know, are you potentially the target of a nation-state attack? You know, nation-state attacks don't typically target Steve's website, right?

Dave Bittner: [00:21:57] Mm-hmm.

Craig Williams: [00:21:57] Or home hobbyists. These are going to be large corporations, or government or military entities. I think people need to realize that this actor is not stopping. This is going on today. I think this will continue to go on. I think, while people would love to group it into one thing, we're going to continue to see other attackers adopt these methodologies because they're so effective. So I would urge people to keep an open mind and not jump at attribution. It's easy to plant false flags, you know, and I think attribution really is something that needs to be done carefully.

Dave Bittner: [00:22:31] Our thanks to Craig Williams from Cisco Talos for joining us. The research is titled, "Sea Turtle: DNS Hijacking Abuses Trust in Core Internet Service." We'll have a link in the show notes.

Dave Bittner: [00:22:42] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:22:53] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:22:59] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical editor, Chris Russell. Our staff writer is Tim Nodar. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.