Web application security experts claim that a group of government-sponsored hackers broke into the computer systems of ICS-Forth, the organization responsible for managing domain codes in Greece. The Institute of Computer Science from the Foundation for Research and Technology (ICS-Forth) acknowledged the security incident, notifying .gr and .el web domain owners via email.
The hacker group behind this attack has been identified as Sea Turtle; the cybersecurity community has reported the activities of this group on several occasions. This group has developed a hacking approach beyond the usual because, instead of selecting victims, they focus on attacking the records of web domains and DNS providers, from where they can make some modifications to the DNS settings of a target company.
According to web application security experts, modifying DNS records for internal servers, threat actors redirect traffic destined to legitimate applications of a company or email providers to clone servers and perform Man-in-The-Middle (MiTM) attacks or intercept login credentials.
According to the investigation, the attack can last between a few hours to a full day, plus it’s really difficult to detect because most companies that provide these services don’t often pay attention to changes in DNS settings.
Although so far no security firm has decided to make any guesses about the authorship of the attacks publicly, sources close to the cybersecurity community claim that Iran’s government is responsible for sponsoring this hacker group. So far, web application security experts don’t have more details about what happened on ICS-Forth systems after hackers gained access. Although it is not yet known what the names of the compromised domains are, experts claim that the access exploited by the hackers was still available.
Specialists from the International Cyber Security Institute (IICS) believe that the activities of this hacking group are highly likely to increase in the short term.