As if threat actors weren’t cagey enough, now they’re getting help from nation-states — at least, in the ideas department. And Craig Williams is frustrated by it.
“Nation-states are using DNS to spy on each other for espionage purposes,” said Williams, director of Talos, the threat intelligence arm of Cisco Systems. “The reason I have a big problem with that is, when you look at the way cybercrime works on the internet, the one repeatable pattern is that when a bad guy finds something new, like a new technique, to steal from someone else — well, everybody sees that and everyone thinks, ‘I’d like to try that.’ So even though the initial campaigns may be benign to the public, subsequent campaigns and copycats are probably not. And they will hurt the public, and that will hurt public trust in the whole DNS infrastructure.”
Here’s what’s happening: A group of threat actors, discovered by Talos late last year and dubbed Sea Turtle, has successfully attacked roughly 40 organizations in the Middle East and North Africa. The attack targets the Domain Name System, the directory that maps an organization’s domain name to the address of the server behind it. By altering those records, the attackers reroute traffic from legitimate sites to look-alike sites they control.
DNS Attacks Could Be Unleashed Anywhere
Williams discussed the situation in an interview during Cisco Live, the company’s massive user conference taking place in San Diego through June 13.
“Right now, it’s happening only in the Middle East and Africa,” Williams said. “So for the rest of the world, it’s not a concern yet. But those same techniques can be deployed against other countries and other registrars. It’s incredibly concerning.”
As a threat intelligence organization, Talos spends its time investigating emerging cybersecurity threats so it can inform the cybersecurity world. Williams noted that, unlike most such threats, which typically prey on businesses that have failed to patch their networks, follow security best practices or train staff properly, the Sea Turtle campaign is an attack on the internet’s own infrastructure.
“Imagine waking up one day, and you want to buy something, so you go to your bank,” Williams said. “You just implicitly trust that when you type in your bank’s domain, you’re on your bank’s server. What if you’re not? What if you’re on an attacker’s server, and you just gave him your user name and password?”
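The practical defense against the scenario Williams describes, and against the record rewriting described earlier in the article, is to pin the DNS records you expect for your domains and alert on any drift. The script below is an added example written for this article, not Talos or Cisco code. The domain, name servers, IP addresses and the “observed” records are constructed sample data; in production the observed records would come from live queries against the authoritative servers (for example the TLD’s servers for the NS delegation), but here they are embedded so the script runs offline.

```python
"""Detect DNS record drift: name-server delegation or address records that
changed from a pinned baseline, the pattern behind a DNS hijack that sends a
bank's customers to an attacker's server.

Added example, not code from the article or from Talos/Cisco. All names,
addresses and record sets below are constructed sample data."""


def normalize(name: str) -> str:
    """Canonicalize a DNS name: lowercase, no trailing dot, so that
    'NS1.Example.COM.' and 'ns1.example.com' compare equal."""
    return name.strip().lower().rstrip(".")


def parse_records(text: str) -> dict:
    """Parse zone-file style lines 'owner TTL IN TYPE RDATA' into a map
    {(owner, type): set(rdata)}. Blank lines and ';' comments are skipped."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        owner, rtype = normalize(parts[0]), parts[3].upper()
        rdata = " ".join(parts[4:])
        if rtype in ("NS", "CNAME", "MX"):
            # The target host name in these types is case-insensitive;
            # normalize it (MX keeps its numeric preference in front).
            fields = rdata.split()
            fields[-1] = normalize(fields[-1])
            rdata = " ".join(fields)
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def find_drift(baseline: dict, observed: dict) -> list:
    """Compare observed records with the pinned baseline. Returns a list of
    (owner, type, added, removed) tuples; an empty list means no drift."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want = baseline.get(key, set())
        got = observed.get(key, set())
        if want != got:
            owner, rtype = key
            findings.append((owner, rtype, sorted(got - want), sorted(want - got)))
    return findings


# Constructed baseline: what the zone looked like when last verified by hand.
BASELINE = """
example.com.      3600 IN NS  ns1.example-dns.net.
example.com.      3600 IN NS  ns2.example-dns.net.
example.com.      300  IN A   192.0.2.10
www.example.com.  300  IN A   192.0.2.10
example.com.      3600 IN MX  10 mail.example.com.
"""

# Constructed observation: one name server swapped for a rogue one and the
# apex A record pointed elsewhere; the www entry only differs in letter case.
OBSERVED = """
example.com.      3600 IN NS  ns1.example-dns.net.
example.com.      3600 IN NS  ns1.rogue-dns.example.
example.com.      300  IN A   198.51.100.7
WWW.Example.com.  300  IN A   192.0.2.10
example.com.      3600 IN MX  10 mail.example.com.
"""


def drift_report() -> list:
    """Run the comparison on the embedded sample data."""
    return find_drift(parse_records(BASELINE), parse_records(OBSERVED))


if __name__ == "__main__":
    for owner, rtype, added, removed in drift_report():
        print(f"DRIFT {owner} {rtype}: added={added} removed={removed}")
```

Run this on a schedule from a host that queries the authoritative servers directly rather than a caching resolver, since a hijacked delegation can take a while to show up through caches, and treat any change to the NS set as an incident until someone confirms a registrar change was intentional. Pairing it with certificate transparency monitoring for the same domains catches the attacker obtaining a certificate for the look-alike site.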
Williams says he’s frustrated partly by the fact that nation-states have spawned this activity, either unaware or unconcerned that their national security activities would inevitably be copied by threat actors with far more pernicious objectives. “Threat actors see this, it gives them an idea, and they’ll find a way to deploy the same techniques against civilian targets.”