For at least two years, a highly capable threat actor has been running a campaign that relied on DNS hijacking to reach their targets. In the operation, at least 40 public and private organizations in 13 countries have been compromised.
The domain name system (DNS) is the service that allows us to access websites by typing domain names instead of IP addresses in a browser's address bar. It translates the names into the numerical destination of the server hosting the web page we want to load.
Access to DNS records enables an attacker to replace the addresses of a target's name servers so that they point to their own infrastructure. Once in control of the name servers responsible for handling requests for IP addresses associated with web domains, the threat actor can direct victims to content on malicious servers.
Two types of victims
Dubbed Sea Turtle, the operation made victims located primarily in the Middle East and North Africa. The main targets are ministries of foreign affairs, military organizations, intelligence agencies, energy companies. The purpose of compromising them is cyber-espionage.