Sea Turtle: Sea Turtle has been tied to another DNS attack, this time compromising ICS-Forth, the organization which manages Greece’s top-level domains of .gr and .el. The breach was discovered in April by ICS-Forth just after the initial report of Sea Turtle’s major campaign. Sea Turtle takes a novel approach to DNS hijacking. The group targets domain registrars where they can then modify DNS settings for a wide range of companies all at once. While the attacks are not typically very long, ending within days of the initial intrusion, they do tend to go unnoticed by many companies because few pay attention to changes made to DNS settings. This latest victim has seen a new group of addresses being used by the group for man in the middle attacks including 95[.]179[.]131[.]225, 140[.]82[.]58[.]253, and 95[.]179[.]156[.]61, as well as four new nameservers which are controlled by Sea Turtle:ns1[.]rootdnservers[.]com IP Address 45[.]32[.]100[.]62, ns2[.]rootdnservers[.]com IP Address 45[.]32[.]100[.]62, ns1[.]intersecdns[.]com IP Address 95[.]179[.]150[.]101, and ns2[.]intersecdns[.]com IP Address 95[.]179[.]150[.]101.
Sea Turtle Breaches Greece’s Top Domain Registrar
July 16, 2019