The "ComodoHacker", who in September claimed that he had compromised Certificate Authority (CA) GlobalSign, appears to have had his exploits verified by the company — only he likely hit the wrong machines.
After the 21-year-old Iranian hacker, who went by the name "Sun Ich", claimed in September to have breached GlobalSign's servers, the CA took its certificate-issuing services offline between 6 September and 15 September while it investigated.
Overnight, it released a report into its findings.
It found that one of its web servers had been breached, and treated the SSL certificate and private key for www.globalsign.com as compromised. But the affected server was not part of its certificate-issuing infrastructure and played no role in issuing certificates.
"The www.globalsign.com domain is used only for the externally facing North American websites, and runs no web applications capable of requesting or issuing certificates, nor does it hold any customer data," the report read.
GlobalSign appeared to take no chances, however. It locked down the system in question, rebuilt the machine with a new disk and reset all of its customer accounts' passwords.
The findings match the claims Sun Ich posted on Pastebin:
"I have access to their entire server, got DB back-ups, their Linux/tar gzipped and downloaded; I even have private key of their own globalsign.com domain," he wrote in September.
But it's clear that Sun Ich hadn't reached the target that most thought he was aiming at.
The report's own summary: "We didn't find any evidence of:"
- Rogue certificates issued
- Customer data exposed
- Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM)
- Compromised GlobalSign Certificate Authority (CA) infrastructure
- Compromised GlobalSign Issuing Authorities and associated HSMs
- Compromised GlobalSign Registration Authority (RA) services.
Although he had promised more attacks and planned to expand his operations globally, little has been heard from Sun Ich: the ComodoHacker Pastebin account he normally posts from has been silent since September. That doesn't necessarily mean that he or others aren't continuing to breach CAs. The Electronic Frontier Foundation found evidence in October that CAs were being compromised, although it chose not to name them for ethical reasons.