The hackers behind the breach are the same group detailed in a Cisco Talos report from April, which the company named Sea Turtle.
The group uses a relatively novel approach to hacking targets. Instead of targeting victims directly, they breach or gain access to accounts at domain registrars and managed DNS providers where they make modifications to a company's DNS settings.
By modifying DNS records for internal servers, they redirect traffic meant for a company's legitimate apps or webmail services to clone servers where they carry out man-in-the-middle attacks and intercept login credentials.
Attacks are short-lived, lasting from hours to days, and are very hard to detect because most companies don't monitor for changes to their DNS settings.
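The detection gap described above is the one most organisations can close cheaply: keep a signed-off baseline of the DNS records that matter and diff each fresh observation against it. The following script is an added illustration, not code from the article or from Cisco Talos; the domain names, addresses and nameserver hostnames are constructed samples, and in production the observed set would come from an authoritative resolver query rather than an inline dictionary.

```python
"""Flag unauthorised DNS record changes by diffing observations against a
baseline. Added illustration for the Sea Turtle article; all names and
addresses below are constructed sample data, not real infrastructure."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)

# Triage ranking for the record types the reports describe attackers touching:
# NS changes move resolution itself, A/AAAA/MX redirect web, mail and webmail.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high",
            "TXT": "medium"}


@dataclass(frozen=True)
class Change:
    name: str
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]
    severity: str


def normalise(records: Dict[RecordKey, Set[str]]) -> Dict[RecordKey, FrozenSet[str]]:
    """Lower-case and strip trailing dots so 'NS1.Example.Test.' equals
    'ns1.example.test'; otherwise cosmetic differences raise false alerts."""
    return {key: frozenset(v.lower().rstrip(".") for v in vals)
            for key, vals in records.items()}


def diff_records(baseline: Dict[RecordKey, Set[str]],
                 observed: Dict[RecordKey, Set[str]]) -> List[Change]:
    """Return one Change per (name, type) whose value set differs.

    Both additions and removals are reported: an attacker who appends a
    rogue nameserver leaves the legitimate ones in place, so a check that
    only asks "is the expected value still present" would miss it."""
    base, obs = normalise(baseline), normalise(observed)
    changes = []
    for key in sorted(set(base) | set(obs)):
        before = base.get(key, frozenset())
        after = obs.get(key, frozenset())
        if before != after:
            name, rtype = key
            changes.append(Change(name, rtype, after - before, before - after,
                                  SEVERITY.get(rtype, "low")))
    return changes


def format_alert(c: Change) -> str:
    return (f"[{c.severity.upper()}] {c.name} {c.rtype}: "
            f"added={sorted(c.added) or '-'} removed={sorted(c.removed) or '-'}")


# Constructed baseline: what the organisation signed off on.
BASELINE: Dict[RecordKey, Set[str]] = {
    ("mail.example-corp.test", "A"): {"203.0.113.10"},
    ("mail.example-corp.test", "MX"): {"10 mail.example-corp.test."},
    ("example-corp.test", "NS"): {"ns1.example-dns.test.", "ns2.example-dns.test."},
}

# Constructed observation: webmail A record swapped to an unknown host and an
# extra nameserver appended, the two patterns the reports describe.
OBSERVED: Dict[RecordKey, Set[str]] = {
    ("mail.example-corp.test", "A"): {"198.51.100.77"},
    ("mail.example-corp.test", "MX"): {"10 mail.example-corp.test."},
    ("example-corp.test", "NS"): {"ns1.example-dns.test.", "ns2.example-dns.test.",
                                  "ns9.unknown-host.test."},
}

if __name__ == "__main__":
    # Because the hijacks last hours, not weeks, the poll interval that feeds
    # this diff has to be measured in minutes to catch one in progress.
    for change in diff_records(BASELINE, OBSERVED):
        print(format_alert(change))
```

Running the script prints a CRITICAL alert for the appended nameserver and a HIGH alert for the redirected webmail address. Two design points matter in practice: compare the full value set rather than checking for the presence of the expected value, and query the authoritative nameservers directly, since a cached answer from a recursive resolver can hide a change for the length of the record's TTL.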
Reports on this hacker group's activities have been published, in order, by FireEye, CrowdStrike, and Cisco Talos. FireEye attributed the attacks to a nexus of the Iranian government, while CrowdStrike and Cisco Talos have so far refrained from making any attribution. The US DHS and UK NCSC agencies have also issued security alerts about the group's novel tactics.
A brazen group that doesn't shy away from big targets
According to the reports above, in most of its attacks the Sea Turtle group breaches accounts at domain registrars and managed DNS providers -- accounts owned by the targets themselves, who use them to manage DNS entries for their servers and services.
However, Sea Turtle didn't shy away from hacking an entire service provider to get what it wanted -- namely, to modify a target company's server DNS settings.
In its first report, the Cisco Talos team said the Sea Turtle group hacked NetNod, an internet exchange node based in Sweden, which, among other things, also offered DNS services for ccTLD organizations such as ICS-Forth.
"Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa)," Cisco Talos researchers said at the time.
Unfortunately, this time around, the Talos team doesn't have any details of what the hackers did on ICS-Forth's network after they gained access to its systems. Which domain names had their DNS settings changed remains unknown for now, but Talos said the hackers maintained access for another five days after ICS-Forth publicly disclosed the incident.
However, the attack on ICS-Forth wasn't the only new Sea Turtle operation. Since their last report on Sea Turtle, Talos said they also identified new victims, in countries such as Sudan, Switzerland, and the US.
These targets -- whose DNS settings were modified so hackers could intercept user credentials -- are government organizations, energy companies, think tanks, international non-governmental organizations, and at least one airport.
Cisco Talos also added that the group didn't appear to have been impacted by having its operations exposed over the spring.
Researchers said Sea Turtle were busy doubling down on their attacks with new infrastructure.
"While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward," Talos said.