Spear-phishing attack timing couldn’t be worse for domain name overseer
Attackers sent staff spoofed emails appearing to come from icann.org. The organization notes it was a “spear phishing” attack, suggesting employees clicked on a link in the messages that took them to a bogus login page – into which staff typed their usernames and passwords, providing hackers with the keys to their work email accounts. No sign of two-factor authentication, then.
“The attack resulted in the compromise of the email credentials of several ICANN staff members,” ICANN’s statement on the matter reads, noting that the attack happened in late November and was discovered a week later.
With those details, the hackers then managed to access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the Governmental Advisory Committee (GAC), the domain registration Whois portal, and the organization’s blog.
The CZDS gives authorized parties access to all the zone files of the world’s generic top-level domains. It is not possible to alter those zone files from within that system, but the hackers did manage to obtain information on those who are registered with the system, which include many of the administrators of the world’s registries and registrars.
In an email sent to every CZDS user, ICANN has warned that “the attacker obtained administrative access to all files in the CZDS including copies of the zone files in the system. The information you provided as a CZDS user might have been downloaded by the attacker. This may have included your name, postal address, email address, fax and telephone numbers, and your username and password.”
ICANN notes that the passwords were stored as salted hash values, rather than in plaintext, although the algorithm used is not known. It has since deactivated all pass-phrases and asked users to set new passwords. However, if CZDS users have used the same login details for other systems, the hackers could also gain access to other parts of the internet’s basic infrastructure if they can crack the hashes.
ICANN says it has found no impact on the other systems. “Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems,” it stated.
While the hack is nowhere near the same level as the attack on, say, Sony that has seen gigabytes of sensitive information leaked onto the internet, it will prove extremely embarrassing to ICANN, which hopes to be handed control of the critical IANA contract next year. IANA is the ICANN-run body that manages the heart of the internet’s DNS.
It also comes as the US government revealed yesterday the process by which updates to the internet’s root zone files are done through ICANN. When changing the network addresses for the world’s top-level nameservers, the process relies on a secure email from ICANN, or a request sent through a secure web portal, a standard format change request and self-certification that ICANN has followed its own processes.
With the email addresses of staff with access to root zone records having been compromised, and the hack only noticed a week later, there will be significant concern that, had the hackers been luckier, or had an IANA staffer – IANA staff also use icann.org email addresses – logged in to the fake site, the hackers may have gained access to the system used to make changes at the very top of the internet.
ICANN seeks to assure people that it is on top of the situation: “Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems. We believe these enhancements helped limit the unauthorized access obtained in the attack. Since discovering the attack, we have implemented additional security measures.”
That security program began when ICANN suffered a problem with the CZDS system in April. In that case a number of users were wrongly given admin access to the system.
If there is a positive to the news it is that ICANN has matured in how it deals with security. When the organization experienced a critical failure in its application system for new top-level domains in 2012, which caused it to shut down its entire flagship program for several months, it defensively dismissed the issue as a “glitch” and infuriated thousands of companies by providing very limited information about what had happened and when systems would be back up.