
Iran-based hackers behind 'state-driven' cyberattack -report


An Internet security company suspects that Iran-based hackers are behind a "state-driven attack" in which fraudulent online certificates were issued last week for major online portals including Google, Yahoo, Skype, Mozilla, and Microsoft.

Comodo, in a March 23 fraud incident report, said that nine fraudulent Secure Sockets Layer (SSL) certificates were issued on March 15.

"The circumstantial evidence suggests that the attack originated in Iran. The perpetrator has focused simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might). The perpetrator can only make use of these certificates if it had control of the DNS infrastructure. The perpetrator has executed its attacks with clinical accuracy. The Iranian government has recently attacked other encrypted methods of communication. All of the above leads us to one conclusion only: that this was likely to be a state-driven attack," it said.

Such certificates would have allowed an attacker to impersonate the targeted sites and intercept encrypted data, including communications, passing through them.

Comodo traced the incident to a breach at one of its affiliates, where an attacker used a hacked account to issue nine SSL certificates across seven domains. Comodo said it revoked all of these certificates immediately upon discovery. So far, the company said, it has not detected any attempted use of these certificates after their revocation.

The nine fraudulently issued certificates were:

  • mail.google.com (Gmail), Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E
  • www.google.com, Serial: 00F5C86AF36162F13A64F54F6DC9587C06
  • login.yahoo.com, Serial: 00D7558FDAF5F1105BB213282B707729A3
  • login.yahoo.com, Serial: 392A434F0E07DF1F8AA305DE34E0C229
  • login.yahoo.com, Serial: 3E75CED46B693021218830AE86A82A71
  • login.skype.com (Skype), Serial: 00E9028B9578E415DC1A710A2B88154447
  • addons.mozilla.org, Serial: 009239D5348F40D1695A745470E1F23F43
  • login.live.com (Microsoft), Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0
  • global trustee, Serial: 00D8F35F4EB7872B2DAB0692E315382FB0
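The serials above are printed the way Comodo's report gives them: as the hex of the DER content octets of the certificate's serialNumber INTEGER. That is why six of them start with "00": DER pads a positive integer with a zero byte when its top bit is set, so the "00" is encoding, not part of the number, and a blocklist that compares raw strings will miss a match if the other side prints the serial without the pad. The Python below is an added example, not code from the article, from Comodo, or from any browser vendor. It normalises the published list to integers, walks a DER certificate just far enough to reach the serial (Certificate -> tbsCertificate -> optional [0] version -> serialNumber), and answers whether the certificate is on the list. The certificate bytes it checks are constructed stubs built here that stop after the serial; they are not real Comodo-issued certificates.

```python
"""Serial-number blocklist check against DER-encoded X.509 certificates.

Added example, not Comodo's or any browser's code. The serial list is the one
published in the Comodo report; the certificates checked are constructed stubs.
"""

# Serials exactly as listed in the report: hex of the DER content octets,
# hence the leading "00" where the first real byte is >= 0x80.
COMODO_FRAUD_SERIALS = (
    "047ECBE9FCA55F7BD09EAE36E10CAE1E",    # mail.google.com
    "00F5C86AF36162F13A64F54F6DC9587C06",  # www.google.com
    "00D7558FDAF5F1105BB213282B707729A3",  # login.yahoo.com
    "392A434F0E07DF1F8AA305DE34E0C229",    # login.yahoo.com
    "3E75CED46B693021218830AE86A82A71",    # login.yahoo.com
    "00E9028B9578E415DC1A710A2B88154447",  # login.skype.com
    "009239D5348F40D1695A745470E1F23F43",  # addons.mozilla.org
    "00B0B7133ED096F9B56FAE91C874BD3AC0",  # login.live.com
    "00D8F35F4EB7872B2DAB0692E315382FB0",  # global trustee
)

# Normalise once to integers so "00F5..." and "F5..." compare equal.
BLOCKLIST = {int(s, 16) for s in COMODO_FRAUD_SERIALS}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value, adding the 0x00 pad when needed."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*parts: bytes) -> bytes:
    """DER SEQUENCE wrapping the given encoded parts."""
    body = b"".join(parts)
    return b"\x30" + der_length(len(body)) + body


def constructed_cert(serial: int) -> bytes:
    """Constructed stand-in for a certificate (assumption: only the prefix up to
    serialNumber is present): Certificate { TBSCertificate { [0] { INTEGER 2 }, INTEGER serial } }."""
    version_int = der_integer(2)                       # v3 is encoded as 2
    version = b"\xa0" + der_length(len(version_int)) + version_int
    return der_sequence(der_sequence(version, der_integer(serial)))


def read_tlv(buf: bytes, pos: int):
    """Parse one tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_serial(cert_der: bytes) -> int:
    """Return serialNumber from Certificate.tbsCertificate with a minimal TLV walk."""
    tag, tbs_start, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    assert tag == 0x30, "certificate is not a SEQUENCE"
    tag, pos, _ = read_tlv(cert_der, tbs_start)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, start, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        tag, start, end = read_tlv(cert_der, end)
    assert tag == 0x02, "expected INTEGER serialNumber"
    return int.from_bytes(cert_der[start:end], "big", signed=True)


def is_blocklisted(cert_der: bytes) -> bool:
    """True if the certificate's serial is one of the nine published serials."""
    return extract_serial(cert_der) in BLOCKLIST


def content_octets_hex(serial: int) -> str:
    """Hex of the DER content octets, i.e. the form the report lists serials in."""
    encoded = der_integer(serial)
    _, start, end = read_tlv(encoded, 0)
    return encoded[start:end].hex().upper()


if __name__ == "__main__":
    google = int("00F5C86AF36162F13A64F54F6DC9587C06", 16)
    print(content_octets_hex(google))                # 00F5C86AF36162F13A64F54F6DC9587C06
    print(is_blocklisted(constructed_cert(google)))  # True
    print(is_blocklisted(constructed_cert(0x1234)))  # False
```

A real check would key the blocklist on issuer plus serial, since serials are only unique per issuer; this example keys on serial alone because the report lists serials only. Revocation on its own is a weak defence in this scenario: the report itself says the attacker needed control of DNS, and a party that controls a victim's DNS can also keep its browser from reaching Comodo's OCSP responders, which browsers of the time treated as a soft failure. That is why the browser vendors shipped updates that hard-coded these serials rather than relying on OCSP.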
Of the nine certificates, only one of the three issued for login.yahoo.com was seen live on the Internet.

Comodo said that neither its certificate authority (CA) infrastructure, its root keys nor any other registration authority (RA) was compromised, adding that only one user account at one RA was breached. "The attacker created himself a new userID (with a new username and password) on the compromised user account," Comodo said.

It added that the attack came from several Internet Protocol (IP) addresses, mainly in Iran. Comodo's report included details of the attack, among them an IP address (212.95.136.18) that was traced to Tehran.

"The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him," Comodo noted.

But while nine certificates were requested, Comodo "(does) not know if (the hackers) received all of these certificates," except that they "definitely received one of the certificates."

"All certificates were revoked immediately on discovery. Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders. The site in Iran on which the certificate was tested quickly became unavailable," Comodo said.

Comodo also said it immediately got in touch with the principal browsers and domain owners and alerted them to what had happened. There was a coordinated effort at responsible disclosure, it said. All relevant government authorities were informed and involved, it added.

"The RA account in question has been suspended pending on-going forensic investigation. We immediately introduced new controls in the wake of this new threat to the authentication platform," it said.

— TJD, GMA News