Hackers have struck at the heart of the net with a spear phishing attack on Icann employees which gave them access to a key administrative database and other digital assets, the internet oversight body has revealed.
In a note earlier this week, Icann admitted that the attack in late November involved email messages crafted to appear as if they came from the organization’s domain.
This enabled attackers to compromise Icann staff email credentials which then gave them access to other systems, most notably the Centralized Zone Data System (CZDS).
Icann explained:
“The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution.”
Icann recommended users change their passwords and protect other accounts which may share the same log-in credentials.
The attackers also accessed the Icann blog and WHOIS information portal, although the oversight body claimed that “no impact was found to either of these systems.”
Orlando Scott-Cowley, security strategist at email management firm Mimecast, argued that the attack could “have a significant impact on the way the internet works at a basic level.”
“We’ve known for years that the 13 root DNS servers could present the wider internet with a huge vulnerability – cobbling the way root DNS works would effectively break the internet,” he told Infosecurity.
“Although Root DNS servers are very well protected, and the processes surrounding them are strong, compromising enough links in the chain over a long period of time would give an attacker a strong chance of breaking the system.”
He added that if this is a coordinated attack, the likes of NTIA, VeriSign and IANA should be on high alert.
“Minimizing human error must involve pre-empting human nature. The technology arms race is all but won by the attackers, so now it’s up to us all to educate our users about clicking that link,” said Scott-Cowley.
“Educate them to think suspiciously, be wary, and be careful. Simply telling them not to click a link isn’t going to work, you have to train and drill them to not trust the link. And of course protect the link with technology wherever possible.”