Iranians the target of DigiNotar hack?

A growing pile of evidence suggests Iranian web users were being spied on as a result of the DigiNotar attack.


Iranian web users were the real target of the hack on Dutch certification authority (CA) DigiNotar, which resulted in over 500 fake certificates being issued, evidence has suggested.

The CA was hacked in July, leading hackers to produce a host of fraudulent SSL certificates for sites including Google.com and an MI6 website.

Trend Micro said it had "concrete evidence" suggesting the DigiNotar attack was used to spy on Iranian internet users "on a large scale."

"We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar," a blog post from Trend read.

"Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack."

What we think...

The use of attacks at both the CA and DNS levels shows the hackers were determined, or perhaps ISPs themselves were involved.

The involvement of an ISP was suggested by an Iranian web user, the same one who discovered the fake Gmail certificate that kicked off this unsavoury saga in the first place. For Iranian citizens, the situation will only fuel their fury against the Government more.

Tom Brewster, Senior Staff Writer

Trend noted a spike in the number of Iranian users who loaded the SSL certificate verification URL of DigiNotar. As DigiNotar is a Dutch authority, most of its traffic normally comes from Dutch end users, so it is odd to see any noticeable Iranian traffic coming through.

"These aggregated statistics from the Trend Micro Smart Protection Network clearly show that Iranian internet users were exposed to a large-scale man-in-the-middle attack wherein SSL-encrypted traffic can be decrypted by a third party," Trend Micro added.

"Because of this, a third party was probably able to read all of the email messages an Iranian internet user sent with his/her Gmail account."

The security firm even found evidence suggesting Iranians using anti-censorship software could still have had their internet usage watched over.

"Closer analysis of our data revealed even more alarming facts like outgoing proxy nodes in the US of anti-censorship software made in California were sending Web rating requests for validation.diginotar.nl to the cloud servers of Trend Micro," the company added.

"This very likely means that Iranian citizens who were using this anti-censorship software were victimized by the same man-in-the-middle attack."

Meanwhile, Fox-IT, the security auditors brought in to investigate the DigiNotar hack, found that in the lookups on DigiNotar's OCSP servers, which browsers check to see if a certificate has been revoked, more than 99 per cent of queries originated from Iran during the "active attack period."

Fox-IT found almost 300,000 unique IP addresses from Iran attempted to gain access to Google services using rogue certificates from DigiNotar.

"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian internet users," said Chester Wisniewski, Sophos senior security advisor, in a blog post.

"Many of the other requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians to avoid censorship. This indicates that the method used to perform the man-in-the-middle attacks with these certificates likely depended on DNS poisoning at the ISPs."
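The kind of OCSP-log analysis Fox-IT and Sophos describe above, as an added illustration that is not the article's or Fox-IT's own code: it takes constructed log lines, a constructed Iranian address range, a constructed Tor-exit list, a constructed rogue-certificate serial and a constructed attack window, and reports how much of the revocation-check traffic for the rogue certificate came from Iran or via proxies.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed lookup data (not real DigiNotar, ISP or Tor data).
IRAN_PREFIXES = [ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("10.2.0.0/16")]   # stands in for Iranian ISP ranges
TOR_EXITS = {"192.0.2.10", "192.0.2.11"}                # stands in for Tor exit nodes
ROGUE_SERIALS = {"ABCD01"}                              # constructed rogue-cert serial
ATTACK_START = datetime(2011, 7, 20)                    # constructed "active attack period"
ATTACK_END = datetime(2011, 8, 29)

# Constructed OCSP log lines: "<ISO timestamp> <client ip> <certificate serial>".
LOG = [
    "2011-08-01T10:00:00 10.1.5.6 ABCD01",
    "2011-08-01T10:00:05 10.1.5.6 ABCD01",      # same client checking again
    "2011-08-01T10:01:00 10.2.7.8 ABCD01",
    "2011-08-02T11:00:00 192.0.2.10 ABCD01",    # request arriving via a Tor exit
    "2011-08-02T12:00:00 198.51.100.4 ABCD01",  # unrelated origin
    "2011-08-02T12:00:00 198.51.100.4 FFFF00",  # different certificate, ignored
    "2011-07-01T12:00:00 10.1.9.9 ABCD01",      # before the attack window, ignored
]

def classify(ip):
    """Attribute a client address: Tor exit, Iranian range, or other."""
    if ip in TOR_EXITS:
        return "tor_exit"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IRAN_PREFIXES):
        return "iran"
    return "other"

def analyse(lines):
    """Count OCSP checks of the rogue certificate inside the attack window by origin."""
    counts, unique_iran = Counter(), set()
    for line in lines:
        ts, ip, serial = line.split()
        if serial not in ROGUE_SERIALS:
            continue
        if not ATTACK_START <= datetime.fromisoformat(ts) <= ATTACK_END:
            continue
        origin = classify(ip)
        counts[origin] += 1
        if origin == "iran":
            unique_iran.add(ip)
    total = sum(counts.values())
    return {
        "by_origin": dict(counts),
        "unique_iran_ips": len(unique_iran),
        "iran_share": counts["iran"] / total if total else 0.0,
        # Iranian ranges plus Tor exits: the population the article says was being intercepted.
        "iran_or_proxied_share": (counts["iran"] + counts["tor_exit"]) / total if total else 0.0,
    }
```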
