{
	"id": "49d876f5-5c5c-40f1-82cf-32d8f987c356",
	"created_at": "2026-04-06T02:10:46.538788Z",
	"updated_at": "2026-04-10T03:35:21.408627Z",
	"deleted_at": null,
	"sha1_hash": "1cece297fcc03325b831511f2aca4ff54a6e188d",
	"title": "Final Report on DigiNotar Hack Shows Total Compromise of CA Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45080,
	"plain_text": "Final Report on DigiNotar Hack Shows Total Compromise of CA Servers\r\nBy Dennis Fisher\r\nPublished: 2012-10-31 · Archived: 2026-04-06 01:56:14 UTC\r\nThe attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company’s certificate-issuing servers during the operation and he may also have issued some rogue certificates that have not yet been identified. The final report from a security company commissioned to investigate the DigiNotar attack shows that the compromise of the now-bankrupt certificate authority was much deeper than previously thought.\r\nIn August 2011 indications began to emerge of a major compromise at a certificate authority in the Netherlands, previously unknown to most of the Internet’s citizens, and the details quickly revealed that the attack would have serious ramifications. The first public acknowledgement of the attack was the discovery of a large-scale man-in-the-middle attack against Gmail users in Iran. Researchers investigating that attack discovered that the operation was using a valid wildcard certificate, issued by DigiNotar, for *.google.com, giving the attacker the ability to impersonate Google to any browser that trusted the certificate.\r\nIt quickly emerged that the attacker also had obtained valid certificates for a number of other high-value domains, including Yahoo, Mozilla and others. 
The browser manufacturers scrambled to revoke trust in the compromised certificates and reassure users that the Internet was not broken. Now the final report from Fox-IT, the Dutch company brought in at the time of the attack in 2011 to find the root cause and determine the extent of the damage, says that the attack was a wide-ranging one that likely started more than a month before the CA discovered it.\r\n“The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder. The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with. Consequently, while these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place,” the report, which was just made public this week, says.\r\nhttps://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/\r\nPage 1 of 3\n\nOne of the most worrisome aspects of the DigiNotar breach at the time it leaked out was that the company not only was a commercial CA, but it also issued government certificates, calling into question the legitimacy of those certificates, as well. 
The Fox-IT report says there are some indications in its investigation that the attacker may have issued some rogue certificates that have not been identified yet, a troubling prospect.\r\n“Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates,” the report says.\r\nAn anonymous hacker who earlier had claimed responsibility for the attack on Comodo, another certificate authority, said he also had executed the DigiNotar hack. In its report, Fox-IT said that there were some signs that the same person who compromised Comodo had indeed penetrated DigiNotar, as well.\r\n“A fingerprint that was left by the intruder was recovered on a Certificate Authority server, which was also identified after the breach of the Certificate Service Provider Comodo in March of 2011. Over the course of the intrusion at DigiNotar, the intruder used multiple systems as proxies in order to obscure his true identity. However, several traces were recovered during the investigation by Fox-IT that independently point to a perpetrator located in the Islamic Republic of Iran,” the report says.\r\nDigiNotar had its network highly segmented and had a number of those segments separated from the public Internet. However, the company did not have strict enforcement of the rules on its network, something that may have enabled the attacker to move from the Web server he initially compromised over to the servers that house the certificate authorities.\r\n“The investigation showed that web servers in DigiNotar’s external Demilitarized Zone (DMZ-ext-net) were the first point of entry for the intruder on June 17, 2011. 
During the intrusion, these servers were used to exchange files between internal and external systems, with scripts that were placed on these systems serving as rudimentary file managers,” the Fox-IT report says.\r\n“From the web servers in DMZ-ext-net, the intruder first compromised systems in the Office-net network segment between the 17th and 29th of June 2011. Subsequently, the Secure-net network segment that contained the CA servers was compromised on July 1, 2011. Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”\r\nThe attack on DigiNotar lasted for nearly six weeks, from start to finish, according to the report, and the attacker was using multiple systems outside and inside the network during the operation.\r\n“The investigation by Fox-IT showed that all servers that managed Certificate Authorities had been compromised by the intruder, including the Qualified-CA server, which was used to issue both accredited qualified and government certificates. In total, a non-exhaustive list of 531 rogue certificates with 140 unique distinguished names (DNs) and 53 unique common names (CNs) could be identified. The last known date for traffic that was initiated from within DigiNotar’s network to an IP address that was presumably (ab)used by the intruder was on July 22, 2011. 
Traces of activity by the intruder in DMZ-ext-net were found up to July 24, 2011,” the report says.\r\nThe attacker had complete control of the CA servers during the attack and had the ability to alter log files, which were kept on the same servers as the CAs, and to make changes to the database. An interesting detail from the report is that DigiNotar could not produce any records showing whether a smart card had been used to activate the private keys in the hardware security module that correspond to the compromised CAs. The attacker would not have been able to issue the rogue certificates without the private keys, so he also needed to find a way to activate them.\r\n“The private keys were activated in the netHSM using smartcards. No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period,” Fox-IT’s report says.\r\nSource: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/"
	],
	"report_names": [
		"77170"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441446,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cece297fcc03325b831511f2aca4ff54a6e188d.pdf",
		"text": "https://archive.orkl.eu/1cece297fcc03325b831511f2aca4ff54a6e188d.txt",
		"img": "https://archive.orkl.eu/1cece297fcc03325b831511f2aca4ff54a6e188d.jpg"
	}
}