{
	"id": "c452e73e-1e2f-458a-ace1-b1bd8ba08466",
	"created_at": "2026-04-06T00:13:33.318881Z",
	"updated_at": "2026-04-10T03:32:26.650547Z",
	"deleted_at": null,
	"sha1_hash": "3e64e115d08c0deb6f54d35e63e936e7995b7687",
	"title": "Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245253,
	"plain_text": "Sea Turtle keeps on swimming, finds new victims, DNS hijacking\r\ntechniques\r\nBy Paul Rascagneres\r\nPublished: 2019-07-09 · Archived: 2026-04-05 15:43:13 UTC\r\nTuesday, July 9, 2019 10:55\r\nBy Danny Adamitis with contributions from Paul Rascagneres.\r\nExecutive summary\r\nAfter several months of activity, the actors behind the \"Sea Turtle\" DNS hijacking campaign are not slowing\r\ndown. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial\r\nfindings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down\r\nonce they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going\r\nforward.\r\nAdditionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected\r\nto the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server\r\nrecords and respond to DNS requests with falsified A records. This new technique has only been observed in a few\r\nhighly targeted operations. We also identified a new wave of victims, including a country code top-level domain\r\n(ccTLD) registry, which manages the DNS records for every domain that uses that particular country code; that access\r\nwas then used to compromise additional government entities. Unfortunately, unless there are significant changes\r\nmade to better secure DNS, these sorts of attacks are going to remain prevalent.\r\nhttps://blog.talosintelligence.com/sea-turtle-keeps-on-swimming\r\nPage 1 of 6\n\nNew DNS hijacking technique\r\nTalos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS\r\nhijacking technique. 
This new technique has been used very sparingly, and thus far we have only identified two\r\nentities that were targeted in 2018, though we believe there are likely more.\r\nThis new technique once again involved modifying the target domain's name server records to point legitimate\r\nusers to the actor-controlled server. In this case, the actor-controlled name server and the hijacked hostnames\r\nwould both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed\r\ncases, one of the hijacked hostnames would reference an email service and the threat actors would presumably\r\nharvest user credentials. One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this\r\ntechnique had its own dedicated name server hostname and its own dedicated IP address. By contrast, previously\r\nreported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.\r\nIn one case, a private organization primarily used a third-party service as their authoritative name server. Then, for\r\na three-hour window in January 2018, their name server records were changed to a name server hostname that\r\nmimicked a slightly different version of the organization's name. During that three-hour window, the actor-controlled IP address hosted three hostnames: the two actor-controlled name servers and the webmail hostname.\r\nThis would allow the threat actors to perform a man-in-the-middle (MitM) attack, as outlined in our previous post,\r\nand harvest credentials. 
This technique was also observed against a government organization in the Middle East\r\nand North African region.\r\nContinued activity against ccTLD\r\nThe Institute of Computer Science of the Foundation for Research and Technology - Hellas (ICS-Forth), the\r\nccTLD for Greece, acknowledged on its public website that its network had been compromised on April 19, 2019.\r\nBased on Cisco telemetry, we determined that the actors behind the Sea Turtle campaign had access to the ICS-Forth network.\r\nCisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an\r\noperational command and control (C2) node. Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24, five days after the statement was publicly released. Upon analysis of this\r\noperational C2 node, we determined that it was also used to access an organization in Syria that was previously\r\nredirected using the actor-controlled name server ns1[.]intersecdns[.]com. This indicates that the same threat\r\nactors were behind both operations.\r\nWe also saw evidence that the threat actors researched the open-source tool PHP-Proxy. Notably, this particular\r\nC2 node searched for both blog.talosintelligence.com and ncsc.gov.uk, presumably to view Talos' previous reports\r\non DNS hijacking and the DNS hijacking advisory from the United Kingdom's National Cyber Security Centre.\r\nNew actor-controlled nameserver\r\nWe recently discovered a new actor-controlled nameserver, rootdnservers[.]com, that exhibited behavior\r\npatterns similar to those of name servers previously utilized as part of the Sea Turtle campaign. The domain rootdnservers[.]com\r\nwas registered on April 5, 2019 through the registrar NameCheap. 
The new actor-controlled name server\r\nrootdnservers[.]com was utilized to perform DNS hijacking against three government entities that all used .gr, the\r\nGreek ccTLD. It's likely that these hijackings were performed through the access the threat actors obtained in the\r\nICS-Forth network. Below is a table showing the three most recent actor-controlled name servers that we have\r\nassociated with this activity and their current operational status.\r\nHostnames IP addresses Operational Status\r\nns1[.]rootdnservers[.]com. 45[.]32[.]100[.]62 Active\r\nns2[.]rootdnservers[.]com. 45[.]32[.]100[.]62 Active\r\nns1[.]intersecdns[.]com 95[.]179[.]150[.]101 Inactive\r\nns2[.]intersecdns[.]com 95[.]179[.]150[.]101 Inactive\r\nNew IP addresses associated with man-in-the-middle activity\r\nBy identifying the targeted domains, we were able to identify the hijacked hostnames and the corresponding actor-controlled MitM nodes. The threat actors again employed previously documented tradecraft by performing a\r\n\"certificate impersonation\" technique. This is where the threat actors procure an SSL certificate for the targeted\r\nhostname from a different SSL provider. Below is a table showing the dates and associated IP addresses.\r\nDate IP address\r\nApril 13, 2019 95[.]179[.]131[.]225\r\nApril 16, 2019 95[.]179[.]131[.]225\r\nApril 11, 2019 95[.]179[.]131[.]225\r\nApril 11, 2019 140[.]82[.]58[.]253\r\nApril 10, 2019 95[.]179[.]156[.]61\r\nUpdated victimology\r\nSince our initial report, Sea Turtle has continued to compromise a number of different entities to fulfill their\r\nrequirements. 
We have identified some of the new primary targets as:\r\n- Government organizations\r\n- Energy companies\r\n- Think tanks\r\n- International non-governmental organizations\r\n- At least one airport\r\nIn terms of secondary targets, we have seen very similar targets as those previously reported, such as\r\ntelecommunications providers, internet service providers and one registry.\r\nCoverage and mitigations\r\nIn order to best protect against this type of attack, we compiled a list of potential actions. We have included\r\nadditional security recommendations that were highlighted by Bill Woodcock during his presentations on\r\nDNS/IMAP attacks.\r\n- We recommend implementing multi-factor authentication, such as DUO, to secure the management of your\r\norganization's DNS records at your registrar, and to connect remotely to your corporate network via a\r\nVirtual Private Network (VPN).\r\n- Talos suggests a registry lock service on your domain names, which will require the registrar to provide an\r\nout-of-band confirmation before the registry will process any changes to an organization's DNS record.\r\n- DNSSEC sign your domains, either in-house, or using a DNS service provider which performs DNSSEC\r\nkey-management services.\r\n- DNSSEC validate all DNS lookups in your recursive resolver, either using in-house nameservers, or a\r\nservice like Cisco Umbrella / OpenDNS.\r\n- Make Internet Message Access Protocol (IMAP) email servers accessible only from your corporate LAN\r\nand to users who have already authenticated over a VPN.\r\n- If you suspect you were targeted by this type of activity, we recommend instituting a network-wide\r\npassword reset, preferably from a computer on a trusted network.\r\n- Lastly, network administrators can monitor passive DNS records on their domains to check for\r\nabnormalities.\r\nIndicators of compromise\r\nIP address Characterization Date Range\r\n185[.]64[.]105[.]100 
Operational Node March - April 2019\r\n178[.]17[.]167[.]51 Operational Node June 2019\r\n95[.]179[.]131[.]225 Mitm Node April 2019\r\n140[.]82[.]58[.]253 Mitm Node April 2019\r\n95[.]179[.]156[.]61 Mitm Node April 2019\r\n196[.]29[.]187[.]100 Mitm Node December 2018\r\n188[.]226[.]192[.]35 Mitm Node January 2018\r\nns1[.]rootdnservers[.]com Actor-controlled nameserver April 2019\r\nns2[.]rootdnservers[.]com Actor-controlled nameserver April 2019\r\n45[.]32[.]100[.]62 Hosted malicious nameserver April 2019\r\nns1[.]intersecdns[.]com Actor-controlled nameserver February - April 2019\r\nns2[.]intersecdns[.]com Actor-controlled nameserver February - April 2019\r\n95[.]179[.]150[.]101 Hosted malicious nameserver February - July 2019\r\nSource: https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming"
	],
	"report_names": [
		"sea-turtle-keeps-on-swimming"
	],
	"threat_actors": [
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e64e115d08c0deb6f54d35e63e936e7995b7687.pdf",
		"text": "https://archive.orkl.eu/3e64e115d08c0deb6f54d35e63e936e7995b7687.txt",
		"img": "https://archive.orkl.eu/3e64e115d08c0deb6f54d35e63e936e7995b7687.jpg"
	}
}