On Sea Turtle Campaign Targeting Greek Governmental Organisations (Feb 25, 2020)
Greek news media has reported that the Greek Prime Minister's office, the Ministry of Foreign Affairs, the National Intelligence Service, and the Greek Police were targeted by the threat group Sea Turtle back in April 2019. Sea Turtle, suspected to be based in Turkey, gained access to the victims' domain registrar accounts and changed the name servers delegated for the victims' domains. Once the name server record pointed at a server under its control, Sea Turtle could answer DNS queries for the hijacked domain, obtain domain validation (DV) certificates for it (DV issuance only proves control of the domain's DNS or web content, which the hijack provided), and use them for Man-in-the-Middle (MITM) attacks against the domain's users.
Recommendation: Access to the management interfaces of critical infrastructure, including registrar and DNS provider accounts, should require multi-factor authentication. Some registrars offer a registry lock service that requires an out-of-band confirmation before any change can be made to the domain's registration records, including its name servers. It is also recommended to monitor your DNS records, in particular the NS delegation published by the parent zone, for unexpected changes.
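One way to implement the monitoring recommended above, as an added example that is not code from the original briefing: the script below compares the NS set currently delegated for a domain (as returned by an NS query sent to the parent TLD's servers, which is the record a registrar compromise changes) against a known-good baseline and against the NS set the zone's own authoritative servers publish. All domain and name-server names, and the sample query outputs, are constructed for illustration.

```python
"""Detect hijack-style changes to a domain's NS delegation.

Added example, not code from the original briefing. Baseline and sample
outputs are constructed; in production, feed it the text of
`dig +short NS <domain> @<parent-tld-server>` (parent delegation) and
`dig +short NS <domain> @<own-authoritative-server>` (child apex).
"""
from dataclasses import dataclass

# Constructed baseline: the NS set the organisation has on record for its
# domain, captured when the delegation was known to be correct.
BASELINE = {
    "example.gov.": {"ns1.example.gov.", "ns2.example.gov."},
}


@dataclass
class NsReport:
    domain: str
    added: set     # name servers delegated now but absent from the baseline
    removed: set   # baseline name servers no longer delegated at the parent
    mismatch: set  # names on which parent delegation and child apex disagree

    def suspicious(self) -> bool:
        """Any drift from baseline, or parent/child disagreement, merits an alert."""
        return bool(self.added or self.removed or self.mismatch)


def normalize_name(name: str) -> str:
    """Canonicalise a DNS name: lowercase with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_dig_short(output: str) -> set:
    """Parse `dig +short NS` style output: one name per line, ';' comments ignored."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        names.add(normalize_name(line))
    return names


def check_delegation(domain: str, parent_output: str, child_output: str,
                     baseline: dict = BASELINE) -> NsReport:
    """Compare parent delegation and child apex NS set against the baseline.

    parent_output: NS answer from the parent zone (what the registrar pushed
                   to the registry; this is the record Sea Turtle changed).
    child_output:  NS answer from one of the domain's own authoritative servers.
    """
    domain = normalize_name(domain)
    expected = {normalize_name(n) for n in baseline.get(domain, set())}
    parent = parse_dig_short(parent_output)
    child = parse_dig_short(child_output)
    return NsReport(
        domain=domain,
        added=parent - expected,
        removed=expected - parent,
        mismatch=parent ^ child,  # symmetric difference: present on one side only
    )


if __name__ == "__main__":
    # Constructed sample: the registrar delegation now names an attacker server
    # while the zone's own servers still publish the original NS set.
    hijacked_parent = "ns1.example.gov.\nns2.attacker-dns.example.\n"
    original_child = "NS1.example.gov\nns2.example.gov.\n"
    report = check_delegation("example.gov", hijacked_parent, original_child)
    print(report.domain, "suspicious:", report.suspicious())
    print("  added at parent:   ", sorted(report.added))
    print("  removed at parent: ", sorted(report.removed))
    print("  parent/child drift:", sorted(report.mismatch))
```

Run it on a schedule against the parent zone's servers rather than a recursive resolver, since a recursive resolver's cached answer can lag a registrar-side change by the TTL. A parent/child mismatch on its own, with no baseline drift, is also worth a look: it is the state a zone is in during the first minutes of a delegation hijack, before the attacker's servers have been queried for the apex NS set.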
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.