Incident: DNS Hijacking Attack on High-Profile Websites by Turkish Hacker Group

Published Date: 2011-09-04

Postmortem Analysis
Timeline 1. The software failure incident of the DNS hack by a Turkish hacker group targeting high-profile websites occurred on a Sunday night [7822]. 2. Published on 2011-09-04. 3. The incident likely occurred in September 2011.
System The system that failed in the software failure incident described in Article 7822 was the Domain Name System (DNS).
Responsible Organization 1. The Turkish hacker group was responsible for causing the software failure incident [7822].
Impacted Organization 1. Betfair [7822] 2. Telegraph [7822] 3. UPS [7822] 4. Vodafone [7822] 5. National Geographic [7822] 6. Acer [7822] 7. The Register [7822] 8. Microsoft in Brazil [7822] 9. Dell in South Korea [7822]
Software Causes 1. The software cause of the failure incident was a DNS hack where the Turkish hacker group targeted the domain name system (DNS) to redirect traffic to high-profile websites, affecting sites like the Telegraph, UPS, Betfair, Vodafone, National Geographic, Acer, and others [7822].
Non-software Causes 1. The hackers targeted the domain name system (DNS) by attacking the database for the DNS at the "domain name registrar" company which registered the affected sites [7822]. 2. The hackers redirected traffic by manipulating the DNS records at the registrar level, causing users to be directed to unintended web pages [7822]. 3. The hackers exploited vulnerabilities in the domain registration process, specifically targeting companies like Ascio.com and Netnames.co.uk that register domain names [7822].
Impacts 1. The software failure incident led to the diversion of traffic to high-profile websites, putting unwary users at risk of having passwords, emails, and other details stolen [7822]. 2. Users visiting the affected sites may have thought they were directly hacked, causing confusion and potential distrust in the security of the websites [7822]. 3. Email sent to the affected sites during the hack was diverted to the hackers' site, potentially compromising communication and data security [7822]. 4. The DNS hack allowed the hackers to direct users to any web page they wanted, indicating a significant breach of website integrity and control [7822]. 5. The incident caused disruption in accessing the affected websites, as users had to resort to typing in the original dotted quad address directly into a browser to reach the sites [7822].
Preventions 1. Implementing strong security measures to protect domain name registrar databases from unauthorized access could have prevented the software failure incident [7822]. 2. Regularly monitoring and auditing DNS records to detect any unauthorized changes promptly could have helped prevent the incident [7822]. 3. Utilizing multi-factor authentication for accessing and making changes to DNS records could have added an extra layer of security to prevent unauthorized modifications [7822].
Fixes 1. Restoring the original DNS records for the affected sites by getting the registrar to change them back to their own nameservers could fix the software failure incident [7822].
References 1. Industry experts 2. Alex Norcliffe, software engineer with Umbraco 3. DNS servers 4. "zone-h" website 5. Blue Mile Networks 6. Ascio.com 7. Netnames.co.uk 8. Twitter feed of the hacking group

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident related to the Turkish hacker group diverting traffic through a DNS hack has happened again at Betfair, Vodafone, and other high-profile websites [7822]. The incident involved the group attacking the domain name system (DNS) to redirect users to unauthorized pages, affecting multiple organizations simultaneously. (b) The incident involving the DNS hack by the Turkish hacker group has also occurred at Microsoft in Brazil, Dell in South Korea, and other websites [7822]. This indicates that similar attacks have targeted multiple organizations, demonstrating a pattern of exploiting DNS vulnerabilities across different entities.
Phase (Design/Operation) design (a) The software failure incident described in the articles is related to the design phase. The incident was caused by a hack on the domain name system (DNS) by a Turkish hacker group, which resulted in the redirection of traffic to high-profile websites. The hackers attacked the DNS records at the "domain name registrar" company, which registered the affected sites, leading to users being directed to unauthorized web pages controlled by the hackers. This design flaw in the DNS system allowed the hackers to manipulate the routing of users to websites, demonstrating a vulnerability in the system design [7822]. (b) The software failure incident is not directly related to the operation phase or misuse of the system.
Boundary (Internal/External) within_system, outside_system (a) The software failure incident described in the article is primarily within_system. The Turkish hacker group targeted the domain name system (DNS) by hacking into the database for the DNS at the "domain name registrar" company which registered the affected sites. This internal manipulation of the DNS records allowed the hackers to redirect users to any web page they desired, demonstrating a failure originating from within the system itself [7822]. (b) Additionally, the incident involved outside_system factors as the hackers exploited vulnerabilities in the DNS infrastructure, which relies on servers around the world to record and pass on updated details about site addresses. By manipulating these external dependencies, the hackers were able to disrupt the normal functioning of the websites without directly compromising the sites themselves [7822].
Nature (Human/Non-human) non-human_actions (a) The software failure incident in this case occurred due to non-human actions. The Turkish hacker group diverted traffic to high-profile websites by attacking the domain name system (DNS), which is used to route users to websites. They hacked into the database for the DNS at the "domain name registrar" company which registered the sites, changing the details recorded for the affected sites. This led to users being redirected to pages owned by a customer of a US company, Blue Mile Networks, showcasing that the failure was caused by factors introduced without human participation [7822]. (b) The software failure incident was not due to contributing factors introduced by human actions but rather by the actions of the Turkish hacker group who exploited vulnerabilities in the DNS system to redirect traffic to unauthorized pages. There is no indication in the article that the failure was a result of mistakes or actions by legitimate users or administrators [7822].
Dimension (Hardware/Software) software (a) The software failure incident reported in the articles was not directly attributed to hardware issues. The incident was primarily caused by a hack carried out by a Turkish hacker group that targeted the domain name system (DNS) of various high-profile websites [7822]. (b) The software failure incident was a result of contributing factors originating in software, specifically the DNS servers and the domain name registrar's database being hacked into by the group. This led to the redirection of traffic to unauthorized web pages and the potential theft of user data [7822].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. A Turkish hacker group carried out a DNS hack that diverted traffic to high-profile websites, putting users at risk of having their passwords, emails, and other details stolen. The hackers targeted domain name system (DNS) servers to redirect users to any web page they wanted, demonstrating malicious intent to harm the affected websites and users [7822].
Intent (Poor/Accidental Decisions) unknown (a) The intent of the software failure incident was not due to poor decisions but rather intentional malicious actions by a Turkish hacker group. The group diverted traffic to high-profile websites by attacking the domain name system (DNS), which resulted in users being redirected to unauthorized pages. The hackers claimed they did it for "entertainment" and mentioned they targeted large systems with small weaknesses just for fun [7822]. (b) The software failure incident was not accidental but a deliberate act by the hackers who planned and executed the hack on the DNS servers of various websites. Their actions were intentional and aimed at redirecting users to specific pages for their own amusement and to showcase their capabilities [7822].
Capability (Incompetence/Accidental) accidental (a) The software failure incident reported in the article was not due to development incompetence. It was caused by a Turkish hacker group who diverted traffic to high-profile websites by attacking the domain name system (DNS) [7822]. (b) The software failure incident was accidental in the sense that the websites themselves remained unaffected, but the hackers attacked the DNS, causing users to be redirected to unauthorized pages. The hackers claimed they did it for "entertainment" and mentioned it was just for fun, indicating an accidental motive rather than a planned attack due to development incompetence [7822].
Duration temporary (a) The software failure incident described in the article was temporary. The incident involved a DNS hack carried out by a Turkish hacker group, which resulted in the redirection of traffic to high-profile websites. The hackers were able to manipulate the DNS records for the affected sites by hacking into the database of the domain name registrar company. This led to users being redirected to a different web page controlled by the hackers. The incident was not permanent as it was based on the manipulation of DNS records, which could be rectified by restoring the correct information in the registrar database. It was mentioned that it could take up to two days to replace the faked records, indicating that the issue was reversible [7822].
Behaviour byzantine, other (a) crash: The software failure incident described in the articles does not align with a crash as the system did not lose its state and stop performing its intended functions. The incident involved a DNS hack that redirected traffic to high-profile websites but did not cause the websites to crash or stop functioning [7822]. (b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the hackers manipulated the DNS system to redirect traffic to specific web pages, indicating a deliberate action rather than an omission of function [7822]. (c) timing: The timing of the incident does not relate to the system performing its intended functions too late or too early. The hack was executed on a Sunday evening, and the redirection of traffic occurred immediately once the DNS records were altered by the hackers [7822]. (d) value: The software failure incident does not involve the system performing its intended functions incorrectly in terms of providing incorrect outputs or results. The incident was a deliberate hack that redirected users to specific web pages chosen by the hackers [7822]. (e) byzantine: The behavior of the software failure incident aligns more closely with a byzantine failure. The hackers manipulated the DNS system to redirect traffic to specific web pages, demonstrating inconsistent responses and interactions with the users who were unknowingly redirected to different sites [7822]. (f) other: The behavior of the software failure incident could also be described as a cyber attack or a DNS hijacking incident. The hackers exploited vulnerabilities in the DNS system to redirect traffic to unauthorized web pages, demonstrating a malicious and unauthorized behavior not covered by the options (a) to (e) [7822].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident described in the article resulted in the diversion of traffic to high-profile websites by a Turkish hacker group. This action put unwary users at risk of having passwords, emails, and other details stolen [7822]. The hackers were able to manipulate the domain name system (DNS) to redirect users to different web pages, potentially leading to the theft of sensitive information from individuals accessing the affected sites. This indicates a direct impact on people's property in the form of compromised data and potential financial loss.
Domain information (a) The failed system was intended to support the information industry. The incident involved a Turkish hacker group diverting traffic to high-profile websites like the Telegraph, UPS, Betfair, Vodafone, National Geographic, and more, putting users at risk of having passwords and emails stolen [7822]. The hackers targeted domain name systems (DNS) to redirect users to specific web pages, demonstrating a breach in the information industry's cybersecurity infrastructure.

Sources

Back to List