Domainmonster.com Industry News

05-Sep-2011

High Profile Domains Targeted in DNS Hack

High-profile sites across the world were targeted over the weekend in a DNS hijack that redirected domains to Turkish holding pages. The hacking group, known as TurkGuvenligi (TG for short), tracked down the domains' registrars, compromised the nameserver settings of various domains and began to wreak havoc with their DNS records.

Organisations targeted included the Telegraph, UPS, Microsoft and Acer. At first it wasn’t clear how the sites had been hacked, and anyone navigating to the affected domains saw a holding page belonging to the Turkish hacking group. This led many to believe the sites themselves had been hacked directly.

However, it later transpired that the hackers had used the Domain Name System (DNS) to redirect traffic to a completely different server, and the sites themselves remained untouched on their usual hosting platforms. The problem was that the domains no longer pointed to that content. Any emails sent to the affected domains would also have gone straight to the hackers, as it is believed they changed the Mail Exchange (MX) records as part of the attack.

The main function of DNS is to translate a text address, e.g. www.telegraph.co.uk, into a numerical IP address that computers across the web can use. Amongst other things, it also provides the list of mail servers that accept mail for each domain name. Each domain uses a set of nameservers, where its various DNS records are stored, and other nameservers and resolvers are directed there when looking up information about the domain. Whoever controls those nameserver settings at the registrar therefore controls where the domain's web traffic and email go.
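The change described here (nameserver and MX records altered through the registrar) shows up as drift between a domain's current NS, A and MX records and a baseline recorded when the domain was known to be healthy. The following Python is an added example, not code from this article or from Domainmonster; the two zone snapshots are constructed, and the names and addresses in them are placeholders.

```python
"""Detect registrar-level DNS hijacks by diffing a domain's NS/A/MX records against a baseline."""
from typing import Dict, List, Set, Tuple

# Constructed snapshots in a simple "NAME TYPE VALUE" form. In practice the observed
# snapshot would come from querying the authoritative servers (e.g. `dig +short NS example.com`)
# rather than a caching resolver, so that a fresh delegation change is not masked by cached data.
BASELINE = """
example.com. NS ns1.example-host.net.
example.com. NS ns2.example-host.net.
example.com. A 192.0.2.10
example.com. MX 10 mail.example.com.
"""

OBSERVED = """
example.com. NS ns1.attacker-dns.example.
example.com. NS ns2.attacker-dns.example.
example.com. A 198.51.100.77
example.com. MX 10 mx.attacker-dns.example.
"""


def parse_records(snapshot: str) -> Dict[str, Set[str]]:
    """Group record values by type. MX keeps its priority, so a priority swap also counts as a change."""
    records: Dict[str, Set[str]] = {}
    for line in snapshot.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        rtype, value = parts[1].upper(), " ".join(parts[2:]).lower()
        records.setdefault(rtype, set()).add(value)
    return records


def dns_drift(baseline: str, observed: str,
              watched: Tuple[str, ...] = ("NS", "A", "MX")) -> List[str]:
    """Return one finding per watched record type whose value set differs from the baseline."""
    base, obs = parse_records(baseline), parse_records(observed)
    findings = []
    for rtype in watched:
        expected, actual = base.get(rtype, set()), obs.get(rtype, set())
        if expected != actual:
            findings.append(f"{rtype} changed: added={sorted(actual - expected)} "
                            f"removed={sorted(expected - actual)}")
    return findings


if __name__ == "__main__":
    for finding in dns_drift(BASELINE, OBSERVED):
        print(finding)  # a non-empty result is the alert condition
```

An unchanged baseline yields an empty list, so the check can run on a schedule and alert only on a non-empty result.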

This meant that the domain owners had no control over the content being shown on their domains, as they had no way of taking down the pages served from the hackers' destination server. Once the origin of the attack was discovered, the affected domain owners were forced to wait anxiously until their domain name registrar could help them reverse the changes the hackers had made.

In an interview, the group responsible simply said the attack had been carried out for fun and to highlight small weaknesses in large systems.

They also went on to explain a little more about their tactics for taking down sites. If the site itself cannot be targeted using a vulnerability found in a script, they move on to assess the hosting server. If that still yields no results, they turn to the domain name registrar to gain access to the DNS instead.

The group was also responsible for a very similar attack on Korean websites last month. Around 100,000 domains were thought to have been affected, including HSBC Korea and Epson.

All sites affected are now back up and running, and seem to have fully recovered from the breach. Let’s hope the companies affected have learned from the hack and are taking a close look at their systems!