Tags: dns-hijack, iran, infrastructure

Sea Turtle

Iranian operators did not break into their targets. They hijacked the DNS records that pointed visitors at them and intercepted the traffic at the doorstep.

Cyber Chronicle

In April 2019, Cisco Talos published an unusual disclosure. A long-running campaign, attributed to Iranian intelligence services, had been quietly hijacking the DNS records of government agencies, telecommunications providers, and internet infrastructure companies across the Middle East, North Africa, and Europe. The campaign, which Talos named Sea Turtle, did not breach its targets directly. It manipulated the layer that resolved those targets' names.

A man in the middle of the resolver

The operators went after registrars and ccTLD operators — the institutional plumbing that decides which IP address a given domain name points to. Once they could modify a target's DNS records, they could redirect email traffic, web traffic, and even validation requests for TLS certificates through attacker-controlled servers. Browsers and mail clients had no way to notice; the certificates the attackers obtained were freshly minted by legitimate CAs, against domain-control validation requests the attackers themselves answered.
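A registrar-level hijack shows up as the authoritative NS, A or MX records of a zone changing without the owner having asked for it, which is why the practical defence is to compare what resolvers return against a signed-off baseline and alert on drift. The following monitor is an added example, not code from the chronicle or from Talos; the baseline values and the two resolver "views" are constructed sample data in RFC 2606 / RFC 5737 ranges, and the resolver labels are placeholders. It distinguishes the case where vantage points disagree (propagation lag or poisoning at one resolver) from the case where all vantage points agree on data that differs from the baseline, which is the Sea Turtle pattern of a change made at the registrar or registry.

```python
"""Flag unexpected changes to a zone's delegation and service records.

Added example; the record sets below are constructed. In production the
observations would come from several independent resolvers polled on a
schedule, and the baseline from the zone owner's change-control records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rrtype: str
    expected: frozenset
    observed: frozenset
    severity: str


# NS and DS changes move the whole zone; MX/A/CAA changes divert one service
# or let an attacker influence certificate issuance. (Assumed ranking.)
SEVERITY = {"NS": "critical", "DS": "critical", "MX": "high", "A": "high", "CAA": "high"}

# Baseline approved by the zone owner (constructed values).
BASELINE = {
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.net."},
}

# Constructed observation mimicking a registrar-level hijack: the
# nameservers and the mail exchanger now point at attacker-run hosts.
OBSERVED_HIJACKED = {
    "NS": {"ns1.hijacked.example.", "ns2.hijacked.example."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.hijacked.example."},
}


def diff_records(baseline, observed):
    """Return one Finding per record type whose RRset differs from the baseline."""
    findings = []
    for rrtype in sorted(set(baseline) | set(observed)):
        expected = frozenset(baseline.get(rrtype, ()))
        actual = frozenset(observed.get(rrtype, ()))
        if expected != actual:
            findings.append(Finding(rrtype, expected, actual, SEVERITY.get(rrtype, "medium")))
    return findings


def _canonical(view):
    # Order-independent representation of a {rrtype: set_of_rdata} mapping.
    return tuple(sorted((k, tuple(sorted(v))) for k, v in view.items()))


def assess(baseline, observations):
    """Classify a set of resolver views against the baseline.

    observations maps a resolver label to the RRsets that resolver returned.
    Returns (verdict, findings) where verdict is one of:
      'clean'                - every view matches the baseline
      'inconsistent'         - resolvers disagree with each other; investigate
                               propagation lag or poisoning at one vantage point
      'authoritative_change' - resolvers agree, but not with the baseline; the
                               authoritative data itself was changed
    """
    views = list(observations.values())
    if len({_canonical(v) for v in views}) > 1:
        return "inconsistent", []
    findings = diff_records(baseline, views[0])
    return ("authoritative_change", findings) if findings else ("clean", [])


if __name__ == "__main__":
    verdict, findings = assess(BASELINE, {"resolver-a": OBSERVED_HIJACKED,
                                          "resolver-b": OBSERVED_HIJACKED})
    print(verdict)
    for f in findings:
        print(f"[{f.severity}] {f.rrtype}: expected {sorted(f.expected)}, saw {sorted(f.observed)}")
```

Polling from more than one network and more than one resolver matters here: a single vantage point cannot tell a registry-side change from a poisoned cache, and the two call for different responses (registrar lockdown and certificate revocation versus a resolver-side investigation).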

The cleanup required not only fixing the affected DNS records but revoking any certificate issued during the hijack window, rotating any credential transmitted over the diverted traffic, and notifying users whose authentication tokens may have been captured. The damage was hard to bound.
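Because the attackers answered the CAs' domain-control checks themselves, the certificates they obtained are indistinguishable from legitimate ones except by when they were issued and by the fact that the owner never requested them. Certificate Transparency logs record both, so the revocation step of the cleanup reduces to a triage over the log entries for the zone. The routine below is an added example, not part of the chronicle or the Talos report; the log entries, serials, zone name and hijack window are all constructed, and the one-hour backdating allowance is an assumption (some CAs set notBefore slightly before the actual issuance time).

```python
"""Select certificates to revoke after a DNS hijack window.

Added example with constructed data. Real input would be the CT log
entries returned by a log monitor for the affected zone, and the hijack
window would come from registrar audit logs and resolver observations.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CtEntry:
    serial: str
    issuer: str
    not_before: datetime
    names: tuple  # subject alternative names


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def suspicious_certificates(entries, zone, hijack_start, hijack_end,
                            known_serials, backdate_slack=timedelta(hours=1)):
    """Return CT entries for the zone issued inside the hijack window that the
    owner did not request, oldest first.

    known_serials: serials the owner's own tooling obtained (from its ACME or
    CA account records). backdate_slack widens the window start because a CA
    may stamp notBefore earlier than the moment of issuance (assumed value).
    """
    window_start = hijack_start - backdate_slack
    hits = [
        e for e in entries
        if any(_in_zone(n, zone) for n in e.names)
        and window_start <= e.not_before <= hijack_end
        and e.serial not in known_serials
    ]
    return sorted(hits, key=lambda e: e.not_before)


# Constructed sample: a five-day hijack window and a handful of log entries.
ZONE = "example.org"
HIJACK_START = datetime(2019, 1, 9, 0, 0, tzinfo=timezone.utc)
HIJACK_END = datetime(2019, 1, 14, 0, 0, tzinfo=timezone.utc)
OWN_SERIALS = {"0a1b2c"}  # the owner's own renewal during the window

SAMPLE_ENTRIES = [
    CtEntry("cafe01", "Example CA", datetime(2018, 12, 1, tzinfo=timezone.utc), ("www.example.org",)),
    CtEntry("0a1b2c", "Example CA", datetime(2019, 1, 10, tzinfo=timezone.utc), ("www.example.org",)),
    CtEntry("dead01", "Example CA", datetime(2019, 1, 12, tzinfo=timezone.utc), ("mail.example.org", "webmail.example.org")),
    CtEntry("f00d01", "Example CA", datetime(2019, 1, 12, tzinfo=timezone.utc), ("other.example.com",)),
    # notBefore 30 minutes before the window start: caught by the slack.
    CtEntry("beef02", "Example CA", HIJACK_START - timedelta(minutes=30), ("vpn.example.org",)),
]


if __name__ == "__main__":
    for e in suspicious_certificates(SAMPLE_ENTRIES, ZONE, HIJACK_START, HIJACK_END, OWN_SERIALS):
        print(f"revoke serial {e.serial} ({e.issuer}) issued {e.not_before.isoformat()} for {', '.join(e.names)}")
```

The same list doubles as the scope for the other two cleanup steps the chronicle names: every hostname that appears in a flagged certificate had its TLS traffic terminated by the attacker, so credentials and session tokens sent to those names inside the window are the ones to rotate and the users to notify.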

A standing infrastructure problem

Sea Turtle's choice of target made the case a reference point in internet-infrastructure security discussions. DNSSEC adoption among ccTLDs accelerated. Registries tightened account access controls and added out-of-band verification for record changes. CISA and its European counterparts issued emergency guidance.

What the chronicle remembers

Sea Turtle was the canonical demonstration that DNS itself is a target worth attacking and that a few well-placed registrar compromises can quietly substitute for a much harder direct intrusion. The lesson reshaped how core internet operators thought about who exactly was on the other end of their administrative login pages.