ICANN hacked

News by Tony Morbin

ICANN, the US-administered non-profit organisation that handles internet protocol (IP) addresses, domains and root server management, confirms that it has been hacked and that the email credentials of several staff were compromised. The intrusion is believed to have begun with a spear-phishing attack in late November 2014 and was discovered a week later, in early December 2014.

If the attackers had gained full access to the system used to make changes at the very top of the internet, and been able to alter the root zone files, they could have severely damaged the functionality of the internet. When the network addresses of the world's top-level nameservers are changed, ICANN sends a secure email or submits a request through a secure web portal, consisting of a standard-format change request and a self-certification that ICANN has followed its own processes. (see more in January SCMagazineUK print edition)

In the event, the compromised credentials were indeed used to access other areas, including the Centralised Zone Data System (czds.icann.org), with administrative access gained for all files in the CZDS. This included copies of the zone files in the system, as well as users' names, postal addresses, email addresses, fax and telephone numbers, usernames, and passwords. Although the passwords were stored as salted cryptographic hashes, ICANN has deactivated all CZDS passwords as a precaution. The attackers couldn't alter the root zone files but they do now know who is registered with the system, which includes many of the administrators of the world's registries and registrars.

ICANN has notified CZDS users whose personal information may have been compromised and advised them to take 'appropriate steps' to protect any other online accounts using the same username and/or password. So there has been a week-long window during which such credentials could potentially have been used, if the hashed passwords were cracked.
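The two preceding paragraphs turn on a single technical point: salted hashing means a leaked password table cannot be reversed at a glance, yet cracking remains possible, which is why ICANN both deactivated every CZDS password and told users to change any reused ones. The Python below is an added illustration of that defensive pattern, not ICANN's code; the article does not say which hash function, salt length or work factor the CZDS used, so PBKDF2-HMAC-SHA256 and the parameters here are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this illustration. The article does not state
# which scheme ICANN used; PBKDF2-HMAC-SHA256 with a per-user random salt
# and a deliberately slow iteration count is one common defensible choice.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
REVOKED = "!revoked"  # sentinel stored when an operator force-resets every account


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot be applied to the
    whole leaked database; the iteration count raises the per-guess cost.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    if record == REVOKED:
        return False  # deactivated accounts never verify, regardless of input
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_distinct_records(password: str) -> bool:
    """Show the salt doing its job: identical passwords, different stored records."""
    return hash_password(password) != hash_password(password)


def revoke_all(store: Dict[str, str]) -> Dict[str, str]:
    """Mirror the precaution described in the article: invalidate every stored
    credential at once so a cracked hash can no longer be used to log in."""
    return {user: REVOKED for user in store}


if __name__ == "__main__":
    # Constructed sample store with two users sharing a password.
    store = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print("distinct records for same password:", store["alice"] != store["bob"])
    print("alice verifies before revocation:", verify_password("correct horse", store["alice"]))
    store = revoke_all(store)
    print("alice verifies after revocation:", verify_password("correct horse", store["alice"]))
```

Revoking every record is the server-side half of the response; the client-side half, which no hashing scheme can enforce, is the advice in the article to change the same password wherever else it was reused.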

However, it appears that the only other unauthorised access obtained was to the ICANN GAC Wiki plus user accounts on the ICANN Blog (blog.icann.org) and the ICANN WHOIS (whois.icann.org) information portal. No impact was found to have occurred on either of these systems, and ICANN says that the attack does not affect any IANA-related systems.

The Register noted that this is extremely embarrassing for ICANN as it comes ahead of plans for it to take control of the critical IANA contract next year. IANA is the ICANN-run body that manages the heart of the internet's DNS. The breach may potentially be used either to support those in the US saying the country needs to retain greater control over the organisation, or those outside saying the organisation cannot rely on US control.

Security measures taken this year are claimed to have limited the unauthorised access obtained in the attack, and subsequently additional security measures are reported to have been implemented.

Commenters on various forums have voiced a range of concerns, especially that the people running the root zone of the internet should fall for phishing scams and click on unsolicited links, but also that two-factor authentication apparently was not in use.
