The nonprofit organization that looks after internet names and domains has been hit by a spear-phishing attack that compromised company data, reports The Register.
# Incident Report: ICANN Spear Phishing Compromise
## Executive Summary
ICANN (Internet Corporation for Assigned Names and Numbers) suffered a security breach originating from a spear-phishing attack that compromised the email credentials of several staff members last month (prior to December 2014). This compromise enabled attackers to access sensitive internal systems, including the Centralized Zone Data System (CZDS), leading to the potential exposure of user registration data, including hashed passwords. ICANN responded by immediately deactivating affected passwords and implementing enhanced security measures.
## Incident Details
- Discovery Date: Prior to the statement released "this week" (mid-December 2014)
- Incident Date: Attacks appeared to begin "last month" (November 2014)
- Affected Organization: ICANN (Internet Corporation for Assigned Names and Numbers)
- Sector: Internet Infrastructure/Non-Profit Management
- Geography: Not explicitly stated (Global scope due to nature of ICANN)
## Timeline of Events
### Initial Access
- Date/Time: Prior to December 2014 (attack began "last month")
- Vector: Spear Phishing
- Details: Attackers targeted ICANN employees using emails that appeared to originate from ICANN servers to increase perceived legitimacy. This led to the compromise of several staff members' email credentials.
### Lateral Movement
- Details: Compromised credentials were used to access internal systems. Attackers gained access to the Centralized Zone Data System (CZDS), the Whois portal, the organization's blog, and the Governmental Advisory Committee's (GAC) wiki.
### Data Exfiltration/Impact
- Impact: Access to the GAC wiki exposed private employee details. Access to the CZDS allowed hackers to view information on users registered within the system, including names, postal addresses, email addresses, usernames, and passwords (stored as salted cryptographic hashes). Although file alteration was not possible, data viewing/theft occurred.
### Detection & Response
- Detection: ICANN revealed the breach publicly in a statement on its website during the week of December 14, 2014.
- Response Actions: Deactivation of all CZDS passwords as a precaution, and notification of all CZDS users whose personal information might be at risk.
## Attack Methodology
- Initial Access: Spear Phishing (Targeting employees with seemingly legitimate internal emails).
- Persistence: Compromised email credentials maintained access for lateral movement.
- Privilege Escalation: Not explicitly detailed, but moving from email access to system access suggests privilege escalation or leveraging existing account permissions.
- Defense Evasion: Using domain-spoofed or trusted internal-looking emails to bypass initial user scrutiny.
- Credential Access: Credential harvesting via spear-phishing links/attachments targeting email access.
- Discovery: Attackers utilized access to internal systems (CZDS, GAC wiki) for reconnaissance and data identification.
- Lateral Movement: Moving from compromised staff emails to critical systems like the CZDS.
- Collection: Viewing/gathering user registration data (names, addresses, credentials) from the CZDS and private employee details from the GAC wiki.
- Exfiltration: Data viewing/potential exfiltration occurred concerning CZDS user information.
- Impact: Theft of user registration records and internal private data.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Personal identifiable information (PII) of CZDS users, including names, postal addresses, email addresses, usernames, and passwords (hashed/salted). Private employee details from the GAC wiki.
- Operational: Access granted to critical infrastructure components (CZDS, Whois portal).
- Reputational: Public disclosure required due to the nature of ICANN's role in internet governance.
## Indicators of Compromise
- Network Indicators: (None provided in article, implied successful connection from attacker IP/domain to internal resources).
- File Indicators: (None provided in article).
- Behavioral Indicators: Unusual successful logins to the CZDS and GAC wiki from compromised staff user accounts shortly after those staff interacted with the spear-phishing emails.
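The behavioral indicator above is the one a defender can actually hunt for: a successful login by a phished user from a source that user never used before the phishing wave. The following Python script is an added example, not part of the original report or of ICANN's own tooling; the log format, user names, IP addresses and timestamps are constructed for illustration.

```python
"""Flag successful logins that follow a spear-phishing delivery and come from
a source IP the user never logged in from before the phishing wave.
Added example: the log format and all sample data below are constructed."""
from datetime import datetime, timedelta

# Constructed sample: when the phishing email reached each staff mailbox.
PHISH_DELIVERED = {
    "alice": datetime(2014, 11, 20, 9, 5),
    "bob": datetime(2014, 11, 20, 9, 6),
}

# Constructed sample auth log lines: "<ISO time> <app> <user> <src_ip> <result>"
AUTH_LOG = """\
2014-11-18T08:00:00 czds alice 10.1.4.22 success
2014-11-19T08:10:00 czds alice 10.1.4.22 success
2014-11-19T08:15:00 gacwiki bob 10.1.4.31 success
2014-11-20T11:40:00 czds alice 203.0.113.77 success
2014-11-20T11:41:00 czds alice 203.0.113.77 failure
2014-11-20T12:02:00 gacwiki bob 10.1.4.31 success
2014-11-21T03:15:00 czds carol 198.51.100.9 success
"""


def parse_log(text):
    """Parse the hypothetical space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "app": app,
                       "user": user, "ip": ip, "result": result})
    return events


def build_baseline(events, before):
    """Source IPs each user successfully logged in from before the cutoff."""
    baseline = {}
    for e in events:
        if e["result"] == "success" and e["ts"] < before:
            baseline.setdefault(e["user"], set()).add(e["ip"])
    return baseline


def find_suspicious_logins(events, phish_delivered, window=timedelta(hours=72)):
    """Return (user, app, ip, time) for successful logins by phished users
    that fall inside the window after delivery and come from a new source IP."""
    earliest = min(phish_delivered.values())
    baseline = build_baseline(events, earliest)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        delivered = phish_delivered.get(e["user"])
        if delivered is None or e["result"] != "success":
            continue  # not a phished user, or the login did not succeed
        in_window = delivered <= e["ts"] <= delivered + window
        if in_window and e["ip"] not in baseline.get(e["user"], set()):
            alerts.append((e["user"], e["app"], e["ip"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(AUTH_LOG), PHISH_DELIVERED):
        print("ALERT new-source login after phishing:", alert)
```

On the constructed data only alice's CZDS login from 203.0.113.77 is flagged: bob keeps logging in from his usual address, carol was not on the phishing recipient list, and the failed attempt is ignored. The baseline is built from logins before the first phishing delivery so that the attacker's own successful logins cannot poison it.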
## Response Actions
- Containment Measures: Deactivated all CZDS passwords immediately upon discovery.
- Eradication Steps: Not detailed, but likely involved resetting credentials for affected staff and securing the entry vector.
- Recovery Actions: Implementing additional security measures post-attack.
## Lessons Learned
- Spear phishing remains a highly effective initial attack vector, even against organizations managing critical infrastructure.
- Employee training and verification protocols for suspicious internal-looking communications are crucial.
- Although passwords were cryptographically hashed, the exposure required immediate credential invalidation.
## Recommendations
- Enhance technical controls (e.g., DMARC/SPF validation) to prevent internal-looking email spoofing that facilitates spear phishing.
- Implement Multi-Factor Authentication (MFA) across all critical systems, especially for employees whose credentials grant access to sensitive data repositories like the CZDS.
- Conduct mandatory, updated security awareness training focusing specifically on identifying spear-phishing attempts.
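The first recommendation (DMARC/SPF validation against internal-looking spoofed mail) is easiest to see with the published records side by side and the receiver's decision worked through. The following Python is an added example, not part of the original report and not ICANN's real DNS or mail configuration; the domain example.org, the attacker.example envelope domain, and the authentication results fed to the function are all hypothetical. It uses a simplified two-label organisational-domain rule rather than a public-suffix lookup.

```python
"""Weak vs hardened SPF/DMARC records for a hypothetical domain, and a
receiver-side DMARC disposition check. Added example with constructed data."""

# Constructed DNS TXT records for the hypothetical domain example.org.
# Weak: SPF softfail (~all) and a DMARC policy of p=none, which only reports.
WEAK_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}
# Hardened: SPF hard fail (-all), p=reject, strict SPF and DKIM alignment.
HARDENED_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.example.org": ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                           "rua=mailto:dmarc@example.org"),
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Report whether the SPF record ends in a soft (~all) or hard (-all) fail."""
    last = record.split()[-1]
    return {"~all": "softfail", "-all": "fail"}.get(last, "other")


def org_domain(domain):
    # Simplified organisational-domain rule: last two labels, no PSL lookup.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts the same organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(records, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'accept', 'quarantine' or 'reject' for a message whose visible
    From: domain is from_domain, given the SPF/DKIM results and the domains
    those results were computed for."""
    record = records.get("_dmarc." + from_domain)
    if record is None:
        return "accept"  # no published policy: DMARC does not apply
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain,
                                              tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain,
                                                tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "accept"
    policy = tags.get("p", "none")
    return policy if policy in ("quarantine", "reject") else "accept"


if __name__ == "__main__":
    # A message whose From: claims example.org but whose envelope sender and
    # SPF pass belong to an unrelated domain, with no DKIM signature.
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, dmarc_disposition(recs, "example.org", "pass",
                                      "attacker.example", "none", None))
```

Under the weak records the look-alike message is accepted because p=none only asks for reports; under the hardened records the same message is rejected, since neither SPF nor DKIM is aligned with the From: domain. Strict alignment also rejects mail DKIM-signed by a subdomain such as mail.example.org unless that subdomain is the one in From:, which is why adkim/aspf are usually tightened only after the reports from a p=none phase have confirmed every legitimate sending path.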