Hackers who attacked the Dutch firm DigiNotar used advanced tools for their intrusion and have been active for a long time, according to the preliminary investigation by the Dutch IT firm Fox-IT.
"We found that the hackers were active for a longer period of time. They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced," the report said.
In at least one script, the hacker left fingerprints on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files that would reveal more about the creation of the signatures were deleted.
On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificates for a number of domains, including Google.com.
Around 300,000 unique IP addresses making requests for the rogue google.com certificate have been identified. Of these, 99 percent originated from Iran.
Using the rogue certificate, the hacker or hackers could monitor people who visited Google, steal their passwords and obtain access to other services such as Facebook and Twitter, Fox-IT said.
The report also showed the following plain text left in a script used to generate signatures on rogue certificates:
While it was initially thought that only a fraudulent *.google.com certificate had been issued, DigiNotar belatedly admitted that dozens of fraudulent certificates had been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. DigiNotar could not guarantee that all of them had been revoked.
The following is the timeline of the DigiNotar attack:
Possibly first exploration by the attacker(s)
Servers in the DMZ in control of the attacker(s)
Incident detected by DigiNotar by daily audit procedure
First attempt creating a rogue certificate
The first successful rogue certificate (*.Google.com)
Last known successful rogue certificate created
Last outbound traffic to attacker(s) IP (not confirmed)
Start investigation by IT-security firm (not confirmed)
Delivery of security report of IT-security firm
First rogue *.google.com OCSP request
First seen that rogue certificates were verified from Iran
Start massive activity of *.google.com on OCSP responder
First mention of *.google.com certificate in blog
GOVCERT.NL is notified by CERT-BUND
The *.google.com certificate is revoked
Start investigation by Fox-IT
Incident response sensor active
OCSP responses based on a white list
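As an added example (not code from the Fox-IT report, from DigiNotar, or from this article), the following Python script shows the two defender-side steps the timeline refers to: counting the distinct client IPs that query an OCSP responder about each certificate serial, which is how the scale of use of a rogue certificate such as *.google.com can be measured from the responder's own logs, and answering OCSP requests from a white list of serials the CA can account for, so that any certificate the CA did not knowingly issue is reported as revoked. The log format, the serial numbers and the IP addresses are constructed assumptions.

```python
"""Aggregate OCSP request logs per certificate serial and answer from a white list.

Added example, not code from the Fox-IT report or from DigiNotar. The log
format is an assumption: one request per line with an ISO-8601 timestamp, the
client IP and the hex serial number of the certificate being checked.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (not real DigiNotar data); addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2011-08-04T09:12:01Z 192.0.2.10 0A1B2C3D
2011-08-04T09:12:05Z 192.0.2.11 0A1B2C3D
2011-08-04T09:13:44Z 198.51.100.7 05E6F7A8
2011-08-04T09:14:02Z 203.0.113.5 0A1B2C3D
2011-08-04T09:14:03Z 203.0.113.6 0A1B2C3D
2011-08-04T09:14:03Z 203.0.113.6 0A1B2C3D
2011-08-04T09:15:17Z 198.51.100.9 05E6F7A8
malformed line that should be skipped
"""

# Constructed white list of serials the CA knows it legitimately issued.
ISSUED_SERIALS = {"05E6F7A8", "0BADC0DE"}


@dataclass(frozen=True)
class OcspRequest:
    ts: datetime
    client_ip: str
    serial: str


def parse_log(text):
    """Parse the assumed log format; malformed lines are counted and skipped."""
    records, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            skipped += 1
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            skipped += 1
            continue
        # Normalise serial case so the same certificate is never counted twice.
        records.append(OcspRequest(ts, parts[1], parts[2].upper()))
    return records, skipped


def unique_clients_per_serial(records):
    """Map each serial to the set of distinct client IPs that asked about it."""
    clients = defaultdict(set)
    for r in records:
        clients[r.serial].add(r.client_ip)
    return dict(clients)


def ocsp_status(serial, issued):
    """White-list mode: only serials the CA can account for are 'good'.

    Every other serial, including ones the CA never knowingly issued, is
    answered 'revoked', which is what moving the responder to a white list
    achieves when the CA cannot enumerate all rogue certificates.
    """
    return "good" if serial.upper() in issued else "revoked"


def suspicious_serials(records, issued, min_clients=3):
    """Serials absent from the white list but queried by many distinct clients:
    certificates the CA cannot account for that are nevertheless in use."""
    per_serial = unique_clients_per_serial(records)
    return sorted(s for s, ips in per_serial.items()
                  if s not in issued and len(ips) >= min_clients)


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    for serial, ips in sorted(unique_clients_per_serial(recs).items()):
        status = ocsp_status(serial, ISSUED_SERIALS)
        print(f"{serial}: {len(ips)} unique clients, status={status}")
    print("suspicious:", suspicious_serials(recs, ISSUED_SERIALS))
    print("skipped lines:", skipped)
```

On the constructed sample the unknown serial 0A1B2C3D is seen from four distinct clients and is flagged, while the white-listed serial 05E6F7A8 answers "good"; the same aggregation over a real responder log is what turns raw request volume into the unique-IP figures a report like Fox-IT's cites.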