Hackers who attacked the Dutch firm DigiNotar used advanced tools for their intrusion and have been active for a long time, according to the preliminary investigation by the Dutch IT firm Fox-IT.

"We found that the hackers were active for a longer period of time. They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced," the report said.

In at least one script, the hacker left fingerprints on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files that would reveal more about the creation of the signatures were deleted.

On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

Around 300,000 unique requesting IPs to google.com have been identified. Of these, 99 percent originated from Iran.

Using a stolen certificate, the hacker or hackers could monitor people who visited Google, steal their passwords and gain access to other services such as Facebook and Twitter, said Fox-IT.

The report also showed the following plain text left in a script used to generate signatures on rogue certificates:

[Image of the script text; not reproduced in this copy of the article.]

While it was initially thought that only a fraudulent *.google.com certificate had been issued, DigiNotar belatedly admitted that dozens of fraudulent certificates had been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. DigiNotar could not guarantee that all of them had been revoked.

The following is the timeline of the DigiNotar attack:

Timeline

06-Jun-2011  Possibly first exploration by the attacker(s)
17-Jun-2011  Servers in the DMZ in control of the attacker(s)
19-Jun-2011  Incident detected by DigiNotar by daily audit procedure
02-Jul-2011  First attempt at creating a rogue certificate
10-Jul-2011  The first successful rogue certificate (*.Google.com)
20-Jul-2011  Last known successful rogue certificate was created
22-Jul-2011  Last outbound traffic to attacker(s) IP (not confirmed)
22-Jul-2011  Start of investigation by IT-security firm (not confirmed)
27-Jul-2011  Delivery of security report by IT-security firm
27-Jul-2011  First rogue *.google.com OCSP request
28-Jul-2011  First seen that rogue certificates were verified from Iran
04-Aug-2011  Start of massive activity of *.google.com on OCSP responder
27-Aug-2011  First mention of *.google.com certificate in blog
29-Aug-2011  GOVCERT.NL is notified by CERT-BUND
29-Aug-2011  The *.google.com certificate is revoked
30-Aug-2011  Start of investigation by Fox-IT
30-Aug-2011  Incident response sensor active
01-Sep-2011  OCSP based on white list
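Two defensive steps in the timeline above are worth seeing in code: the OCSP responder log analysis that surfaced the *.google.com requests (unique requesting IPs per certificate, almost all from one country), and the final mitigation of answering OCSP from a white list, so that any serial the CA cannot positively confirm it issued is reported as revoked. The example below is added here and is not code from Fox-IT, DigiNotar or the report; the log line format, the sample log lines, the serial numbers and the issuance/revocation sets are all constructed for the example.

```python
"""Added example (not from the Fox-IT report or DigiNotar): detecting rogue
certificates from OCSP responder logs, and answering OCSP from an allow-list.

Assumptions (constructed for this example, not the real responder format):
  - one log line per OCSP request: <ISO timestamp> <client ip> <serial hex> <country>
  - the CA's issuance database is available as a set of serial numbers
"""
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<serial>[0-9A-Fa-f]+)\s+(?P<cc>[A-Z]{2})$"
)

# Constructed sample log: serial 0A1B is a legitimately issued certificate,
# serial 1F2E was never issued by the CA but is being checked by many clients.
SAMPLE_LOG = """\
2011-08-04T08:00:01Z 198.51.100.10 0A1B NL
2011-08-04T08:00:05Z 198.51.100.11 0A1B DE
2011-08-04T09:12:00Z 203.0.113.5 1F2E IR
2011-08-04T09:12:07Z 203.0.113.6 1F2E IR
2011-08-04T09:12:09Z 203.0.113.6 1F2E IR
2011-08-04T09:13:44Z 203.0.113.77 1F2E IR
2011-08-04T09:20:00Z 192.0.2.8 1F2E NL
this line is garbage and is skipped
"""

# Constructed issuance database and revocation list (hypothetical serials).
ISSUED_SERIALS = {"0A1B", "3C4D"}
REVOKED_SERIALS = {"3C4D"}


@dataclass(frozen=True)
class OcspRequest:
    ts: str
    ip: str
    serial: str
    country: str


def parse_ocsp_log(text):
    """Parse responder log lines; malformed lines are skipped rather than fatal."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            requests.append(OcspRequest(m["ts"], m["ip"], m["serial"].upper(), m["cc"]))
    return requests


def summarize_by_serial(requests):
    """Map serial -> {ip: country}, so repeated hits from one IP count once."""
    per_serial = {}
    for r in requests:
        per_serial.setdefault(r.serial, {}).setdefault(r.ip, r.country)
    return per_serial


def flag_unknown_serials(per_serial, issued_serials):
    """Serials clients ask about that the CA has no record of issuing.

    Returns one finding per unknown serial with the unique-IP count and the
    dominant requesting country, which is what made the rogue certificate stand out.
    """
    findings = []
    for serial, ips in sorted(per_serial.items()):
        if serial in issued_serials:
            continue
        top_cc, top_n = Counter(ips.values()).most_common(1)[0]
        findings.append({
            "serial": serial,
            "unique_ips": len(ips),
            "top_country": top_cc,
            "top_country_share": round(top_n / len(ips), 2),
        })
    return findings


def ocsp_status(serial, issued_serials, revoked_serials):
    """Allow-list responder: only serials positively known as issued and not
    revoked get 'good'; anything else (including serials the CA cannot account
    for because logs were deleted) is answered 'revoked' instead of 'unknown'."""
    serial = serial.upper()
    if serial in revoked_serials or serial not in issued_serials:
        return "revoked"
    return "good"


if __name__ == "__main__":
    summary = summarize_by_serial(parse_ocsp_log(SAMPLE_LOG))
    for finding in flag_unknown_serials(summary, ISSUED_SERIALS):
        print("unknown serial:", finding)
    for s in ("0A1B", "3C4D", "1F2E"):
        print(s, "->", ocsp_status(s, ISSUED_SERIALS, REVOKED_SERIALS))
```

The detection side keys on a serial the CA never issued rather than on request volume alone, because a rogue certificate with a low-traffic victim would not show up in a simple top-N by hits. The allow-list responder is the deny-by-default answer to the same gap: when the issuance logs have been tampered with, the only safe set is the one the CA can still vouch for.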