DigiNotar Hackers Used 'Advanced Tools' for Intrusion, Report Says

Hackers who attacked the Dutch firm DigiNotar used advanced tools for their intrusion and have been active for a long time, according to the preliminary investigation by the Dutch IT firm Fox-IT.

We found that the hackers were active for a longer period of time. They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced, the report said.

In at least one script, the hacker left fingerprints on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files that would reveal more about the creation of the signatures were deleted.

On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

Around 300,000 unique requesting IPs to google.com have been identified. Of these, 99 percent originated from Iran.

Using a stolen certificate the hacker, or hackers, monitored people who visited Google, could steal their passwords and could obtain access to other services such as Facebook and Twitter, said Fox-IT.

The report also showed the following plain text left in script to generate signatures on rogue certificates:

While it was initially thought only a fraudulent *.google.com certificate had been issued, DigiNotar belatedly admitted that dozens of fraudulent certificates have been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. DigiNotar could not guarantee that all of them had been revoked.

Following is the timeline of DigiNotar attack: