ICANN systems compromised via Spear Phishing attack by unknown hackers

The ICANN organization confirmed that several its systems were compromised via Spear Phishing attack. The company is investigating the case.

ICANN revealed the details of a recent spear phishing attack that allowed unknowns to access its network. The attackers spoofed the ICANN domain, and deceived internal staff into revealing their email credentials.

The ICANN is the organization that manages the global top-level domain system and its systems are vital for the overall Internet.

“The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution.” states the announcement published by the ICANN.

Experts at ICANN explained that that intrusion occurred in late November 2014 and among the actions made by the attackers there were the access to the Centralized Zone Data System (CZDS czds.icann.org).

The hackers had access to the system that manages the files with data on resolving specific domain names (zone files), as well as personal information provided by the user (i.e. name, postal address, email address, fax and telephone numbers, credentials).  Although the passwords were stored as salted cryptographic hashes, ICANN deactivated all CZDS passwords in response to the incident.

“The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.”

The attackers also used the credentials to access other ICANN systems besides email including the ICANN GAC Wiki (gacweb.icann.org). Public information, the members-only index page and one individual user’s profile page was viewed. No other non-public content was viewed.

“Public information, the members-only index page and one individual user’s profile page was viewed. No other non-public content was viewed.” reports the statement from the ICANN.

The hackers also accessed user accounts on two other systems, the ICANN Blog (blog.icann.org) and the ICANN WHOIS (whois.icann.org) information portal, but in this case the investigators haven’t found any evidence of malicious operation.

In time I’m writing, ICANN is not aware other internal systems that have been compromised and the organization confirmed that the attack does not impact any IANA-related systems.

The ICANN also explained that a recent improvement to internal security helped contain the unauthorized access to its systems.

“Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems. We believe these enhancements helped limit the unauthorized access obtained in the attack. Since discovering the attack, we have implemented additional security measures.”

The ICANN highlighted that it is providing information about this incident publicly.

Pierluigi Paganini

(Security Affairs –  ICANN, spear-phishing attack)