Last Wednesday, Comodo, an Internet security provider, announced that one of its affiliates in Italy had been compromised and used to issue certificates for communication sites such as Gmail, Skype and Yahoo Mail.
To protect Internet users, one widely used online security system is the Secure Sockets Layer (SSL). SSL certificates provide users a guarantee that the site to which they are connecting is actually what it claims to be. Comodo’s hacked affiliate was a Registration Authority, and thus authorized to issue security certificates to individuals or entities after conducting a diligent investigation into their legitimacy.
The hacker, working from an Internet Protocol (IP) address in Iran, broke into the affiliate’s account and was able to issue nine bogus certificates. With those, the thief could pretend to be, for example, Gmail. Gmail senders would have no idea that they were sending all their mail directly to the thief.
Comodo CEO and founder Melih Abdulhayoglu likened the breach to the September 11 terrorist attacks. “Our own planes are being used against us in the [certificate authority] world,” he said.
He also said that the evidence, albeit circumstantial, pointed to the government of Iran as the hacker.
A minor element was the hacker’s IP address in Iran. Analysts point out that hackers often work through a foreign IP address to cover their tracks, so the Iranian IP address proves nothing. In this case, however, the hacker was not doing damage to a website, which would prompt an investigation into the origin. The hacker in this case was assuming no one would ever know what he was doing and so would have no reason to track the IP address.
The certificates covered the email login pages of the mail services of Google (gmail.com), Yahoo (yahoo.com) and Microsoft (hotmail.com), the Internet phone service Skype, and add-ons for the Internet browser Mozilla Firefox.
Comodo said its affiliate realized what was happening while the theft was underway and “within hours” revoked all the certificates, so the thief actually got away with nothing. Only one certificate, for Yahoo, was found to have been tried online via a second IP address in Iran.
“What can you do with such a certificate?” explains Mikko Hypponen, chief research officer of F-Secure. “Well, if you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to a fake [login page] and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their email when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn’t notice this was going on.”
Comodo said that Massimo Penco, a vice president of Comodo based in Italy, was on the phone within 15 minutes of being alerted March 15, telling partners in New Jersey to lock the system. “Someone issued a certificate for Google, but we didn’t have a request [for a certificate] from Google.” Within hours, the certificates were revoked, but the issue was not made public until a week later to give Comodo more time to fully check things out. Besides revoking the certificates, Comodo issued updates to popular Internet browsers that would warn users if they were not accessing the intended site.
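The two defensive measures this paragraph mentions, revoking the certificates and shipping browser updates that refuse them, amount to a policy check the client applies to every certificate it is shown. The following Python is an added example, not Comodo’s or any browser vendor’s code; it sketches such a check with three tests: hostname matching, a vendor blocklist of serial numbers, and issuer pinning. All serials, host names and CA names in it are constructed placeholders, since the actual revoked serials are not given in the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class LeafCert:
    """Fields of a presented certificate that this check looks at."""
    subject_names: List[str]   # CN plus subjectAltName DNS entries
    issuer: str                # issuing CA's name, simplified to one string
    serial: str                # hex string, as openssl prints it


# Serial numbers a browser vendor pushed out in an update so the client
# refuses them even before any CRL or OCSP lookup. Constructed placeholders:
# the real serials from the incident are not on the page.
BLOCKED_SERIALS: Set[str] = {
    "0a:0b:0c:0d:0e:0f:00:01",
    "0a:0b:0c:0d:0e:0f:00:02",
}

# Issuer pinning: which CA the client expects to have issued the certificate
# for a given host. Assumption for the example; the names are invented.
PINNED_ISSUERS: Dict[str, Set[str]] = {
    "login.example-mail.test": {"Example Mail Root CA"},
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label,
    and '*.tld' patterns are rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]               # ".example-mail.test"
    if suffix.count(".") < 2:          # "*.test" would cover a whole TLD
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def evaluate(hostname: str, cert: LeafCert) -> List[str]:
    """Return the reasons to warn the user; an empty list means accept."""
    problems: List[str] = []
    if not any(hostname_matches(name, hostname) for name in cert.subject_names):
        problems.append("certificate does not name this host")
    if cert.serial.lower() in BLOCKED_SERIALS:
        problems.append("certificate serial is on the vendor blocklist")
    expected = PINNED_ISSUERS.get(hostname)
    if expected is not None and cert.issuer not in expected:
        problems.append(f"issuer {cert.issuer!r} is not pinned for this host")
    return problems


# Constructed sample certificates, not real ones.
GOOD_CERT = LeafCert(["login.example-mail.test", "*.example-mail.test"],
                     "Example Mail Root CA", "11:22:33:44")
MISISSUED_CERT = LeafCert(["login.example-mail.test"],
                          "Compromised Reseller RA", "0a:0b:0c:0d:0e:0f:00:01")

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("mis-issued", MISISSUED_CERT)):
        print(label, evaluate("login.example-mail.test", cert) or "accepted")
```

Running the module prints a verdict for both constructed certificates. A real client would take these fields from the parsed X.509 certificate and would still consult CRL or OCSP, because a vendor blocklist only covers serials that are already known to be bad; the pin is what catches a freshly mis-issued certificate for a high-value host.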
The “clinical accuracy” with which the perpetrator executed its attacks, says Comodo’s fraud incident report, is one of several pieces of circumstantial evidence that the attack was state-driven, likely by the Islamic Republic. While the usual cyber-criminal would infiltrate a financial system, the perpetrator of this attack targeted methods of communication, which would be useful for spying on users—particularly if they belong to a dissident group—but not financially beneficial.
The addition of the Mozilla add-ons to the certificates breached, speculates Symantec researcher Eric Chien, might be because the add-ons could be used by dissidents to bypass regime censorship filters.
“All things point to the Iranian government and their newly founded cyber warfare department,” said Abdulhayoglu. He didn’t say why he was ruling out China, Burma or some other autocratic state that has been trying like Iran to spy on its citizens using the Internet.
Brigadier General Ali Fazli, deputy commander of the Basij, publicly announced last month that his forces plan to launch cyber attacks on the enemies of the Islamic Republic. (See Iran Times of March 18.)
It is plausible, though far from certain, that this incident is connected to Fazli’s comments. Earlier in the month, the Supreme Leader’s representative to the Pasdaran—of which the Basij is a branch—boasted that the Pasdaran had already attacked the Voice of America website and that the Iranian Cyber Army, which has been seen attacking different websites such as Twitter for more than two years, was part of the Pasdaran.
Nevertheless, a solo hacker—who claimed to be Iranian—took responsibility for the breach Sunday in a post on the text-storage website, Pastebin.com, saying, “We have no relation to Iranian Cyber Army… we just hack and own… I’m a single hacker with [the] experience of 1,000 hackers.”
The self-proclaimed 21-year-old “ComodoHacker” says he alone broke into InstantSSL.it, Comodo’s Italian certificate-selling service, decompiled a file to obtain the username and password for issuing certificates, and was able to issue the nine certificates within 15 minutes of getting the log-in information.
A few analysts, such as Robert Graham, CEO of Errata Security, believe that claim, but many others have doubts. “As a pentester [someone who checks computer security by simulated attacks] who does attacks similar to what the ComodoHacker did, I find it credible,” Graham said. “I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he’s patriotic but not political.” The reason he did not go after PayPal or similar websites collecting financial data, Graham added, is that he started with a different goal “and ended up reaching a related goal forging certificates. He didn’t think of PayPal because he wasn’t trying to do anything at all with the forged certificates.”
Mikko Hypponen, however, said it was still odd for an individual to create certificates for communication systems or sites. While the ComodoHacker’s comments “look convincing,… whether they were posted by a 21-year-old lone gunman or the Iranian government PR department, I don’t know,” he said. Comodo’s fraud incident report placed the likely perpetrator as the Iranian government.
ComodoHacker claimed to be seeking retribution for the Stuxnet worm, malicious software he asserts was authored by the US and Israel to impede Iran’s nuclear program. But the hacker didn’t attack the US or Israeli governments. He struck private communications systems.
ComodoHacker said, “Anyone inside Iran with problems, from fake Green Movement to all MKO members and two-faced terrorists, should [be] afraid of me personally. I won’t let anyone inside Iran, harm people of Iran, harm my country’s Nuclear Scientists, harm my Leader (which nobody can), harm my president.” He signed his post with “Janam Fadaye Rahbar,” meaning “I will sacrifice my soul for my leader.”