Nation-state actors risk destroying trust in the internet


By Martin Lee, Manager, Cisco Talos EMEA

The internet was developed as a means of connecting trusted environments. The entire system was built on trust: Trust that the many routers involved in transporting network traffic would diligently forward it to the intended destination. Trust that the destination was not a malicious system masquerading as the intended system. And trust that this network traffic would not adversely affect its destination. The protocols designed and built in this era of trust served the internet well, allowing it to grow.

Inevitably, as more systems and users connected to the internet, the element of blind trust was lost. Networks became increasingly secured as firewalls and intrusion prevention systems were developed and deployed in order to keep out untrustworthy connections, and overtly malicious traffic. Yet the internet has thrived, and become an integral part of our lives.

This is why it is so concerning when we discover nation-state threat actors undermining the DNS system — the protocol that allows us to turn human-readable domain names into machine-readable IP addresses. It is essentially the phone book of the internet.

Over the past year, Cisco Talos has identified two separate nation-state campaigns targeting DNS. In what we called "DNSpionage," attackers modified the DNS information of public and private sector organisations. In another campaign "Sea Turtle," a threat actor compromised entire top-level registries to take control of the entire name servers for the domains of national security organizations, ministries of foreign affairs and prominent energy organizations.

Attacking the DNS system means that one of the fundamental tenets of the internet, the assumption that any network request will connect to the intended destination, is no longer guaranteed. An internet where this tenet is no longer true is an internet that we will no longer be able to use for financial transactions, controlling critical national infrastructure, or communicating with our loved ones or work colleagues.

These kinds of attacks are why we must call out the threat actors on their irresponsibility for attacking these systems. We must make it clear that there are limits for offensive cyber operations carried out by nation states, or we risk destroying an invention that benefits lives across the globe.

We must work together with organizations across the public and private sectors to establish behavioural norms that can be legally enforced. As with any crime, we must work together to identify those who conducted this activity so that they can be called to account for their actions, and appropriate measures applied to sanction the behavior and deter others from conducting the same disruptive activity.

Sustaining Partners