Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.
The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers.
ICANN officials said they are notifying any users whose zone data might have been compromised.
“The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised,” ICANN said in a statement.
ICANN is a key part of the Internet’s infrastructure, bearing responsibility for much of the work on the domain name system and for managing global TLDs. ICANN also operates the root name servers that are at the heart of the Internet’s name system. The group said that in addition to the CZDS system, the attackers also gained access to the ICANN blog system and its WHOIS portal, but no damage was found in either of those systems.
Officials said that ICANN had implemented enhanced security measures earlier this year, which likely helped prevent further damage from the attack.
“We are providing information about this incident publicly, not just because of our commitment to openness and transparency, but also because sharing of cybersecurity information helps all involved assess threats to their systems,” ICANN said.