
How to Protect Your Network Against the ‘Sea Turtle’ DNS Hijacking Campaign


A large-scale DNS hijacking campaign called ‘Sea Turtle’ has been spreading across more than 13 countries. With our FlowPro Defender, you can monitor your organization’s DNS activity.

First, Let’s Talk About DNS

Before we dive into the details about the Sea Turtle DNS hijacking campaign, we should talk a bit about DNS itself.

In the simplest terms, DNS is the phone book of the internet. When you type in a website address, it’s the job of your local DNS server to translate that address into a computer-friendly IP address. This seems like a quick and easy thing for your computer to do, but there is a lot going on behind the scenes with each lookup to ensure you are not redirected to an unsafe website. Being redirected in this way is called DNS hijacking. In one form of it, attackers install malware on a user’s computer that changes the local DNS settings and reroutes the user to malicious sites.

There are also Man-in-the-Middle attacks, in which hackers intercept communication between the user and their DNS server and provide a different destination IP, which in turn leads the user to a malicious website. This is a huge security risk: it can lead to your personal information being leaked and, on a larger scale, important data being funneled out of your network.

Swimming Through Networks with Sea Turtle

Now that we know a bit more about DNS, we can explore what exactly the Sea Turtle Hijacking Campaign is. Since January 2017, state-sponsored hackers have been behind a large-scale DNS hijacking campaign that has compromised at least 40 organizations in 13 countries.

While this campaign is primarily targeting the Middle East and North Africa, it’s still concerning for the rest of the world. Why? Because, unlike most DNS hijacking attempts, this campaign does not just meddle with private DNS servers; it goes after actual DNS registries and registrars. You can read more about this over at SCPress.

How Can You Help Me Monitor for This?

By default, Scrutinizer has a flow analytics algorithm that looks for excessive numbers of DNS hits.

While this is great, sometimes you need a little more help. That’s why our development team created our FlowPro Defender. Not only can the Defender run reports on DNS performance visibility, but you can also use the flow analytics algorithms that require the Defender, such as DNS Data Leak Detection, DNS Server Detection, and DNS Command and Control.

For example, using the DNS Command and Control Detection, we can monitor for DNS TXT messages that are used to send information over DNS by bypassing firewall restrictions. This is what your alarm for this event would look like:

[Image: DNS TXT alert]

Here, our trusty FlowPro Defender is telling us that 117 DNS TXT messages containing over 577 bytes of data in the last five minutes were sent to an external IP. If we examine this alarm further by selecting the action menu and running a default flow report…

[Image: DNS Exfiltration report]

We can learn more detail, such as the DNS TXT message itself, the QName of the site, and the amount of traffic. From here, you can run the report across a different time frame, change your filters to see if any other sources were affected, and even save the report and email it out. The possibilities are almost endless.
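To make the logic behind an alarm like the one above concrete, here is an added Python example (not Scrutinizer's or FlowPro Defender's actual algorithm) that counts DNS TXT messages and bytes per source and external destination in five-minute windows. The record layout, the thresholds, the internal address ranges, and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 300     # five-minute window, as in the alarm text
MIN_TXT_MESSAGES = 100   # assumed threshold, not a product default
MIN_TXT_BYTES = 500      # assumed threshold, not a product default
# Assumed internal address space; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_txt_alarms(records):
    """records: (epoch_seconds, src_ip, dst_ip, qtype, qname, txt_bytes) tuples.
    Buckets TXT messages sent to external IPs into five-minute windows per
    (src, dst) pair and returns the windows that exceed both thresholds."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0, "qnames": set()})
    for ts, src, dst, qtype, qname, txt_bytes in records:
        if qtype != "TXT" or not is_external(dst):
            continue
        window_start = ts - ts % WINDOW_SECONDS
        b = buckets[(window_start, src, dst)]
        b["count"] += 1
        b["bytes"] += txt_bytes
        b["qnames"].add(qname)
    alarms = []
    for start, src, dst in sorted(buckets):
        b = buckets[(start, src, dst)]
        if b["count"] >= MIN_TXT_MESSAGES and b["bytes"] > MIN_TXT_BYTES:
            alarms.append({"window_start": start, "src": src, "dst": dst,
                           "txt_messages": b["count"], "txt_bytes": b["bytes"],
                           "distinct_qnames": len(b["qnames"])})
    return alarms

def constructed_sample():
    """Constructed records for illustration; not captured traffic."""
    base = 1_700_000_100  # aligned to a five-minute boundary
    recs = [(base + 2 * i, "10.1.20.15", "203.0.113.50", "TXT",
             f"chunk{i}.tunnel.example", 5) for i in range(117)]
    recs += [(base + 10, "10.1.20.16", "10.0.0.53", "TXT", "_spf.example.com", 120),
             (base + 20, "10.1.20.16", "203.0.113.50", "A", "www.example.com", 0),
             (base + 30, "10.1.20.17", "198.51.100.7", "TXT", "example.org", 90)]
    return recs

if __name__ == "__main__":
    for alarm in find_txt_alarms(constructed_sample()):
        print(alarm)
```

The count of distinct QNames is included because many unique names under one domain in a short window is a useful triage signal alongside the message and byte totals.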

What else can you do? Always be aware of what is coming in through your email, as most DNS hijacking starts with a spear phishing attempt of some sort. If there is an attachment you don’t recognize or something does not seem quite right about an email, do not open any attachments. Forward the email to your security team and delete it from your inbox. If you have any questions about our FlowPro Defender or would like to give it a try, please do not hesitate to reach out to our support team for help.