As many organizations before it, the Internet Corporation for Assigned Names and Numbers (ICANN) has been compromised after some of its employees fell for cleverly constructed spear-phishing emails sent by the attackers.
ICANN, the nonprofit organization responsible for overseeing the use of Internet domains, is still actively investigating the extent of the breach and compromised information.
The attack happened in late November 2014, they noted in a statement released on Tuesday, and in its initial step took the form of email messages that appeared to be coming from the organization’s own domain.
Several staff members were fooled into handing over their email credentials over to the attackers. These credentials were then used by the hackers to access the Centralized Zone Data System (CZDS), the ICANN Governmental Advisory Committee (GAC) Wiki, the ICANN Blog and the ICANN WHOIS information portal.
The latter two were not affected in any way. Only public information and one individual user’s profile page were viewed on the Wiki site, but the attackers had access to a lot more on the Centralized Zone Data System: copies of the zone files in the system, and information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password (stored as salted cryptographic hashes).
Once the breach was discovered, ICANN deactivated all CZDS passwords as a precaution, and notified all users whose personal information may have been compromised.
The good news is that systems related to the Internet Assigned Numbers Authority (IANA) were not compromised. IANA is the ICANN department that oversees, among other things, the global allocation of IP addresses, and manages the root zone in the Domain Name System (DNS).
“Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems. We believe these enhancements helped limit the unauthorized access obtained in the attack,” the organization reassured. “Since discovering the attack, we have implemented additional security measures.”