Comodo, an issuer of the digital certificates that browsers use to verify the identity of websites, has again publicly accused Iranian-sponsored hackers of a coordinated effort to obtain fraudulently issued certificates in order to conduct covert cyber intelligence operations.
Such certificates, commonly described as "stolen" although they were issued by the certification authority's own systems rather than copied, are accepted by browsers exactly like legitimate ones. An attacker holding one for a real domain can stand up a look-alike site that shows a valid padlock, spread malware from it, intercept the traffic the user believes is protected, or perform other criminal and surveillance activities.
The certificates covered domains belonging to some of the biggest companies on the Internet, including Microsoft, Yahoo, Skype, and Google. Comodo officials believe the operation to obtain the certificates is a state-supported action initiated by the Iranian government.
"We believe this is state-sponsored. It seems that they need these certificates, as we stated in March, they will not stop attacking," said Comodo president and chief executive Melih Abdulhayoglu, when asked about the recent DigiNotar event.
Last week, a falsely issued Google SSL certificate from DigiNotar was discovered by Ali Borhani, an Iranian freelance web developer, and security auditors at Fox-IT were asked to conduct an investigation; Fox-IT has since released a preliminary analysis.
Early reports indicated that the bogus digital certificates may have been part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks and gather intelligence on Iranian opposition groups.
"The days of wiretapping phone lines are gone, the days of reading emails or Facebook or intercepting Skype communication are here. The key to reading these communications is held by certification authorities. So that is why they have become the new target for states that have a need for intercepting communication," Abdulhayoglu said.
In a MitM attack of this kind, the interceptor places itself between the user and the HTTPS site, typically by steering the user's traffic to its own server through control of DNS or the network path. It presents the fraudulent certificate to the user's browser, which accepts it because a trusted certification authority signed it, and opens a second encrypted connection to the genuine site. The user's data is encrypted only as far as the interceptor, which can read and alter it in plaintext before re-encrypting it toward the real server, so neither end notices that the session is being monitored.
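The following added example, which is not code from the article or from any of the companies it names, shows why a certificate fraudulently issued by a trusted CA passes ordinary chain validation and how a public-key pin maintained by the site operator catches it. Certificates, CAs and trust store are simplified stand-ins: an HMAC-SHA256 tag replaces the RSA signature a real CA would produce, and every key, CA name and fingerprint below is constructed for the demonstration.

```python
"""Added example (not from the article): chain validation vs. key pinning.

A CA that has been compromised signs whatever the intruder asks for, so a
certificate for *.google.com issued with the abused CA key verifies like
any other. A pin on the site's real public key rejects it. HMAC-SHA256
stands in for the CA's real signature; all names and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # host name claimed by the certificate, may be a wildcard
    issuer: str       # name of the issuing CA
    spki: bytes       # stand-in for the subject public key info
    signature: bytes  # CA signature over subject|issuer|spki


def tbs(subject, issuer, spki):
    """Bytes the CA signs (the 'to be signed' part of a certificate)."""
    return b"|".join([subject.encode(), issuer.encode(), spki])


def issue(ca_name, ca_key, subject, spki):
    """A CA signs what it is asked to sign; a compromised CA signs for the attacker too."""
    sig = hmac.new(ca_key, tbs(subject, ca_name, spki), hashlib.sha256).digest()
    return Cert(subject, ca_name, spki, sig)


def hostname_matches(pattern, host):
    """Single-label wildcard allowed only in the leftmost label (RFC 6125 style)."""
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def verify_chain(cert, host, trust_store):
    """What a browser does: trusted issuer, valid signature, matching host name."""
    ca_key = trust_store.get(cert.issuer)
    if ca_key is None:
        return False
    expected = hmac.new(ca_key, tbs(cert.subject, cert.issuer, cert.spki), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature) and hostname_matches(cert.subject, host)


def spki_fingerprint(cert):
    """SHA-256 over the public key, the value operators pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def verify_with_pins(cert, host, trust_store, pins):
    """Chain validation plus a pin check for hosts that have published pins."""
    if not verify_chain(cert, host, trust_store):
        return False
    pinned = pins.get(host)
    return pinned is None or spki_fingerprint(cert) in pinned


# Constructed trust store: the browser trusts both CAs by name -> verification key.
TRUST_STORE = {
    "Example Root CA": b"example-root-ca-secret",
    "DigiNotar Root CA": b"diginotar-root-ca-secret",  # the CA whose signing was abused
}

# Legitimate certificate: the site's own key, signed by the CA it actually uses.
GOOGLE_KEY = b"constructed-google-public-key"
LEGIT = issue("Example Root CA", TRUST_STORE["Example Root CA"], "*.google.com", GOOGLE_KEY)

# Rogue certificate: the intruder had the compromised CA sign the attacker's key for the same name.
ATTACKER_KEY = b"constructed-attacker-public-key"
ROGUE = issue("DigiNotar Root CA", TRUST_STORE["DigiNotar Root CA"], "*.google.com", ATTACKER_KEY)

# Pins published by the site operator: only the real key is acceptable for this host.
PINS = {"mail.google.com": {spki_fingerprint(LEGIT)}}


def demo(host="mail.google.com"):
    """Run both checks against both certificates and return the verdicts."""
    return {
        "legit_chain": verify_chain(LEGIT, host, TRUST_STORE),
        "rogue_chain": verify_chain(ROGUE, host, TRUST_STORE),
        "legit_pinned": verify_with_pins(LEGIT, host, TRUST_STORE, PINS),
        "rogue_pinned": verify_with_pins(ROGUE, host, TRUST_STORE, PINS),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Both certificates pass `verify_chain`, because the only thing chain validation establishes is that some trusted CA vouched for the name; it cannot tell a legitimately requested certificate from one the intruder had the CA sign. The pin check fails the rogue certificate because the attacker's key is not one the operator pinned, and a forged certificate from a CA that is not in the trust store fails at the chain step.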
"We believe these are politically motivated, state-driven/funded attacks. One of the origins of the attack that we experienced is from Iran. What is being obtained would enable the perpetrator to intercept Web-based email/communication and the only way this could be done is if the perpetrator had access to the country's DNS infrastructure, and we believe it might be the case here," Abdulhayoglu said back in March after Comodo was similarly breached.
Trend Micro's analysis reveals a strong Iranian connection to the bogus SSL certificates, which appear to have been "used to spy on Iranian Internet users on a large scale."
"We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack," the Trend Micro blog states.
As the investigations continue to demonstrate the widespread and serious nature of the compromised digital certificates, some analysts believe the incidents may have an impact on security that goes even beyond last year's infamous Stuxnet attack.
"The attack on Diginotar doesn't rival Stuxnet in terms of sophistication or coordination. However, the consequences of the attack on Diginotar will far outweigh those of Stuxnet. The attack on Diginotar will put cyberwar on or near the top of the political agenda of Western governments," blogged Kaspersky Lab analyst Roel, who noted that over 500 bogus certificates are in the wild.
Stuxnet is a highly sophisticated, purpose-built worm that targets the SCADA systems providing operational control for critical infrastructure and production networks, and leading theories indicate that the malware was probably produced to stifle Iran's nuclear ambitions.
The Stuxnet virus attacks are thought to have caused severe damage to Iranian uranium enrichment facilities and reportedly set back the nation's nuclear program by as much as several years.
Iran is still struggling with the aftermath of the Stuxnet attacks more than a year after the infection was discovered. The emergence of Stuxnet and the continued compromise of certification authorities may indicate a growing cyber conflict between Iran and western powers.