Sea Turtle: The State-Sponsored Campaign That Hijacked DNS to Spy on Governments
How "Sea Turtle," a state-sponsored campaign disclosed by Cisco Talos in 2019, hijacked DNS by compromising registrars, registries, and DNS providers — redirecting governments, ministries, and energy firms to attacker servers, forging valid certificates, and even breaching a national TLD registry.

Most cyberattacks try to break into a target. The Sea Turtle campaign did something quieter and far more dangerous: it broke into the map that tells the entire internet where the target lives.
When you type a government ministry's web address, or send email to its officials, your computer first asks the Domain Name System — DNS — to translate that human-readable name into the numeric address of the right server. That lookup is so foundational that almost nothing on the internet verifies it. We simply trust that the name resolves to the place it's supposed to. Sea Turtle's operators understood that trust completely, and they spent more than two years abusing it to spy on governments across the Middle East and North Africa.
Disclosed by Cisco Talos in April 2019, Sea Turtle is one of the clearest case studies we have of DNS itself being weaponized as an instrument of nation-state espionage. The attackers didn't phish individual employees and hope. They went after the registrars, registries, and DNS providers that sit above their targets — the institutions that control how names resolve — and from that vantage point they rerouted the traffic of entire organizations, harvested credentials, and forged the cryptographic certificates that were supposed to make impersonation impossible.
DNS as a target for nation-state espionage
DNS is sometimes called the phone book of the internet, but that undersells it. It's closer to the postal routing system: every email, every login, every API call begins by resolving a name. If you control the resolution, you control the destination — and you can sit invisibly in the middle of conversations that both sides believe are private and direct.
That makes DNS an almost perfect espionage target. Compromising one DNS provider can expose the traffic of every organization that depends on it. And unlike malware on an endpoint, DNS manipulation leaves the victim's own machines untouched: there's nothing to scan, nothing to quarantine. The records simply point somewhere new.
Talos was blunt about the mechanism. As their report put it, DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. Simple to describe; devastating in practice.
The Sea Turtle campaign (2017–2019)

Sea Turtle was not a smash-and-grab. Talos assessed that the ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 — more than two years of patient, persistent operations.
Over that span, by Talos's count, at least 40 different organizations across 13 different countries were compromised during this campaign. TechCrunch summarized the reach: the group had targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years, with victims found in countries including Armenia, Egypt, Turkey, Sweden, Jordan and the United Arab Emirates.
Talos declined to publicly attribute the campaign to a specific government but was confident about the caliber of the operator. As Craig Williams of Cisco Talos told TechCrunch, this is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures, and the team assessed the group's primary motivations are to conduct espionage.
Who was targeted, and what was at stake
The victim list reads like an intelligence collection wishlist. Talos identified the primary targets as national security organizations, ministries of foreign affairs, and prominent energy organizations — exactly the institutions whose internal communications a hostile state would most want to read.
A second tier of victims was, in a sense, even more revealing. Talos found the attackers also hit numerous DNS registrars, telecommunication companies, and internet service providers. These weren't the ultimate prizes; they were the means. By owning the infrastructure providers, the attackers gained the leverage to manipulate DNS for the real targets downstream.
BleepingComputer's summary captured the prize cleanly: the main targets were ministries of foreign affairs, military organizations, intelligence agencies, energy companies. When you can silently intercept the email and login traffic of a foreign ministry, you don't need to break encryption — you can simply harvest the credentials and read the mail as it flows.
How it happened: hijacking the chain of trust

Here is what made Sea Turtle unusually sophisticated: the attackers rarely went straight at their victims. Instead they climbed the chain of trust.
The pattern, as reconstructed by Talos and corroborated by independent reporting, ran roughly like this. First, gain a foothold at a DNS provider, registrar, or registry — typically through spear-phishing or by exploiting a known vulnerability. With that access, modify DNS records to point legitimate users of the target to actor-controlled servers. Those servers were set up as a man-in-the-middle layer: per BleepingComputer, Sea Turtle operators set up a man-in-the-middle (MitM) framework that impersonated legitimate services used by the victim with the purpose of stealing login credentials. Victims would log in to what looked like their normal mail or VPN portal, and the attackers would capture legitimate user credentials when users interacted with these actor-controlled servers, then quietly relay them to the real service so nothing seemed amiss.
The cleverest — and most alarming — piece was how they defeated the padlock. Redirecting traffic is one thing; doing it without triggering a browser certificate warning is another. Sea Turtle solved this by obtaining genuine, valid certificates for the domains they were impersonating. Talos found the attackers obtained a certificate authority-signed X.509 certificate from another provider for the same domain, noting that these actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates in their MitM servers. Because they controlled the DNS records, they could pass the automated domain-validation checks that these certificate authorities rely on — and walk away with a legitimate green padlock for a domain they did not own.
Brian Krebs, documenting the closely related earlier wave, described the same playbook: the attackers appear to have changed the DNS records for these domains so that the domains pointed to servers in Europe that they controlled, and then were able to obtain SSL certificates for those domains from SSL providers Comodo and/or Let's Encrypt. One of the cited victims was mail.gov.ae, which handles email for government offices of the United Arab Emirates.
The registry compromises
The campaign's high-water mark was the compromise of organizations that don't just use DNS but run it for entire countries.
The first publicly confirmed case involved Sweden's Netnod. As Krebs reported, the attackers gained access to accounts at Netnod's domain name registrar, and Netnod itself stated it learned of its role in the attack on January 2. Crucially, Netnod was not the destination — it was a doorway. BleepingComputer noted Netnod said they were not the target of the attacks but a route for the attacker to "capture login details for Internet services".
Talos described the broader significance in stark terms: the operators were responsible for the first publicly confirmed case against an organization that manages a root server zone. When the people who run a piece of the internet's core address book can be silently impersonated, the assumption that DNS is trustworthy by default stops holding.
Response and aftermath: they didn't stop
DNS hijacking on this scale drew an official response. In January 2019, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 19-01, "Mitigate DNS Infrastructure Tampering" — the first emergency directive CISA had ever issued — ordering federal agencies to audit their DNS records, change credentials on DNS management accounts, and enable multi-factor authentication on those accounts. It was a tacit acknowledgment that DNS administration had become a frontline of national security.
What's most striking about Sea Turtle, though, is what happened after it was exposed. Most campaigns go quiet once a vendor like Talos publishes their tradecraft. Sea Turtle did the opposite.
In a July 2019 follow-up, Talos reported that the group had found new victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that particular country code. Specifically, the Institute of Computer Science of the Foundation for Research and Technology - Hellas (ICS-Forth), the ccTLD registry for Greece — the body that operates the .gr namespace — was compromised. SecurityWeek noted that even after ICS-Forth publicly acknowledged the breach, Cisco telemetry confirmed that the compromise persisted for at least another five days.
Talos's assessment of the group was unusually pointed: this group appears to be unusually brazen, and will be unlikely to be deterred going forward. They were right. Sea Turtle was not a one-off; it was a demonstration that DNS-layer espionage works, and that the people doing it are willing to keep going in the open.
What this teaches about DNS as critical infrastructure
Strip away the geopolitics and Sea Turtle leaves behind a set of uncomfortable lessons about how the internet's naming layer actually works.
- DNS is a chain of trust, and you don't control all of it. Your security might be excellent. But your domain's resolution passes through a registrar and a registry, and if either is compromised, your records can be changed without ever touching your network. Sea Turtle proved attackers will deliberately target the link in the chain you have the least visibility into.
- A valid certificate is not proof of a legitimate destination. The green padlock attests that the connection is encrypted to whoever controls the domain right now — and if an attacker has hijacked the DNS, that's them. Domain-validated certificates are only as trustworthy as the DNS they validate against.
- DNS manipulation is nearly invisible to the victim. No malware runs on the victim's machines. Endpoint scanners see nothing. The only signal is that records are pointing somewhere they shouldn't — which is exactly why monitoring DNS records for unexpected changes, and locking them down, matters so much.
- Registrar and registry account security is national-security infrastructure. CISA's first-ever emergency directive was, at its heart, about credentials on DNS management accounts. Multi-factor authentication, registry locks, and tightly controlled access to the accounts that can change DNS records are not hygiene niceties — they are the difference between owning a domain and merely appearing to.
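As an added, defender-side illustration of the monitoring the third and fourth points call for, the Python below (example code written for this page, not from the article, Talos, CISA or Namefi) compares a recorded baseline of a zone's NS, A and MX records with a fresh observation, ranks delegation (NS) drift above host-record drift, and flags Certificate Transparency entries from issuers the domain owner never uses. Every name, address and log entry in it is constructed; in production the observed sets would come from querying the parent zone's authoritative servers and a CT log monitor.

```python
# Added example for this page (not from the article, Talos, CISA or Namefi):
# compare a zone's recorded baseline with a fresh observation and flag drift,
# then check CT log entries for issuers the domain owner never uses.
# All names, addresses and log entries are constructed (RFC 5737 test nets).
# Known-good snapshot, recorded after the last verified change: rtype -> values.
BASELINE = {
    "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
    "A": {"198.51.100.10"},
    "MX": {"10 mail.ministry.example."},
}

# Constructed observation in which only the web host was repointed.
OBSERVED_HOST_HIJACK = {**BASELINE, "A": {"203.0.113.77"}}

# Constructed observation in which the delegation itself was swapped at the
# registrar, the above-the-zone change that made Sea Turtle so hard to see.
OBSERVED_DELEGATION_HIJACK = {**BASELINE, "NS": {"ns1.attacker.example."}}


def diff_records(baseline, observed):
    """Return {rtype: (added, removed)} for every record type that drifted."""
    drift = {}
    for rtype in sorted(set(baseline) | set(observed)):
        added = observed.get(rtype, set()) - baseline.get(rtype, set())
        removed = baseline.get(rtype, set()) - observed.get(rtype, set())
        if added or removed:
            drift[rtype] = (sorted(added), sorted(removed))
    return drift


def severity(drift):
    """NS drift means the delegation was altered above the zone owner, so it
    outranks an A/MX change, which could still be a legitimate host move."""
    if "NS" in drift:
        return "critical"
    return "high" if drift else "none"


# Constructed Certificate Transparency entries for one of our names; the second
# is what domain-validated issuance looks like once the DNS has been hijacked.
CT_ENTRIES = [
    {"name": "mail.ministry.example", "issuer": "Corporate CA", "not_before": "2018-11-02"},
    {"name": "mail.ministry.example", "issuer": "Let's Encrypt", "not_before": "2019-01-03"},
]
APPROVED_ISSUERS = {"Corporate CA"}


def unexpected_certs(entries, approved=APPROVED_ISSUERS):
    """Certificates for our names from a CA we never use are a hijack indicator."""
    return [e for e in entries if e["issuer"] not in approved]
```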
The Namefi angle

Sea Turtle is, at its root, a story about who is allowed to change a domain's records — and how hard it is for the rest of the world to tell when that authority has been quietly stolen.
The traditional model concentrates that authority in registrar and registry accounts protected, too often, by little more than a password and an email address. When those accounts fall, control of the domain falls with them, silently. There is no built-in, independently verifiable record of who legitimately holds a name, and no tamper-evident trail when control changes hands.
Namefi approaches domain ownership as something that should be verifiable and tamper-resistant by design, while staying compatible with DNS. Tokenizing ownership creates an auditable, cryptographically anchored record of who controls a domain — making unauthorized transfers and silent takeovers far harder to pull off without leaving an obvious trace. It does not, by itself, stop a registry from being phished. But the broader lesson Sea Turtle drives home is the one Namefi is built around: domains are critical infrastructure, and the question of who really owns this name deserves a stronger answer than "whoever can log in to the control panel."
The campaign rerouted governments by exploiting the gap between holding a domain and proving you hold it. Closing that gap — making ownership verifiable, transfers auditable, and control continuity provable — is exactly the kind of resilience the naming layer still needs.
Sources and further reading
- Cisco Talos — DNS Hijacking Abuses Trust In Core Internet Service
- Cisco Talos — Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
- TechCrunch — A new state-backed hacker group is hijacking government domains at a phenomenal pace
- Krebs on Security — A Deep Dive on the Recent Widespread DNS Hijacking Attacks
- BleepingComputer — ‘Sea Turtle’ Campaign Focuses on DNS Hijacking to Compromise Targets
- SecurityWeek — Sea Turtle's DNS Hijacking Continues Despite Exposure
- BankInfoSecurity — ‘Sea Turtle’ DNS Hijacking Group Conducts Espionage: Report
- CISA — Emergency Directive 19-01: Mitigate DNS Infrastructure Tampering
- SDxCentral — Cisco Talos Says a Nation State Is Behind Sea Turtle DNS Hijacking Attacks
- SecurityWeek — State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks