Hackers Entered Multiple ICANN Databases

Parts of the Internet’s address system were successfully opened by spearphishers, who spoofed Internet Corporation for Assigned Names and Numbers staff email addresses to send other ICANN employees credential-stealing messages.

The nonprofit organization oversees domain names.

The attack “involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members,” the organization said in a rather detailed and frank disclosure notice.

The credentials were used to gain access to other systems, including the Centralized Zone Data System (czds.icann.org), ICANN GAC Wiki (gacweb.icann.org), ICANN Blog (blog.icann.org) and WHOIS (whois.icann.org) information portal.

The attacker obtained administrative-level access to everything in the CZDS database. This included information entered by users such as names, postal addresses, email addresses, fax and telephone numbers, usernames, and encrypted passwords.

“Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway,” Ars Technica reports. Researchers told Ars the system stores mostly public information concerning technical details registries used to make sure the gTLDs they control are Internet accessible.

Inside the wiki, the hacker viewed public data, a members-only index page, and one person’s user profile page.

While the hacker obtained unauthorized access to the blog and WHOIS, no impact has been found.

The organization said security protections added earlier in the year helped limit the extent of the unauthorized access, in general.

“We are providing information about this incident publicly, not just because of our commitment to openness and transparency, but also because sharing of cybersecurity information helps all involved assess threats to their systems,” the notice states.