
Lone Iranian Claims Responsibility For SSL Hack

The recent fraudulent issuance of SSL certificates for major websites such as Google, Yahoo and Skype through certificate authority Comodo was the work of a lone Iranian hacker, it has been claimed.

In a message posted on Pastebin.com on Sunday, a writer claiming to be a 21-year-old Iranian hacker said he was responsible for the incident, which was revealed last Wednesday.

Stuxnet revenge

“I’m not a group of hackers, I’m single hacker with experience of 1,000 hackers,” wrote a user calling himself ComodoHacker.

He claimed to have carried out the attack in revenge for Stuxnet, the worm that disrupted centrifuge control systems at Iran’s Natanz uranium enrichment site last year. Forensic analyses have indicated that the attack was probably the work of US and Israeli intelligence services.

“When USA and Israel creates Stuxnet, nobody talks about it, nobody blamed, nothing happened at all, so when I sign certificates nothing should happen, I say that, when I sign certificates nothing should happen,” wrote ComodoHacker.

“If you was doing a dirty business in internet inside Iran, I suggest you to quit your job, listen to sound of most of people of Iran, otherwise you’ll be in a big trouble, also you can leave digital world and return to using abacus.”

The hacker provided decompiled code from InstantSSL.it, the Italian branch of Comodo’s InstantSSL certificate-selling service, as proof of the authenticity of his remarks.

ComodoHacker said his motivations were patriotic in nature.

“Anyone inside Iran with problems, from fake Green Movement to all MKO members and two-faced terrorists, should be afraid of me personally,” he wrote. “I won’t let anyone inside Iran, harm people of Iran, harm my country’s Nuclear Scientists, harm my Leader (which nobody can), harm my President.” MKO is a dissident political party in Iran.

Last week Comodo Security acknowledged that InstantSSL had been compromised and that attackers had issued valid digital certificates for popular websites that would have potentially allowed them to spoof content and perform man-in-the-middle attacks.

Large sites affected

The nine fraudulent web certificates covered seven domains, including Microsoft’s Live service, Google’s mail system, Yahoo and Skype, Microsoft said in a 23 March security advisory.

Comodo has revoked the certificates and listed them in its current Certificate Revocation List, and no web browser should be accepting them at this time, the company said. That assurance depends on clients actually consulting the CRL or an OCSP responder before trusting a certificate; browsers of the period soft-failed that check, treating an unreachable revocation service as a pass, which is why browser and operating-system vendors also pushed updates that explicitly distrusted the nine certificates.

The perpetrators would have been able to spoof content, perform phishing attacks or carry out man-in-the-middle attacks only if they also controlled the Domain Name System infrastructure, Comodo said. The same applies to any other position from which a victim’s traffic can be redirected or intercepted, such as an ISP’s network: the certificate supplies only the missing piece, a key the browser will trust for that domain name.
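The mechanism described in the three paragraphs above, as an added example that is not from the article, from Comodo or from any browser vendor: a toy CA built with Go’s standard library signs a certificate for login.yahoo.com over a key it never vetted, the certificate passes ordinary chain validation because the CA really did sign it, and only a CRL lookup rejects it. The client model also shows the revocation caveat: a soft-failing client that cannot reach the CRL still accepts the revoked certificate, a hard-failing one does not. All keys, names, serial numbers and dates are constructed for the example, and it needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Constructed fixture clock; every key, name and serial below is hypothetical, not Comodo's data.
var now = time.Date(2011, time.March, 23, 12, 0, 0, 0, time.UTC)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// BuildScenario: a trusted CA, a certificate it wrongly signed for a name the attacker does not control, and the CRL.
func BuildScenario() (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign: may sign CRLs
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // attacker's key; the CA never checks domain control
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x3af2), // hypothetical serial
		DNSNames:     []string{"login.yahoo.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // revocation: the CA lists the serial
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return ca, leaf, crlDER
}

// ChainValid is what a client checks before any revocation lookup; the fraudulent certificate passes.
func ChainValid(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// RevokedByCRL reports whether leaf's serial is listed in a CRL issued and signed by leaf's issuer.
func RevokedByCRL(ca, leaf *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if string(crl.RawIssuer) != string(leaf.RawIssuer) || crl.CheckSignatureFrom(ca) != nil {
		return false, fmt.Errorf("CRL is not issued and signed by the certificate's issuer")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Accept models a TLS client; crlDER == nil means "CRL could not be fetched" and softFail is the browser behaviour of the period.
func Accept(ca, leaf *x509.Certificate, host string, crlDER []byte, softFail bool) error {
	if err := ChainValid(ca, leaf, host); err != nil {
		return err
	}
	if crlDER == nil && softFail {
		return nil // an attacker who can intercept traffic can also block the CRL fetch
	}
	switch revoked, err := RevokedByCRL(ca, leaf, crlDER); { // hard-fail: no usable CRL, no connection
	case err != nil:
		return err
	case revoked:
		return fmt.Errorf("certificate revoked")
	}
	return nil
}
func main() {
	ca, leaf, crl := BuildScenario()
	fmt.Println("CRL reachable:", Accept(ca, leaf, "login.yahoo.com", crl, true))
	fmt.Println("CRL blocked, soft-fail:", Accept(ca, leaf, "login.yahoo.com", nil, true))
	fmt.Println("CRL blocked, hard-fail:", Accept(ca, leaf, "login.yahoo.com", nil, false))
}
```

Run it with go run: the first line reports the revoked certificate rejected, the second shows the soft-failing client accepting it because the CRL never arrived, and the third shows a hard-failing client refusing to connect at all. The issuer-name comparison in RevokedByCRL matters in practice: a CRL signed by some other CA, even a trusted one, says nothing about this certificate.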

Comodo said the attack originated from an IP address assigned to an Internet service provider in Iran. One certificate for Yahoo’s login page was tested from a server in Iran, but had already been revoked and was blocked from being used, according to Comodo’s incident report.

At the time Comodo said the attack was probably carried out by the Iranian government.

“We believe these are politically motivated, state-driven/funded attacks,” said Comodo chief executive Melih Abdulhayoglu.

Unlike a typical cyber-criminal, who would have targeted financial organisations, this particular attacker focused on communications infrastructure, Comodo noted at the time. The targeted domains would be of “greatest use” to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region, Comodo said.

Scepticism

Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, was sceptical of ComodoHacker’s claims.

“Do we really believe that a lone hacker gets into a [certificate authority], can generate any cert he wants…and goes after login.live.com instead of paypal.com?” Hypponen said in a Twitter post.

Chester Wisniewski, a senior security advisor at IT security firm Sophos, was equally sceptical.

“If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organise protests and share news with the world?” Wisniewski wrote in a blog post on Sunday. “His ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government.”

Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
