Ontario Government website hijacked

If you can remember when MC Hammer was big you recall the ear-worm of a song that was his big hit called “U Can’t Touch This”. In the music video he danced around in cartoonish looking pants and generally have a good time. Well, the good times were not shared by the Province of Ontario on Friday, December 12 when some miscreants decided to post an copy of this video on the Ontario.ca home page with the title, “HACKED BY DEVIN BHARATH”. This is also the alleged name of one of the members of the Lizard Squad but, there is little credibility that this is was perpetrated by that person. 

The apparent defacement wasn’t in fact on a government of Ontario web server after all. In this case the domain name had been hijacked to point to a server that the government did not have any control over. Visitors to the site were greeted by a the video of Hammer and some random nonsense. This was by no means a sophisticated attack.

From CP24:

In a release issued Friday night, Zita Astravas, press secretary for Premier Kathleen Wynne, said it was a third-party domain routing service that was hacked, not the government’s sites.

“No personal information or any government data was compromised and the websites remain secure,” she said.

“Government IT experts are working with the external domain name hosting provider to restore access as quickly as possible.

It is really unclear based on this statement what “third-party domain routing service” the spokesperson was referring to in this case.

DNS hijacking is a problem that I’ve written about before and there is something simple that can be done to help address this issue. Domain registrars provide their customers with the ability to lock their domains to make it difficult to alter the records. Sadly, more often than naught we see websites being redirected servers controlled by miscreants because, well, they’ve figured this out as well. In this case however the registrar indicated that this was something specific to the DNS host and not the registrar.

I did quick search shows that they domain registrar in this case is an Ontario based company called easyDNS Technologies Inc. and the web server is hosted on Amazon’s EC2. I emailed the registrar and received a response. They provided a link to their public statement,

We are aware of the situation in which gov.on.ca and ontario.ca had their nameservers hijacked. easyDNS is the Registrar of record for these domains. easyDNS is not the DNS provider for them.

At this time we feel the need to keep this brief as there may potentially be an investigation into the attackers.

The attack vector method by which the domain was changed has been discovered and no longer exists.

This coupled with the advice that they provide to “Enable an account ACL Turn on all event notifications within your account, Enable 2-factor authentication, Use strong passwords with periodic resets.” caused me to speculate that the DNS provider (not easyDNS) had their passwords compromised as the result of a phishing email but, I have nothing to prove that at this point.

I also saw this email that was posted to the NANOG mailing list,

All resolver nameserver operators, if you could refresh your caches for gov.on.ca

There has been an incident where the government of ontario nameservers were briefly hijacked

We will post details to follow in the meantime, if you can refresh your caches, the proper records should be:

ens2.gov.on.ca 204.41.4.240 ens1.gov.on.ca 204.41.8.240

thank you all

– mark

The previous DNS servers were:

ons1.gov.on.ca 192.75.156.245 ons2.gov.on.ca 192.197.191.130

OK, so what is a take away here? The credentials needed to access domain registrars should be well protected. We’ve seen in many cases where credentials were captured by nefarious third parties by phishing attacks and the like.This is a weakness in the security of the digital supply chain and the attackers have learned to leverage it. Nothing is quite as easy to hack as a human. This is the root of the problem. No firewall to any sort of security control could have stopped this issue. Passwords for registrar accounts need to be well taken care of and ensure that there is a strong process in place to control access to it.

As to what happened with the DNS servers themselves, well, I’ll let you know if I hear back.

(Image used under CC from Alex Guibord)