ICANN hacked and its Centralized Zone Data Service (CZDS) compromised

ICANN falls for spear phishing attack

The Internet Corporation for Assigned Names and Numbers (ICANN) announced yesterday that their computer systems were compromised after some staff from ICANN fell victim to a spear phishing attack.  It said that the attackers had gained administrative access to some of its’s systems, including its Centralized Zone Data Service (CZDS).

ICANN

ICANN is responsible for the coordination of maintenance and methodology of several databases of unique identifiers related to the namespaces of the Internet, and ensuring the network’s stable and secure operation.  In short it is the keeper of the Internet Protocol identifiers. It maintains registry of Internet’s global Domain Name System, and is responsible for introduction of new generic top-level domains (TLDs),  ICANN also looks after the operation of root name servers. The numbering facilities ICANN manages include the Internet Protocol address spaces for IPv4 and IPv6, and assignment of address blocks to regional Internet registries.

CZDS

The Centralized Zone Data Service works within the ICANN and provides a centralized point for access to Zone Files provided by participating Top Level Domain Registries. As more and more generic TLD’s are added to internet, the work of CZDS has gone up.

The Attack

ICANN stated that the attack had been committed in late November using emails sent to staff members.  The specially crafted emails were sent to the employees were sent in such a way that they seem to have come from ICANN domain itself.  As a result of the attack, the email credentials of several ICANN staff members were compromised. Those credentials were then used to compromise other ICANN systems, including the CZDS.

All the zone files and user account details including emails id and passwords may have been compromised due to the intrusion in the CZDS.  ICANN has urged all the users to change their passwords to new ones.

Unauthorized access was also obtained to user accounts on two other systems, the ICANN Blog (blog.icann.org) and the ICANN WHOIS (whois.icann.org) information portal. No impact was found to either of these systems. From the ICANN statement

The Centralized Zone Data System (czds.icann.org)
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

The ICANN GAC Wiki (gacweb.icann.org)
Public information, the members-only index page and one individual user’s profile page was viewed. No other non-public content was viewed.

Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems.