The story of a crime: notes on the DigiNotar break-in
The security specialists at Fox-IT have released a 101-page report that almost reads like a whodunit story. The subject is the break-in at Dutch certificate authority (CA) DigiNotar, which Fox-IT has been in charge of investigating. Last year, a clever hacker managed to break into DigiNotar's infrastructure over the internet and issue large numbers of SSL certificates for important domains like google.com, microsoft.com and skype.com.
It became clear that the hacker was not doing it just for kicks when one of the Google certificates they had issued was used to spy on a large number of Iranian internet users. The report says that the attacker stored the break-in tools in the publicly accessible directory http://www.diginotar.nl/beurs on the DigiNotar web server and then gained access from a number of different systems in the CA's network.
The hacker managed to gain control of all eight CA servers, which are not accessible via the internet, by slowly but steadily tunneling their way through various surrounding network segments. Partly because of a note claiming responsibility left on one of the servers, Fox-IT assumes that this hacker is the same one that previously targeted a Comodo reseller.
The attacker used proxies to hide their identity but, the report points out, seems to have accidentally connected to the DigiNotar network without a proxy once. A number of signs point to Iran as the intruder's location. Fox-IT removed the IP addresses that may lead directly to the intruder from the report in order to not endanger investigations currently underway, since the perpetrator is still at large. Meanwhile, the incident has already had major consequences for DigiNotar: the company was liquidated shortly after the disaster.