Finding Additional Indicators With a SeaTurtle Deep Dive in Passive DNS Within DomainTools Iris
ID: f235b78e-63f4-556d-8981-6d71960ef140
STIX ID: report--f235b78e-63f4-556d-8981-6d71960ef140
Feed Name: DomainTools
This report examines the SeaTurtle DNS hijacking campaign, detailing how attackers compromised tertiary DNS vendors to steal signing certificates and flip NS/A records to actor-controlled nameservers and man-in-the-middle servers. Using passive DNS and DomainTools Iris data, the authors expand the Cisco Talos IoCs, listing additional malicious nameservers, domains, and IPs used against many governments and infrastructure providers, and recommend DNS monitoring, DNSSEC, and MFA to mitigate such attacks.
