The attackers used a "spear phishing" campaign to target sensitive systems operated by ICANN, sending spoofed emails disguised as internal ICANN communications to staff members. The link in the emails took staff to a bogus login page, where they entered their usernames and passwords, the keys to their work email accounts.
The breach began in late November 2014 and was discovered about a week later, ICANN said in a release published Tuesday. ICANN is the organization that oversees the Internet's address system and manages the global top-level domain system.
"We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."
With those credentials, the hackers then managed to access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the ICANN Governmental Advisory Committee (GAC), the domain registration Whois portal, and the ICANN blog.
The CZDS is the service through which domain registries and other interested parties request access to the zone files of top-level domains. Administrative access to it gave the hackers both the zone files and the account records of the people who had requested them: names, postal addresses, email addresses, fax and phone numbers, usernames and cryptographically hashed passwords.
The zone files themselves contain valuable information: every domain name registered under the top-level domain, the name servers delegated for each of those domains, and the IP addresses of those name servers. Taken together, that is a complete map of who hosts what under the TLD.
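To make concrete what a copy of a TLD zone file hands an attacker, the following added example (not code from the article or from ICANN) parses a small zone file in standard master-file format and pulls out the delegations and glue records described above. The zone text is constructed for this example under a hypothetical TLD named "example"; the function names are assumptions, not any ICANN tool.

```python
from collections import defaultdict

# Constructed sample in DNS master-file format, imitating a gTLD zone file
# for a hypothetical TLD "example" (not real zone data).
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
@                       IN SOA  ns1.nic.example. hostmaster.nic.example. 2014120100 7200 3600 1209600 3600
@                       IN NS   ns1.nic.example.
ns1.nic.example.        IN A    192.0.2.1
acme                    IN NS   ns1.acme-dns.example.
                        IN NS   ns2.acme-dns.example.   ; owner name inherited from the previous record
ns1.acme-dns.example.   IN A    192.0.2.10
ns2.acme-dns.example.   IN AAAA 2001:db8::10
widget.example.   86400 IN NS   ns1.acme-dns.example.
"""


def _fqdn(name, origin):
    """Turn a relative owner/target name into a lowercase fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin=None):
    """Return (delegations, glue): child zone -> nameservers, nameserver -> addresses.

    Handles $ORIGIN/$TTL directives, ';' comments, optional TTL and class
    fields, and owner-name inheritance from the previous record.
    """
    delegations = defaultdict(set)
    glue = defaultdict(set)
    previous_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        if origin is None:
            raise ValueError("zone has no $ORIGIN and none was supplied")
        tokens = line.split()
        if raw[0].isspace():                      # blank owner: inherit previous
            owner = previous_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
        previous_owner = owner
        if tokens and tokens[0].isdigit():        # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "NS" and owner != origin:     # apex NS is not a delegation
            delegations[owner].add(_fqdn(rdata[0], origin))
        elif rtype in ("A", "AAAA"):              # glue for nameservers
            glue[owner].add(rdata[0])
    return delegations, glue


def hosting_concentration(delegations):
    """Count how many delegated domains each nameserver serves."""
    counts = defaultdict(int)
    for nameservers in delegations.values():
        for ns in nameservers:
            counts[ns] += 1
    return dict(counts)


if __name__ == "__main__":
    delegations, glue = parse_zone(SAMPLE_ZONE)
    for domain, nameservers in sorted(delegations.items()):
        print(domain, "->", sorted(nameservers))
    for ns, count in sorted(hosting_concentration(delegations).items()):
        print(ns, "serves", count, "domain(s); addresses:", sorted(glue.get(ns, [])))
```

Run against a real TLD zone of millions of lines, this same loop yields the full list of registered names and a ranking of DNS providers by how many domains they serve, which is why registries restrict zone file access to vetted CZDS accounts in the first place.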
In an email sent to every CZDS user, ICANN warned that "the attacker obtained administrative access to all files in the CZDS including copies of the zone files in the system. The information you provided as a CZDS user might have been downloaded by the attacker. This may have included your name, postal address, email address, fax and telephone numbers, and your username and password."
Because the passwords were stored as salted cryptographic hashes, the attacker is unlikely to be able to use them directly, but ICANN is urging users to change their passwords immediately to be on the safe side. Salting and hashing slow an attacker down rather than stop one: each hash must be cracked separately, and weak or reused passwords still fall to a dictionary attack. The organization is also notifying users whose personal information may have been compromised.
The organization has found no evidence that any Internet Assigned Numbers Authority (IANA) systems, or any other systems, were compromised. IANA, which is also part of ICANN, performs the actual management of the DNS root zone and of globally unique names and numbers.
"Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems," ICANN stated.
ICANN had implemented enhanced security measures earlier this year, which the officials investigating the incident said likely helped limit the damage from the attack.