We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Solo Iranian hacker claims credit for Comodo attack

21-year-old 'patriotic but not political'

A solo Iranian hacker has claimed responsibility for stealing multiple SSL certificates belonging to some of the web's biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

Early reaction from security experts was mixed, with some believing the hacker's claim, while others were dubious.

Last week, conjecture had focused on a state-sponsored attack, perhaps funded or conducted by the Iranian government, that hacked a certificate reseller affiliated with US-based Comodo.

On March 23, Comodo acknowledged the attack, saying that eight days earlier, hackers had obtained nine bogus certificates for the log-on sites of Microsoft's Hotmail, Google's Gmail, the internet phone and chat service Skype and Yahoo Mail. A certificate for Mozilla's Firefox add-on site was also acquired.

SSL certificates validate the legitimacy of a website to the browser, assuring users that they're connecting to the real site, and that the traffic between their browsers and the site is encrypted.

'Iran-sponsored attack'

Comodo CEO Melih Abdulhayoglu said last week that circumstantial evidence pointed to a state-backed attack, and claimed the Iranian government was probably behind it. "We believe these are politically motivated, state driven/funded attacks," said Abdulhayoglu.

He based his opinion on the fact that only Iran's government - which could jigger the country's DNS (domain name system) to funnel traffic through fake sites secured by the stolen certificates - would benefit.

In Abdulhayoglu's analysis, authorities could have used the certificates to dupe anti-government activists into believing they were at a legitimate Yahoo Mail, for example. In reality, however, the phony sites would have collected users' usernames and passwords, and thus given the government access to their email or Skype accounts.

The lone-hacker theory

However, a single hacker has taken responsibility for the Comodo attack, backing up his claim with decompiled code.

"I'm not a group of hacker [sic], I'm single hacker with experience of 1,000 hackers," wrote the attacker in a post on Pastebin.com. He called himself 'ComodoHacker' and said he's 21 years old.

ComodoHacker alleged that he had gained full access to InstantSSL.it, the Italian arm of Comodo's InstantSLL certificate selling service, then decompiled a DLL file he found on its server to uncover the reseller account's username and password.

With the username and password in hand, ComodoHacker said he was able to generate the nine certificates "all in about 10-15 minutes". His message was signed "Janam Fadaye Rahbar", which reportedly means "I will sacrifice my soul for my leader".

The InstantSLL.it website is currently offline.

'This is the guy'

Robert Graham, the CEO of Errata Security, believes ComodoHacker is telling a straight story.

"As a pentester who does attacks similar to what the ComodoHacker did, I find it credible," Graham said Sunday on the Errata blog. "I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political."

Arguments against

But Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, sounded skeptical.

"Do we really believe that a lone hacker gets into a [certificate authority], can generate any cert he wants... and goes after login.live.com instead of paypal.com?" asked Hypponen on Twitter .

Graham had an answer for Hypponen's question.

"[Comodo Hacker] started with one goal, that of factoring RSA keys, and ended up reaching a related goal, forging certificates," said Graham. "He didn't think of PayPal because he wasn't trying to do anything at all with the forged certificates."

ComodoHacker criticised the West - and Western media in particular - for quickly concluding that the Iranian government was involved when it had downplayed possible US and Israeli connections to Stuxnet, the worm that most experts believe was aimed at Iran's nuclear program.

He also threatened to unleash his skills against those he said were enemies of Iran.

"Anyone inside Iran with problems, from fake Green Movement to all MKO members and two-faced terrorists, should [be] afraid of me personally," said ComodoHacker. "I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President."

MKO, or the 'People's Mujahedin of Iran', is an Islamic group that advocates the overthrow of the current government of Iran.

"As I live, you don't have privacy in internet, you don't have security in digital world, just wait and see," ComodoHacker said.

Comodo was not available Sunday for comment on ComodoHacker's claims.

See also: Study proves security certificate warnings don't work


IDG UK Sites

Nexus 6 vs Sony Xperia Z3 comparison: Lollipop phablet takes on KitKat flagship smartphone

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Free rocket & space sounds: NASA launches archive of interstellar audio on SoundCloud

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests, beautiful...