Cyber Incident Victim: Gandi SAS
Date: Jul 2017
Location: France
Summary
A French domain registrar experienced a security breach when an attacker compromised one of its backend passwords, enabling unauthorized DNS modifications for 751 customer domains across 34 top-level extensions. The hijacked domains redirected web traffic to malicious servers hosting SCRT and RIG exploit kits during a brief window, though some redirections persisted for several hours due to delayed DNS propagation. Email services remained unaffected during the incident. The registrar promptly invalidated all administrative credentials used for managing domain records following the attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 7, 2017, French domain registrar Gandi.net experienced a domain hijacking incident impacting 751 customer domains. Between 12:50 UTC and 13:30 UTC, an unauthorized actor altered DNS records for these domains after obtaining one of Gandi's backend passwords. This credential provided access to DNS management systems controlling 34 top-level domain extensions, including country-code TLDs such as .AU, .CH, .JP, .RU, and the internationalized domain .XN--P1AI (.рф). The modified DNS configurations redirected web traffic to servers hosting SCRT and RIG exploit kits, which typically deliver malware payloads to vulnerable systems. The primary redirection window lasted approximately 40 minutes, though delayed DNS propagation caused some domains to continue redirecting users until 18:02 UTC. The attacker specifically targeted web traffic routing without interfering with email services associated with the domains.

The incident affected domains across multiple geographical regions due to the diversity of compromised TLDs. Gandi responded by resetting all passwords associated with TLD management systems, effectively terminating unauthorized access. No evidence suggested prolonged attacker persistence beyond the confirmed redirection period. The registrar's containment measures focused on credential rotation rather than infrastructure overhaul, indicating the compromise was limited to password-based access. While the exploit kits' specific payloads weren't detailed in available reports, their operational presence confirmed the attack's objective of malware distribution through hijacked web traffic. The relatively brief exposure window mitigated potential victimization scale, though delayed DNS propagation extended risks for subsets of affected domains.
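The detection pattern that follows from the description above (many domains suddenly pointing their web records at one new address while mail records stay untouched, and cached records outliving the fix) can be turned into a simple zone-drift monitor. This is an added example, not code from Gandi or from any report on the incident; the domain names, addresses and TTLs are constructed sample data, and the baseline is assumed to come from a trusted copy of the registrar's zone data rather than from live DNS.

```python
"""Diff a trusted DNS baseline against observed records, flag changes that
fan in to a single new target, and bound how long a reverted change can
still be served from resolver caches. Added example with constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


# Constructed baseline: what the zone data is supposed to say.
BASELINE = [
    Record("example-a.test", "A", "203.0.113.10", 3600),
    Record("example-a.test", "MX", "mail.example-a.test", 3600),
    Record("example-b.test", "A", "203.0.113.20", 86400),
    Record("example-b.test", "MX", "mail.example-b.test", 86400),
]

# Constructed observation: A records redirected to one new host with a short
# TTL, MX records untouched (web traffic hijacked, email left alone).
OBSERVED = [
    Record("example-a.test", "A", "198.51.100.99", 300),
    Record("example-a.test", "MX", "mail.example-a.test", 3600),
    Record("example-b.test", "A", "198.51.100.99", 300),
    Record("example-b.test", "MX", "mail.example-b.test", 86400),
]


def index(records):
    """Key records by (owner name, type) so the two sets can be compared."""
    return {(r.name, r.rtype): r for r in records}


def detect_drift(baseline, observed):
    """Return Record objects from `observed` whose value differs from the
    baseline entry of the same name and type (missing records are skipped)."""
    base, obs = index(baseline), index(observed)
    return [obs[k] for k, b in base.items() if k in obs and obs[k].value != b.value]


def shared_targets(drift, min_domains=2):
    """Group drifted records by their new value. Several unrelated domains
    converging on one new address is a hijack signal, not a routine move."""
    by_target = {}
    for r in drift:
        by_target.setdefault(r.value, set()).add(r.name)
    return {t: sorted(n) for t, n in by_target.items() if len(n) >= min_domains}


def drifted_types(drift):
    """Which record types changed; here only A, never MX."""
    return sorted({r.rtype for r in drift})


def max_stale_seconds(drift):
    """Worst-case time a resolver can keep serving a bad record after the
    authoritative data is restored: a resolver that fetched it just before
    the fix holds it for the record's full TTL."""
    return max((r.ttl for r in drift), default=0)


if __name__ == "__main__":
    drift = detect_drift(BASELINE, OBSERVED)
    for r in drift:
        print(f"DRIFT {r.name} {r.rtype} -> {r.value} (ttl {r.ttl})")
    print("fan-in targets:", shared_targets(drift))
    print("types changed:", drifted_types(drift))
    print("cache exposure after revert (s):", max_stale_seconds(drift))
```

In practice the observed set would be pulled from the authoritative servers on a schedule and the baseline kept out of band, so an attacker holding only the registrar-side credential cannot silently update both. The stale-cache bound is what turns a 40-minute window into hours of residual exposure, which is why announcing the incident and reverting quickly matters even after the records are fixed.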
