
Cyber Incident Victim: Cypriot government email services

Date: Jan 2018

Location: Cyprus

Summary

Hackers believed to be acting in Turkey's interests conducted cyberattacks targeting government email services in Cyprus, Greece, and Iraq, among other entities, using DNS hijacking to redirect traffic and steal credentials. The attacks, described as state-backed espionage by Western officials, also impacted Albanian intelligence and Turkish civilian organizations. Cypriot authorities confirmed awareness and containment measures, while other affected governments reported no significant compromises or provided no comment. The campaign exploited vulnerabilities in internet infrastructure to intercept login portals and cloud services, with activity ongoing since at least early 2018.


Description

Between late 2018 and early 2019, Cypriot government email services were compromised as part of a broader cyber espionage campaign targeting at least 30 organizations across Europe and the Middle East. Hackers employed DNS hijacking techniques to redirect internet traffic from legitimate government websites to fraudulent servers under their control. This manipulation of the Domain Name System allowed attackers to intercept login credentials when users accessed email portals and other online services. Public internet records confirmed the Cypriot government’s email systems were among the victims, alongside Greek government email services, the Iraqi national security advisor’s office, and Albanian state intelligence agencies. The attacks exploited vulnerabilities in internet routing infrastructure, enabling unauthorized access without requiring direct breaches of victim networks. Security officials noted the campaign had been active since at least early 2018, with ongoing operations reported as of January 2020.


The Cypriot government acknowledged the incidents in a statement, confirming relevant agencies detected the attacks promptly and implemented containment measures. No operational specifics were disclosed due to national security concerns. Forensic analysis by cybersecurity firms revealed the attackers compromised non-classified systems, with Albanian intelligence confirming hundreds of credentials were stolen from non-secret infrastructure. While Greek officials denied evidence of email system compromise, the public DNS records documented traffic redirection affecting their services. The campaign’s scale alarmed Western intelligence agencies, which attributed the activity to actors advancing Turkish geopolitical interests based on victim profiles, infrastructure links to Turkey, and classified intelligence assessments. Turkey’s government declined to comment on the allegations but emphasized its own frequent targeting by cyberattacks. Private cybersecurity investigators confirmed the hijacked domains included Turkish civilian entities, though some organizations disputed experiencing operational impacts from the redirection attempts.
