Cyber Incident Victim: Hellenic Ministry of Foreign Affairs
Date: Jan 2018
Location: Greece
Summary
A cyber espionage campaign attributed to hackers acting in Turkey's interests targeted the Hellenic Ministry of Foreign Affairs and other European and Middle Eastern government entities through DNS hijacking techniques. Attackers redirected victims to fraudulent websites to harvest credentials, compromising email systems and potentially accessing sensitive networks. The operation impacted multiple national security agencies, diplomatic services, and private organizations, with evidence suggesting infrastructure linked to Turkish actors. While Greek officials reported no confirmed compromise of their systems, the coordinated attacks exploited vulnerabilities in global internet infrastructure to facilitate large-scale credential theft across geopolitical rivals of Turkey.
Description
The cyberattacks targeting the Hellenic Ministry of Foreign Affairs occurred within a broader campaign spanning Europe and the Middle East, with activity first observed in late 2018 and continuing into early 2019. Attackers employed DNS hijacking techniques to redirect victims’ internet traffic to imposter websites, specifically targeting login portals for government email services, cloud storage systems, and online networks. This method involved tampering with the Domain Name System (DNS), enabling unauthorized interception of credentials and sensitive data entered on spoofed pages. Public internet records reviewed by Reuters confirmed the Greek government’s email systems were among at least 30 organizations compromised, alongside Cypriot government services, Iraq’s national security advisor, and Albanian state intelligence. Western security officials attributed the attacks to hackers acting in Turkey’s geopolitical interests, citing victim profiles aligned with Turkish foreign policy objectives, infrastructure linked to prior Turkey-associated operations, and classified intelligence assessments. The campaign’s operational infrastructure reused identical servers across multiple incidents, indicating coordination.

Greek officials stated they had no evidence of email system compromise, contradicting Reuters’ findings of traffic redirection to attacker-controlled servers. The Cypriot government acknowledged the attacks and implemented containment measures through its national security agencies but withheld technical specifics. Impacts included the theft of hundreds of usernames and passwords from Albanian intelligence, though Albania clarified breached systems held no classified data. Turkish civilian entities, including a Freemasons group erroneously linked to cleric Fethullah Gulen, were also targeted. The attacks exploited vulnerabilities in global DNS infrastructure, complicating detection as breaches occurred outside victims’ networks. Private cybersecurity firms like Team Cymru notified some victims after identifying domain hijacks, including compromises of top-level domain administrators. Western intelligence agencies monitored the campaign’s scale with concern but distinguished it from a separate 2018 DNS hijacking operation. Turkish authorities declined to comment on attribution claims, citing their own frequent targeting by cyberattacks, while U.S. and UK agencies offered no official assessment. The incident remained unresolved, with officials confirming ongoing attacks beyond early 2019.
