Cyber Incident Victim: Tajikistan Domain Registrar
Date: Jan 2014
Location: Tajikistan
Summary
A Tajikistani domain registrar was compromised via a directory traversal vulnerability, enabling an attacker to alter DNS records for the .tj country-code domains of high-profile brands including Google, Yahoo, Twitter and Amazon. The perpetrator, identified as Iranian hacker 'Mr.XHat', redirected these domains to defaced pages and claimed root access to the registrar's MySQL database, which held hashed customer credentials. By changing the administrative email addresses on record for the targeted domains, the attacker turned the registrar's password-recovery mechanism against its customers and gained unauthorized access to their control panels. The affected domains were restored to their original DNS configurations after approximately one day of disruption, with defacement mirrors preserved for reference.
Description
On January 6, 2014, Tajikistan’s national domain registrar (domain.tj) suffered a compromise attributed to an Iranian hacker using the alias 'Mr.XHat'. The attacker exploited a directory traversal vulnerability, a flaw that lets a requester read or reach files outside the directories a web application is meant to expose, to infiltrate the registrar’s systems. This breach provided administrative control over the domain management interface, allowing the hacker to alter DNS records for multiple high-profile domains registered under the .tj country-code top-level domain. Specifically, google.com.tj, yahoo.com.tj, twitter.com.tj and amazon.com.tj were redirected to defaced pages for approximately one day. The attacker claimed root-level access to the registrar’s MySQL database, which stored customer passwords in hashed or encrypted form, though no evidence indicated these passwords were cracked or misused. Server details from the compromised system showed a Linux 2.4.21-27.ELsmp kernel, a 2.4-series release that was years out of date by 2014, running on aging hardware, suggesting the system was running unpatched software.

The attacker then manipulated domain administration by changing the registered email addresses for the affected domains to his own, which let him trigger the registrar's password-recovery mechanism and gain unauthorized access to the customers' control panels. Screenshots provided by the hacker showed the recovered passwords arriving by email in plaintext, which facilitated further administrative actions. The defacement affected users attempting to reach the targeted services through Tajikistan’s localized domains, though the core infrastructure of Google, Twitter, Yahoo and Amazon remained unaffected. By the time of public reporting, the registrar had restored the original DNS records, returning the domains to normal operation. Defacement mirrors archived on Zone-H (IDs 21452417, 21452420, 21452426, 21452428) preserved evidence of the incident. No additional technical details regarding detection methods, internal response timelines, or collateral damage beyond the named domains were disclosed in available sources. The incident highlighted the risks of centralized domain registry systems and the cascading impact that DNS manipulation at a registrar can have on every domain it serves.
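Directory traversal attempts of the kind that gave the attacker his initial foothold leave a recognisable trace in web-server access logs. The following is an added example, not the registrar's code and not derived from any published artefact of this incident: it flags such requests in constructed Apache-style log lines, decoding percent-encoding until the string is stable so that double-encoded variants are caught; all IP addresses, paths and timestamps are invented.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical; the registrar's
# real request logs were never published).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2014:10:01:12 +0500] "GET /panel/index.php?page=home HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jan/2014:10:01:40 +0500] "GET /panel/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [06/Jan/2014:10:02:05 +0500] "GET /panel/index.php?page=..%2f..%2f..%2fconfig.php HTTP/1.1" 200 912
198.51.100.2 - - [06/Jan/2014:10:03:00 +0500] "GET /whois.php?domain=google.com.tj HTTP/1.1" 200 2210
203.0.113.7 - - [06/Jan/2014:10:03:30 +0500] "GET /panel/index.php?page=%252e%252e/%252e%252e/db.inc HTTP/1.1" 200 640
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target: str) -> str:
    """Percent-decode until the value stops changing (defeats double
    encoding) and fold backslashes to slashes so '..' segments compare."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the normalized request target climbs out of its directory."""
    norm = normalize_target(target)
    return "../" in norm or norm.endswith("..")


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose target is a traversal attempt.
    A 200 status on such a request is the case worth escalating."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]}')
```

Pair this with a change alert on the registrar's own data: any edit to a domain's administrative contact email followed by a password-recovery request is the sequence the attacker used here and is cheap to flag.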
