If unauthenticated postings on the Internet are to be believed—and we all know how that goes—the attacker behind a breach of a Comodo-affiliated SSL registration authority earlier this year may also be behind the recent compromise of Dutch SSL certificate authority DigiNotar. The attacker posted an announcement on Pastebin under the name “Comodohacker” claiming responsibility for the DigiNotar breach. In the message, the writer says the action was retaliation for the role of Dutch soldiers in Srebrenica in 1995, where more than 8,000 Muslims were killed by Serbian forces during the Bosnian War.
The same account was used earlier this year to describe the attack on SSL certificate authority Comodo. The attacker also claims to have infiltrated four more unnamed high-profile certificate authorities and gained the ability to issue false certificates from them. He also claimed to have access to the widely used certificate authority GlobalSign, and to have attempted an attack on StartCom.
“Comodohacker” has given interviews in the last year and described himself as a 21-year-old Iranian student. Some security experts have also speculated that Comodohacker could be Turkish. However, the Iranian connection is interesting, especially since many of the IP addresses that accessed Google account information through the fraudulent Google certificate issued by DigiNotar were located in Iran.
In all, over 500 fraudulent certificates were issued from DigiNotar after its systems were compromised. DigiNotar’s auditor FOX-IT has found (PDF) that more than 300,000 unique IP addresses accessed Google accounts alone under the bogus certificate issued for Google. Supposedly secure information in any of those sessions could, in theory, have been intercepted by a third party.