AMSTERDAM – Hackers who broke into a web security firm issued hundreds of bogus security certificates for spy agency websites including the CIA as well as for Internet giants like Google, Microsoft and Twitter, the Dutch government said Monday.
Information technology experts say they suspect the hackers were probably cooperating with the Iranian government, and hundreds of thousands of private communications between Iranian Internet users and Google were likely monitored in August.
Roel Schouwenberg of Internet security firm Kaspersky said Monday night that the incident could have a larger political impact than Stuxnet -- a computer worm discovered in July 2010 which targeted Siemens industrial software and equipment running on Microsoft Windows.
"A government operation is the most plausible scenario" he added.
The latest versions of browsers such as Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox are now rejecting certificates issued by the firm that was hacked, DigiNotar.
In a statement Monday, the Dutch government released findings that greatly expand the scope of the hacking attack that DigiNotar first acknowledged last week. External IT experts reviewing DigiNotar's computer systems said the hack may have begun in June, not July as DigiNotar had previously asserted.
The experts said it had affected access not only to Google, but included 531 fake certificates for some 344 domains including sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, Mozilla, TorProject, and WordPress, as well as spy agencies including the CIA, Israel's Mossad and Britain's MI6.
DigiNotar is one of many companies that sell the "SSL" security certificates widely used to authenticate websites and guarantee that communications between a user's browser and a website are secure.
In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a website, or used to monitor communications with the real sites without users noticing.
But in order to actually pass off a fake certificate, a hacker must be able to steer his target's Internet traffic through a server he controls. That's something that only an Internet service provider can easily do -- or a government that commands one.
The external review by Fox-IT -- A Dutch company, with offices in Aruba and Great Britain -- found that one fake certificate for Google.com was used 300,000 times between its activation Aug. 4 and when it was revoked on Aug. 29. Almost all usage came from Iran.
"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," it concluded.
The hack of DigiNotar closely resembles one in March of the U.S. security certificate issuer Comodo Inc., which was also attributed to an Iranian hacker. The Fox-IT report said that the hackers erased some evidence of their break-in but purposefully left behind at least one message in one script: "My signature as always, Janam Fadaye Rabhar," which means "I will sacrifice my soul for my leader" in the Farsi language spoken by Iranians.
The same signature line was used by the Comodo hacker, apparently in reference to Iran's religious leader Ayatollah Ali Khamenei.
In a blog posting, U.S. security firm Trend Micro described the attack as "massive," writing that according to its data "Internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar."
Gervase Markham, a Mozilla developer who has been involved in the response to the DigiNotar failure, warned Iranian Internet users to update their browsers, "log out of and back into every email and social media service you have" and change all passwords.
Ot van Daalen of Dutch online civil liberties group Bits of Freedom said he believed the DigiNotar incident will ultimately lead to a reform of authentication technology.
Although no users in the Netherlands are known to have been victimized directly by the hack, it has caused a major headache for the Dutch government, which relied on DigiNotar for authentication of many of its websites.
Interior Minister Piet Hein Donner announced in the early hours of Saturday morning that the safety of websites including the country's social security agency, police and tax authorities could no longer be guaranteed.
The Dutch government took over management of DigiNotar, a subsidiary of Chicago-based Vasco Inc., but kept the websites operating as it scrambles to find replacement security providers.
Donner said Monday he has reached a deal with Microsoft under which it won't block some of the web certificates in the Netherlands for the next week in order to prevent a widespread disruption of government services, which might prove worse than any potential hacking.
"The entire Internet is not a phenomenon that lends itself well to government rules," Donner said at a press conference.