Open main menu
Date June 17, 2011. DigiNotar detected an intrusion into its Certificate Authority infrastructures on 19 July 2011.[1]
Suspected actor An independent Iranian hacker under the name of “Comodohacker”.[2] A report published by Fox-IT,[3] a security consultancy company hired by the Dutch government to investigate the breach against DigiNotar, found a link to an earlier attack conducted by the same actor against the Comodo Certificate Authority company. [4]
Target DigiNotar, a Dutch Certificate Authority company owned by Vasco Data Security Itl. DigiNotar was also providing certificates for the Dutch government.[5]
Target systems Servers managing the certificate authorities within the DigiNotar company.
Method The attacker entered the servers in DigiNotar’s external Demilitarized Zone (called DMZ-ext-net), exploiting them for exchanging files between internal and external systems. After breaching DigiNotar’s Secure-net, the hacker was able to penetrate deeper, reaching the Qualified-CA servers, which were exploited to issue accredited qualified as well as government certificates. [6]
Purpose The hacker described the attack as a political retaliation against the Dutch government for failing to prevent the Srebrenica genocide, which saw the death of 8,000 Muslims during the Bosnian conflict in 1995.[7]
Result After preliminary investigations, all certificates issued by DigiNotar have been deemed untrustworthy by major companies such as Microsoft,[8] Google and Mozilla.[9] As the intruder was able to delete all log files, the entity of the damages cannot be calculated and the exact number of fraudulent certificates issued by the hacker cannot be established.[10] The Fox-IT audit report on the incident provided a non-exhaustive list of 531 rogue certificates that has been issued by the malicious actor, comprehending Google, Facebook, Skype, and Microsoft. [11]
Aftermath Due to the impossibility to detect many of the rogue certificates issued since the breach suffered by DigiNotar, all of the certificates released by the company have been blacklisted.[12] Ultimately, the breach resulted in a huge loss of trust and the company dissolved by declaring bankruptcy.[13]
Analysed in Scenario 08: Certificate authority hack

Collected by: Samuele De Tomas Colatin

  1. P Bright, “Independent Iranian hacker claims responsibility for Comodo hack”, (28 March 2011), Ars Technica.
  2. E Mills, “Google users in Iran targeted in SSL spoof”, (30 August 2011), CNET.
  3. Fox-IT, “DigiNotar public report version 1”, (5 September 2011), Government of the Netherlands.
  4. T Espiner, “DigiNotar hack details revealed by Dutch government”, (2 November 2012), SC Media UK.
  5. S Frantzen, “DigiNotar breach - the story so far”, (1 September 2011), Sans InfoSec Diary Blog.
  6. D Fisher, “Final Report on DigiNotar Hack Shows Total Compromise of CA Servers”, (31 October 2012), Threatpost.
  7. COMODOHACKER, “Striking Back…”, (5 September 2011), Pastebin.
  8. MSRC Team, “Microsoft updates Security Advisory 2607712”, (6 September 2011), Microsoft TechNet Blog.
  9. C Arthur and Agencies, “DigiNotar SSL certificate hack amounts to cyberwar, says expert”, (5 September 2011), The Guardian.
  10. J Leyden, “Inside 'Operation Black Tulip': DigiNotar hack analysed”, (6 September 2011), The Register.
  11. F Rosch, “DigiNotar SSL Breach Update”, (7 September 2011), Symantec Official Blog.
  12. K Zetter, “DigiNotar Files for Bankruptcy in Wake of Devastating Hack”, (20 September 2011), Wired.
  13. ENISA, “Operation Black Tulip: Certificate authorities lose authority”, ENISA report.