On 15 March, someone using an IP traced to Iran managed to access a Comodo certificate affiliate’s registration authority server and issue 9 security certificates in 7 DNS domains, only 1 of which has been seen in use on the Internet according to Comodo’s public incident report.
The Comodo incident report states:
What Didn’t Happen
- Our CA infrastructure was not compromised.
- Our keys in our HSMs were not compromised.
- No other RA was compromised. No other RA user accounts were compromised.
A security certificate issuing company that had any of these things compromised would soon be out of business, so there’s just that tiny little skeptic’s voice asking, “I wonder what really happened”.
Comodo has interpreted the attack as an Iranian-state sponsored attack that “was executed with clinical accuracy”. The attacker had control of DNS infrastructure and the attack was to solicit certificates that would have allowed the attacker to masquerade as sites such as Google, Yahoo, Skype, Mozilla and Microsoft; sites providing search, communications and e-mail–infrastructure sites rather than financial houses or credit card companies.
See Comodo’s Data Security Blog for more details.
Someone has taken credit for the attack and for compromising a second registration authority, posting decompiled code as proof.