Details of the hack that led to man-in-the-middle attacks on hundreds of thousands of Iranians' Google accounts and ultimately the liquidation of certificate authority DigiNotar have been released by the Dutch government.
The 'Black Tulip' report (pdf) by security company Fox-IT charts how a hacker, believed to have been based in Iran, gained access to internal DigiNotar systems.
The hacker, who claimed responsibility for a hack on certificate authority Comodo, first gained access to web servers in DigiNotar's external Demilitarised Zone (DMZ-ext-net) on 17 June 2011.
From the DMZ, the hacker traversed office systems and managed to tunnel into DigiNotar's Secure-net on 1 July 2011. The Secure-net contained the company's eight certificate authority servers. Specialised tools were used to create tunnels that gave the servers an indirect connection to the internet, allowing them to be accessed remotely.
The hacker successfully issued the first rogue certificate on 10 July 2011. All of DigiNotar's certificate servers were compromised, including a server used to generate certificates for Dutch e-government services. In all, 531 rogue certificates were detected as having been created.
One rogue certificate for Google.com was used to perform a massive man-in-the-middle (MITM) attack on Iranian Google users. Users who tried to reach legitimate Google sites were redirected to fake versions of those sites. A total of 298,140 unique IP addresses were victimised during the MITM attack.
After an investigation into the DigiNotar hack attack, the Dutch government completely revoked trust in DigiNotar-issued certificates, forcing the company's bankruptcy in September 2011.
The 'Black Tulip' final report was published on 13 August 2012, and made public by the Dutch Ministry of the Interior on Monday. An interim report was published on 5 September 2011.