28 Mar 2011
A lone Iranian hacker has claimed responsibility for the recent compromise of an affiliate of certificate authority Comodo and the fraudulent issuance of nine SSL certificates that followed, despite experts initially believing the attack was carried out by the Iranian government.
In a posting on Pastebin over the weekend, the self-titled 'Comodo Hacker' explained that he had "no relation to Iranian Cyber Army".
The hacker said he came across Comodo affiliate InstantSSL.it while investigating how to compromise a certificate authority, and found on its site a DLL that he was able to decompile.
Inside the decompiled code was a user name and password stored in plain text. Those credentials were used to submit fraudulent certificate signing requests to Comodo, which signed them and issued the certificates.
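What the attacker described is a routine finding rather than a clever one: string literals survive compilation, so any credential built into a DLL can be read out with nothing more than a strings tool, long before anyone bothers to decompile it. The following Python is an added example, not code from the article or from Comodo or InstantSSL.it; it runs the check a code reviewer (or an attacker) would run, extracting ASCII and UTF-16LE string literals from a binary blob and flagging credential-shaped values. The blob, the hosts and the credentials in it are constructed for the example.

```python
"""Scan a binary blob for credential-shaped string literals (added example)."""
import math
import re
from collections import Counter

# Constructed sample standing in for a compiled Windows DLL. It is NOT the real
# InstantSSL.it binary; the hosts, account name and passwords are made up. It
# mimics what made the real one exploitable: ASCII and UTF-16LE string
# literals, some of which are credentials.
PAD = b"\x00" * 4
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$" + PAD
    + b"https://api.example-ca.test/AutoApplySSL" + PAD
    + "loginName=reseller_account".encode("utf-16-le") + PAD
    + b"loginPassword=Sup3rSecr3t!" + PAD
    + "Content-Type: application/x-www-form-urlencoded".encode("utf-16-le") + PAD
    + b"https://admin:hunter2@internal.example-ca.test/renew" + PAD
    + b"GetProcAddress\x00LoadLibraryA\x00"
)

MIN_LEN = 6
# Printable runs, the same idea as `strings -e s` (ASCII) and `strings -e l` (UTF-16LE)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# key=value or key: value where the key contains a credential-ish word
KEY_VALUE = re.compile(
    r"(?i)\b([a-z]*(?:user|login|pass|pwd|key|secret|token)[a-z]*)\s*[=:]\s*([^\s&;\"']+)"
)
# scheme://user:password@host embeds a credential in a URL literal
URL_USERINFO = re.compile(r"https?://([^\s/:@]+):([^\s/@]+)@")


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def shannon_entropy(s):
    """Bits per character; a high value on a flagged value suggests a real secret."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_credentials(blob):
    """Return a list of dicts (offset, encoding, kind, key, value, entropy)."""
    findings = []
    for offset, enc, text in extract_strings(blob):
        for m in KEY_VALUE.finditer(text):
            findings.append(dict(offset=offset, encoding=enc, kind="key-value",
                                 key=m.group(1), value=m.group(2),
                                 entropy=shannon_entropy(m.group(2))))
        for m in URL_USERINFO.finditer(text):
            findings.append(dict(offset=offset, encoding=enc, kind="url-userinfo",
                                 key=m.group(1), value=m.group(2),
                                 entropy=shannon_entropy(m.group(2))))
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_DLL):
        print(f"0x{f['offset']:06x} {f['encoding']:8} {f['kind']:12} "
              f"{f['key']}={f['value']} (entropy {f['entropy']:.2f})")
```

Run against the constructed blob it reports three findings: the UTF-16LE account name, the ASCII password and the user:password pair embedded in a URL. The UTF-16LE pass matters in practice because a plain ASCII strings run misses every wide-character literal in a Windows binary, and a literal placed right after another one with no padding can be swallowed into a neighbouring run, so the regexes scan both encodings independently.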
In a rambling but convincing explanation full of pro-Iranian posturing, the hacker framed the attack as retaliation against the US and Israel for the countries' alleged involvement in the Stuxnet attack.
"My message to people who have problem with Islamic Republic of Iran, SSL and RSA certificates are broken, I did it one time, make sure I'll do it again, but this time nobody will notice it," the hacker wrote.
"If you was doing a dirty business in internet inside Iran, I suggest you to quit your job, listen to sound of most of people of Iran, otherwise you'll be in a big trouble, also you can leave digital world."
Firefox, Chrome and Internet Explorer were all updated in the aftermath of the incident to explicitly distrust the fraudulently issued certificates, rather than relying solely on revocation checks that an attacker in control of a victim's network could block.
Comodo chief executive Melih Abdulhayoglu initially told V3.co.uk that he believed the attack came from the Iranian government.
This is because the targets were internet infrastructure rather than financial companies, and because a fraudulent certificate is only useful if victims can be routed to the attacker's server: the hacker would have needed high-level DNS access to push traffic to fake sites presenting the fraudulently issued certificates.
Chester Wisniewski, senior security advisor for Sophos Canada, explained that the incident highlights what can happen when companies have insecure passwords and password handling.
"Fortunately the impact of this incident is quite small and may be a wake-up call for the certificate industry as a whole," he wrote.
"As Mozilla pointed out in a blog post, the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice."
While the 'Comodo Hacker' claims to be acting alone, there is still no definitive proof that the individual was not working under orders from the Iranian authorities.
One of the difficulties in establishing the involvement of the Chinese authorities in hacking attacks, for example, is that the attacks are often carried out by those with no direct involvement in the government, but to whom the authorities have covertly lent some kind of support and guidance.
Another update from hacker
Hacker just sent another update, see: http://pastebin.com/CvGXyfiJ
Posted by: ichsunx 28 Mar 2011