Three senior Western security officials say cyberattacks targeting at least 30 organizations are believed to be the work of hackers acting in the interests of the Turkish government.

Ali Unal/The Associated Press

Sweeping cyberattacks targeting governments and other organizations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said.

The hackers have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public internet records. Victims have included Cypriot and Greek government e-mail services and the Iraqi government’s national security adviser, the records show.

The attacks involve intercepting internet traffic to victim websites, potentially enabling hackers to obtain illicit access to the networks of government bodies and other organizations.

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

Turkey’s Interior Ministry declined to comment. A senior Turkish official did not respond directly to questions about the campaign but said Turkey was itself frequently a victim of cyberattacks.

The Cypriot government said in a statement that the “relevant agencies were immediately aware of the attacks and moved to contain” them. “We will not comment on specifics for reasons of national security,” it added.

Officials in Athens said they had no evidence the Greek government e-mail system was compromised. The Iraqi government did not respond to requests for comment.

The Cypriot, Greek and Iraqi attacks identified by Reuters all occurred in late 2018 or early 2019, according to the public internet records. The broader series of attacks is ongoing, according to the officials as well as private cybersecurity investigators.

A spokeswoman for the UK’s National Cyber Security Centre, which is part of the GCHQ signals intelligence agency, declined to comment on who was behind the attacks. In the United States, the Office of the Director of National Intelligence declined to comment on who was behind the attacks and the Federal Bureau of Investigation did not respond to a request for comment.

HIJACKED

The attacks highlight a weakness in a core pillar of online infrastructure that can leave victims exposed to attacks that happen outside their own networks, making them difficult to detect and defend against, cybersecurity specialists said.

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake e-mail service, and capture passwords and other text entered there.

Reuters reviewed public DNS records, which showed when website traffic was redirected to servers identified by private cybersecurity firms as being controlled by the hackers. All of the victims identified by Reuters had traffic to their websites hijacked – often traffic visiting login portals for e-mail services, cloud storage servers and online networks – according to the records and cybersecurity experts who have studied the attacks.

The attacks have been occurring since at least early 2018, the records show.

While small-scale DNS attacks are relatively common, the scale of these attacks has alarmed Western intelligence agencies, said the three officials and two other U.S. intelligence officials. The officials said they believed the attacks were unrelated to a campaign using a similar attack method uncovered in late 2018.

As part of these attacks, hackers successfully breached some organizations that control top-level domains, which are the suffixes that appear at the end of web addresses immediately after the dot symbol, said James Shank, a researcher at U.S. cybersecurity firm Team Cymru, which notified some of the victims.

VICTIMS

Victims also included Albanian state intelligence, according to the public internet records. Albanian state intelligence had hundreds of usernames and passwords compromised as a result of the attacks, according to one of the private cybersecurity investigators, who was familiar with the intercepted web traffic.

The Albanian State Information Service said the attacks were on non-classified infrastructure, which does not store or process “any information classified as ‘state secret’ of any level.”

Civilian organizations in Turkey have also been attacked, the records show, including a Turkish chapter of the Freemasons, which conservative Turkish media has said is linked to U.S.-based Muslim cleric Fethullah Gulen, accused by Ankara of masterminding a failed coup attempt in 2016.

The Great Liberal Lodge of Turkey said there were no records of cyberattacks against the hijacked domains identified by Reuters and that there had been “no data exfiltration.”

“Thanks to precautions, attacks against the sites are not possible,” a spokesman said, adding that the cleric has no affiliation with the organization.

The cleric has publicly denied masterminding the attempted coup, saying “it’s not possible,” and has said he is always against coups.

A spokesman for Gulen said Gulen was not involved in the coup attempt and has repeatedly condemned it and its perpetrators. Gulen has never been associated with the Freemason organization, the spokesman added.
