An Iranian hacker has claimed that he single-handedly compromised an affiliate of Comodo and created fraudulent SSL certificates for existing domains including mail.google.com, www.google.com, login.yahoo.com and addons.mozilla.org.
It was known that the attack could have come from Iran (as the IP addresses used during the attack belonged to an Iranian ISP), but it was unclear whether these addresses were the real originating addresses or part of a false trail. It was also suggested that the attack was state sponsored, both because of the nature of the attack and because of the domain names chosen for the fake SSL certificates.
However the hacker says “I’m not a group of hacker, I’m single hacker with experience of 1000 hackers, I’m single programmer with experience of 1000 programmers, I’m single planner/project manager with experience of 1000 project managers, so you are right, it’s managed by a group of hackers, but it was only I with experience of 1000 hackers.”
The hacker, who claims to be 21, goes on to say that the attack was a response to Stuxnet: “When USA and Israel creates Stuxnet, nobody talks about it, nobody blamed, nothing happened at all, so when I sign certificates nothing should happen, I say that, when I sign certificates nothing should happen. It’s a simple deal.”
The initial post was then followed up with a code sample which the author claims is source code from the compromised Comodo reseller.
“Initially it was unclear if this guy was for real, and of course it is still impossible to tell,” said Chester Wisniewski from Sophos. “The one remaining mystery is this: If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world?”