The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system.
Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations but also because it calls into question the basic trust model of the internet.
The hackers would change the target organization's domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim's legitimate ones.
When users then attempted to reach the victim's network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination.
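As an added defender-side illustration (not code from the Talos report or this article), the following Python compares a trusted baseline of a zone's NS delegation and host addresses against a fresh snapshot and flags the two changes described above: a swapped nameserver and a host that now resolves somewhere else. The records are constructed sample data using documentation addresses and names; in practice the observed snapshot would come from querying the parent zone and the authoritative servers.

```python
"""Flag DNS-hijack indicators: a changed NS delegation or a host whose
resolved addresses no longer match a trusted baseline."""
from dataclasses import dataclass


def norm(name: str) -> str:
    """Normalize a DNS name: case-insensitive, trailing dot ignored."""
    return name.strip().lower().rstrip(".")


@dataclass
class ZoneSnapshot:
    ns: set      # nameservers from the parent delegation
    hosts: dict  # hostname -> set of IPv4 addresses it resolved to


def normalize_snapshot(snap: ZoneSnapshot) -> ZoneSnapshot:
    return ZoneSnapshot(
        ns={norm(n) for n in snap.ns},
        hosts={norm(h): set(a) for h, a in snap.hosts.items()},
    )


def detect_hijack(baseline: ZoneSnapshot, observed: ZoneSnapshot) -> list:
    """Return human-readable findings; an empty list means no deviation."""
    base, obs = normalize_snapshot(baseline), normalize_snapshot(observed)
    findings = []
    added, removed = obs.ns - base.ns, base.ns - obs.ns
    if added or removed:  # delegation now points at foreign nameservers
        findings.append(f"NS delegation changed: +{sorted(added)} -{sorted(removed)}")
    for host, expected in base.hosts.items():
        seen = obs.hosts.get(host)
        if seen is None:
            findings.append(f"{host}: no answer in observed snapshot")
        elif seen != expected:  # traffic would now go to a different box
            findings.append(f"{host}: resolved to {sorted(seen)}, expected {sorted(expected)}")
    return findings


# Constructed sample data (RFC 5737 addresses, reserved example names).
BASELINE = ZoneSnapshot(
    ns={"ns1.example.net.", "ns2.example.net."},
    hosts={"www.example.com": {"192.0.2.10"}, "mail.example.com": {"192.0.2.25"}},
)
OBSERVED = ZoneSnapshot(
    ns={"NS1.rogue-dns.example.", "ns2.example.net"},
    hosts={"www.example.com": {"198.51.100.7"}, "mail.example.com": {"192.0.2.25"}},
)

if __name__ == "__main__":
    for finding in detect_hijack(BASELINE, OBSERVED):
        print("ALERT:", finding)
```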
A disturbing element of the Sea Turtle hackers' approach—and DNS hijacking in general—is that the point of initial compromise occurs at internet infrastructure groups, entirely outside the real target's network.