Report on July 7, 2017 incident

07.07.2017 - written by  in Domain names

[EDIT – 2017/07/10] A detailed incident report is now available.

Friday July 7 at 11:00 UTC (4:00 AM PDT), an unauthorized connection occurred at one of the technical providers we use to manage a number of geographic TLDs.

In all, 751 domains were affected by this incident, which involved an unauthorized modification of the name servers [NS] assigned to the affected domains that then forwarded traffic to a malicious site exploiting security flaws in several browsers.

We took corrective measures on all impacted domains starting around 12:50 UTC (5:50 AM PDT) and finishing around 13:30 UTC (6:30 AM PDT), returning the majority of affected domains to normal as quickly as possible.

Since these corrective measures also required an update to take place on the registry side, certain domain names were impacted for longer than the time frame between the beginning of the incident at 11:00 UTC and time of completion of our fix at 13:30 UTC. This was most notably the case for .es domain names. As of 18:02 UTC (11:02 AM PDT), all operations correcting the issue had been fully completed by the various registries involved.

As soon as we became aware of this incident, our technical teams and our provider have been working together closely to resolve the problem and to identify the source of the unauthorized modifications.

At the same time, our technical teams are working to verify all of our systems to ensure that none of Gandi’s infrastructure has been compromised. All of our analyses up to this point have assured us that this was not the case and that our systems are secure. We are currently looking into a possible security vulnerability with connections to our provider.

Switch, the registry for .ch domains, was also alerted to this incident, which allowed domains to be used to spread malicious software in “drive-by” style attacks. You can read the analysis done by Switch on their blog.

We also strongly encourage you to inform your customers of this situation so that they may take whatever action they deem necessary to protect their devices and data as well.

We are acutely aware of the negative impact of this situation on your online activity. As soon as the attack came to our attention, we immediately took all available actions to limit its impact as well as restore and secure your domains as quickly as possible. We would like to extend our sincere apologies to you for all negative impacts this incident may have had on you.


Full list of affected TLDs:
.ASIA, .AT, .AU, .CAT, .CH, .CM, .CZ, .ES, .GR, .HK, .IM, .IT, .JP, .LA, .LI, .LT, .LV, .MG, .MS, .MU, .NL, .NU, .NZ, .PE, .PH, .PL, .RO, .RU, .SE, .SH, .SI, .SX, .UA, .XN–P1AI (.рф).