RNIDS would like to notify users of Serbian national domains and members of the public that on 5th February 2017, between 01:49 and 04:35 hours CET, there was a security incident involving the registrar Ninet.
During this incident, unauthorised access was gained to Ninet’s systems, following which a large number of unauthorised requests for changes to domain name details were sent via the EPP protocol. A total of 924 national domains were affected by this incident. The unauthorised requests consisted only of changes to the NS records for the affected domains, that is, the domains were redirected to new addresses.
These changes gradually became visible on the Internet as the zone file was automatically updated at 02:00, 04:00 and 06:00 CET on 5th February. During the incident, attempts to change the same data for a further 126 national domains were logged, but these attempts were unsuccessful as the domains concerned were in Locked status.
Ninet became aware of the unauthorised access on the morning of 5th February, when they noticed an unusually large number of notifications of changes to domain data, which RNIDS’ system had automatically generated and sent to the email addresses of Ninet’s admins.
Ninet immediately set about reverting the NS records for the affected domains to their prior values. These changes were made between 09:17 and 11:48 CET and between 13:46 and 21:05 CET. The data for a total of 889 domains were reverted in this way, while during Monday and Tuesday (by 7th February at 14:00 CET) unauthorised changes were cancelled for a few dozen remaining domains.
During this incident, RNIDS systems were not compromised, nor did they experience any downtime.
RNIDS will publish a report on the incident once it has gathered and considered all the relevant information.