For GoDaddy, past breaches went from bad to worse.
Source code was stolen. Malware was installed on servers running the web hosting control panel customers use to manage their sites and shared servers. Customer websites were randomly redirected to malicious sites.
GoDaddy hasn’t revealed the potential impact of a multiyear intrusion of its systems the company disclosed last week, but there's a poor prognosis for the web hosting giant and its customers.
“Multiyear dwell times are a huge red flag,” Zane Bond, head of product at Keeper Security, said via email.
“With an attack lasting multiple years, it would be safe to assume that all customers are potential victims,” Bond said.
GoDaddy disclosed several data breaches in 2020 and 2021, including an incident that impacted up to 1.2 million customers. Details on those attacks and this latest incident were lumped together in a filing with the Securities and Exchange Commission.
Upon further inquiry into this matter, a spokesperson reiterated a key statement in the filing: “Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”
The company declined to answer questions about how many customers are impacted or what type of data might be compromised. GoDaddy ended last year with 21 million customers.
GoDaddy was tipped off to the latest malicious activity when customers complained about intermittent site redirects starting in early December. An investigation into the root cause of the incident is ongoing, GoDaddy said last week.
“We’ve been given concerning information, but also very little information, which indicates that the company may not know the full scope of the breach just yet,” Bond said.
Repeat attacks are common
GoDaddy isn’t the first major company to experience a multiyear breach or subsequent cyberattacks, and it won’t be the last. Cyberthreat actors can and will hit the same digital targets multiple times.
“Follow-on attacks are very common,” Andrew Barratt, VP of technology and enterprise accounts at the cybersecurity advisory Coalfire, said via email.
Sometimes organizations are targeted multiple times by different threat actors, using different techniques, but often at the same time, he said.
“With adversaries, there is a concept of blood in the water when a company or industry is successfully breached. Threat actors tend to swarm with similar, repeat attacks,” Bond said.
GoDaddy, in a statement released alongside its SEC filing, said it’s monitoring the threat actor’s behavior and blocking attempts from the criminal organization.
“I can’t speak to this specific breach as the details are not yet known but when we see recurring attacks on the same firm, it typically indicates that the original threat actor was not fully ousted from the environment,” Jess Burn, senior analyst at Forrester, said via email.
“This lack of confidence in eradication may also explain the delays we see in breach disclosure,” which damages trust among customers, employees, partners, insurers and regulators, Burn said.
The random site redirects discovered by customers in this latest incident provide further evidence GoDaddy doesn’t yet know how the threat actor got into its systems or the full extent of damage caused.
When attacks share identical characteristics, “it’s typically down to poor remediation of the initial root cause, or perhaps even that the initial root cause wasn’t fully understood,” Barratt said.
GoDaddy, in its 10-K filing, said the resolution and outcome of the 2020 and 2021 incidents remain uncertain.
“To date, these incidents as well as other cyberthreats and attacks have not resulted in any material adverse impact to our business or operations,” the company said. “But such threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them.”