ICANN was the target of what's known as a "spear phishing" attack, the group says, where an e-mail is sent to employees that looks to have come from inside the organization. By appearing as if they come from a trusted source, those e-mail trick targets into handing over passwords and other credentials.
Those details were used to access several ICANN computer systems of varying degrees of sensitivity. Those systems include WhoIs, the database that identifies who owns which Web site; the ICANN blog; an internal wiki; and what's known as the Centralized Zone Data Service, which contains the maps laying out the Internet's global addressing scheme.
But perhaps the most mission-critical system, says ICANN, wasn't breached. That's the Internet Assigned Numbers Authority. Known as IANA, that system keeps track of which Web sites and other digital assets are located where on the Internet.
"At this point, we have confirmed that the attack has not affected the IANA-related systems," says ICANN spokesperson Brad White. "They are separate systems with additional layers of security that were not breached." The source of the attack isn't yet clear.
Why is even the possibility of an IANA breach raising eyebrows?
Because hacker gaining control over IANA could be severely damaging to how the Internet works. Someone with malicious intent could rewrite the tables that keep the Internet organized. That's a bit like a terrorist organization taking over every airport control tower in the world at once, rerouting planes or simply grounding them. While everyone scrambled to find fix the system, Web sites could stop functioning and with it much of the world's global economy.
In a way, ICANN is in a race against hackers that has been a long time coming. The Internet at its founding was based largely on trust. IANA was, for many years, one person: a computer scientist named Jon Postel, who managed much of the early Internet's operations from his office at the University of Southern California. But that naming-and-numbering function was transferred to ICANN upon Postel's death in the late 1990s, as part of a Clinton administration-led push to make the emerging Internet safe for commerce.
ICANN has only lately taken steps to protect its most sensitive systems. So-called "two-factor authentication" involving a password and another credential, such as a fingerprint, was recently added to protect the IANA system.
That naming and numbering service is currently managed by ICANN under a contract with the U.S. Commerce Department, a legacy of the Clinton-era transition. The Commerce Department has recently taken steps to give up that contract, a move that has been opposed by some in Congress. But a shift in who ultimately will oversee IANA's existence likely would not affect day-to-day operations of the system.
As with the attack on Sony's e-mail system, the ICANN attack shows hackers being savvy about picking targets that can be leveraged to inflict maximum strategic damage, not simply financial gain.
ICANN says that it is still investigating the attack.