While disclosing a December 2022 attack on its infrastructure, GoDaddy realised that it had been under attack for the last three years. The first attack came in March 2020, when a threat actor compromised the hosting login credentials of about 28,000 hosting customers as well as the login credentials of some GoDaddy personnel. This was followed by an attack in November 2021, when its WordPress service was breached.
Finally, the latest attack happened in December 2022. The company received “a small number of customer complaints about their websites being intermittently redirected”. Further investigation revealed that an unauthorised third party had gained access to servers in GoDaddy’s cPanel shared hosting environment and had installed malware causing website redirections.
As soon as the intrusion was confirmed, GoDaddy “remediated the situation and implemented security measures in an effort to prevent future infections”. They seemingly have evidence that the incident was carried out by “a sophisticated and organised group” targeting GoDaddy and similar services. According to the company, law enforcement has also confirmed this.
While not a lot is known about these attacks at the moment, the company claims that the apparent goal here is to infect websites and servers with malware to facilitate phishing campaigns, malware distribution and other related malicious activities.
GoDaddy has detailed the attacks mentioned above in the 10-K Form that all US entities are expected to submit following a cyber attack or infrastructure breach. According to the filing, none of the attacks or threats has resulted in any adverse impact on the company’s business or operations. That said, it did point out that the attacker got away with pieces of code related to some services within GoDaddy.
The incident is still under investigation. The company is working with multiple law enforcement agencies, and is monitoring and blocking attempts from said “criminal organisation” while collecting evidence and information regarding its tactics and techniques.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement,” GoDaddy said.