From an analysis of Trend Micro Smart Protection Network data, the company found that a significant share of the Internet users who loaded DigiNotar's SSL certificate verification URL on Aug. 28 were from Iran, but by Aug. 30 most of the traffic from Iran had disappeared, and by Sept. 2 almost all of the Iranian traffic was gone.
It became public on the evening of Aug. 29 that a rogue *.google.com certificate had been presented to a number of Internet users in Iran, according to the Fox-IT report. The false certificate had been issued by DigiNotar and was revoked that same evening.
Fox-IT was contacted the next day and asked to investigate the breach and report its findings before the end of the week.
Fox-IT's report indicates that the initial compromise at DigiNotar may have occurred on June 17. DigiNotar noticed the incident on June 19 in its daily audit procedure but doesn't appear to have done anything about it. The company could not be immediately reached for comment.
The first rogue certificate, for *.google.com, was issued on July 10. All the other rogue certificates were issued between July 10 and July 20.
The hack implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack, Fox-IT said. The most critical servers, for example, contain malicious software that antivirus software can normally detect. The separation of critical components was either not functioning or not in place, it added.