"Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar's systems that were not directly connected to the Internet," Fox-IT said. "The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers."
DigiNotar operated multiple subordinate certificate authorities (sub CAs) and used them to issue digital certificates for different purposes, including certificates for the Dutch government's IT operations.
Fox-IT reiterated the conclusion expressed in its interim report released in September 2011 that all of DigiNotar's CA servers had been compromised. This was possible because all servers were on the same Windows domain and the attacker managed to obtain the domain administrator credentials, possibly through "brute force" methods because the password was not very strong, the company said in the interim report.
"The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder," Fox-IT said in its final report released Monday. "The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with."
Because some of the logs had been deleted, the company couldn't determine which of the compromised CA servers were actually used to issue rogue certificates. However, some evidence suggests that the hacker issued more rogue certificates than previously believed.
"Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates," the company said.
Having access to a CA server wouldn't have been sufficient for the hacker to issue digital certificates, because this process required an operator to insert a smartcard in order to activate the corresponding private key, which was stored in a hardware security module.
"The unauthorized actions that might have taken place could not have included the issuing of rogue certificates if the corresponding private key had not been active during the intrusion period," Fox-IT said. "No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period."