GoDaddy, a web hosting behemoth, said the company suffered from a multi-year breach with attackers installing malware on its servers.
Unknown attackers accessed GoDaddy’s servers via cPanel shared hosting environment and installed malware, in an attack spanning several years.
According to the company, the breach was discovered in December 2022, after investigating customer complaints about their sites used to redirect to random domains. The company found that at least three security events from 2020 to 2022 can be attributed to the same attacker.
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company said in a filing to the Securities and Exchange Commission (SEC).
GoDaddy claims that the same attackers carried out the 2021 breach when email addresses of up to 1.2 million Managed WordPress customers of the company had been accessed by an unauthorized third party.
The same unidentified group is also suspected of being behind the 2020 attack when threat actors compromised the hosting login credentials of around 28,000 hosting customers and several of GoDaddy’s staff.
The most recent attack saw threat actors installing malware intermittently redirecting users to seemingly random websites. GoDaddy claims that the company fixed the issue and implemented security measures to prevent future attacks.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the company said in a statement.
GoDaddy believes that threat actors target hosting services to infect websites and servers with malware that can be later used in phishing campaigns, for malware distribution, or other malicious activities.
Last April, the Cybernews research team discovered hundreds of compromised WordPress sites had been running malicious phishing adverts. GoDaddy was hit the worst, with 42 infected websites.
The most badly affected country was the US, which had 201 websites compromised, followed by France (62 websites), Germany (51), and the UK (34).
GoDaddy is a US-based web hosting and domain registrar company. According to its latest SEC filing, the company has around 1.5 million paying customers and generates over $4 billion in revenue.