One year after DigiNotar breach, Fox-IT details extent of compromise

31.10.2012

"Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates," the company said.

Having access to a CA server alone would not have been enough for the hacker to issue certificates, because the CA's private key was stored in a hardware security module (HSM) and could only be used after an operator activated it by inserting a smartcard.

"The unauthorized actions that might have taken place could not have included the issuing of rogue certificates if the corresponding private key had not been active during the intrusion period," Fox-IT said. "No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period."

However, the company found evidence that Certificate Revocation Lists (CRLs) -- the lists of revoked certificates that a CA publishes on a schedule -- were automatically issued by some CA servers during the intrusion period. A CRL is signed with the same CA private key that signs certificates, so a CRL produced during the intrusion means that key was active in the HSM at that moment, and an attacker in control of the server would have had the opportunity to abuse it.
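The reasoning above can be checked mechanically: a recovered CRL carries a signature and a thisUpdate timestamp, and verifying the signature against the candidate CA certificates tells you which key produced it and when. The following Go program is an added example and not code from the article or from Fox-IT's report; it builds two constructed CAs (one standing in for the Qualified-CA, one for the CCV-CA whose smartcard stayed in the vault), has one of them publish an empty, scheduled-style CRL, and then attributes that CRL to a key and tests whether the timestamp falls inside an intrusion window. The CA names, CRL numbers and the window dates are constructed for the demo, not taken from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a CA certificate with the private key that, in a setup like
// DigiNotar's, would live in an HSM and only be usable once activated.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed CA carrying the crlSign key usage, which
// x509.CreateRevocationList requires of the issuer.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Date(2011, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueCRL mimics a scheduled CRL publication: an empty CRL, numbered and
// timestamped, signed with the CA private key. It cannot be produced at
// all unless that key is available to the signing process.
func issueCRL(c *ca, number int64, at time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: at,
		NextUpdate: at.Add(24 * time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, c.cert, c.key)
}

// crlEvidence is what an investigator takes from a recovered CRL file:
// which CA key signed it, its sequence number, and when it was signed.
type crlEvidence struct {
	Issuer     string
	Number     int64
	ThisUpdate time.Time
}

// attributeCRL parses a DER CRL and verifies its signature against each
// candidate CA certificate; the first one that verifies is the signer.
func attributeCRL(der []byte, candidates []*x509.Certificate) (crlEvidence, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return crlEvidence{}, err
	}
	for _, cand := range candidates {
		if crl.CheckSignatureFrom(cand) == nil {
			return crlEvidence{
				Issuer:     cand.Subject.CommonName,
				Number:     crl.Number.Int64(),
				ThisUpdate: crl.ThisUpdate,
			}, nil
		}
	}
	return crlEvidence{}, errors.New("CRL not signed by any candidate CA key")
}

// keyActiveDuring reports whether any attributed CRL places the named
// CA's key in use inside the window [start, end].
func keyActiveDuring(evs []crlEvidence, issuer string, start, end time.Time) bool {
	for _, ev := range evs {
		if ev.Issuer == issuer && !ev.ThisUpdate.Before(start) && !ev.ThisUpdate.After(end) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed CAs and intrusion window for the demo only.
	qualified, err := newCA("Demo Qualified CA")
	if err != nil {
		panic(err)
	}
	ccv, err := newCA("Demo CCV CA")
	if err != nil {
		panic(err)
	}
	start := time.Date(2011, 6, 17, 0, 0, 0, 0, time.UTC)
	end := time.Date(2011, 7, 22, 0, 0, 0, 0, time.UTC)

	// Only the "qualified" key signs anything; the "CCV" key stays unused.
	der, err := issueCRL(qualified, 42, time.Date(2011, 7, 1, 3, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	ev, err := attributeCRL(der, []*x509.Certificate{ccv.cert, qualified.cert})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL #%d signed by %q at %s\n", ev.Number, ev.Issuer, ev.ThisUpdate.UTC())
	evs := []crlEvidence{ev}
	fmt.Println("qualified key active in window:", keyActiveDuring(evs, "Demo Qualified CA", start, end))
	fmt.Println("CCV key active in window:      ", keyActiveDuring(evs, "Demo CCV CA", start, end))
}
```

The attribution step is the forensic core: a CRL that verifies under a CA certificate is proof that the corresponding private key was used at its thisUpdate time, independent of any smartcard usage records the operator can or cannot produce. A real investigation would feed recovered CRL files and the CA certificates into attributeCRL instead of generating them.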

All information discovered during the investigation about the attacker, such as the IP addresses he used -- some of them belonging to proxy servers -- was handed over to the Dutch police. The evidence suggests that the hacker was located in Iran, and a signature left in a text file points to him being the same attacker who compromised the Comodo certificate authority in March 2011.