Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs
“FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications
“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.”
Experts monitored the activities of threat actors between January 2017 and January 2019.
Working with victims, the security firm collected evidence that links the campaign to Iran, tactics, techniques
FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.
The attackers are not financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.
It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale.
“While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale,” continues the analysis published by FireEye.
“The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways.”
Attackers used three different ways to manipulate DNS records to enable victim compromises.
The first technique involves attackers logging into a DNS provider’s administration interface with compromised credentials and changing DNS A records to intercept email traffic.
In the second technique, attackers change the DNS NS records after compromising the victim’s domain registrar account.
In both cases, the
“The Let’s Encrypt Certificate allows the browsers to establish a connection without any certificate errors as Let’s Encrypt Authority X3 is trusted,” the researchers continue.
With these techniques, attackers are able to harvest
The third attack technique involved a DNS redirector, used together with previously altered A and NS records, to send victims’ traffic to infrastructure controlled by the attackers.
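As an added example (not FireEye's tooling), a minimal baseline check for the kind of A and NS record drift the three techniques above produce; the domain, addresses and the stand-in resolver are constructed placeholders:

```python
"""Baseline check for the record changes described above: a mail host's A
record or a domain's NS delegation swapped out from under the owner."""
from typing import Callable, Dict, List

# (owner name, rrtype) -> rdata strings. Injected so the block runs offline;
# in production wrap a real resolver and ask the parent (TLD) servers for NS,
# so a registrar-level delegation change shows even if the zone looks normal.
Resolver = Callable[[str, str], List[str]]

# What each kind of drift means for a defender, in the terms of the article.
IMPACT = {
    "A": "host now resolves elsewhere; mail/web traffic may be intercepted",
    "NS": "delegation changed; review the registrar account and its credentials",
    "MX": "mail exchanger changed; inbound mail may be redirected",
}

def check_baseline(baseline: Dict[str, Dict[str, List[str]]],
                   resolve: Resolver) -> List[dict]:
    """Compare live answers to a known-good baseline; one finding per drift."""
    findings = []
    for name, records in baseline.items():
        for rrtype, expected in records.items():
            observed = resolve(name, rrtype)
            if sorted(observed) != sorted(expected):
                findings.append({"name": name, "type": rrtype,
                                 "expected": sorted(expected),
                                 "observed": sorted(observed),
                                 "impact": IMPACT.get(rrtype, "drift from baseline")})
    return findings

# Constructed demo data: placeholder domain, RFC 5737 documentation addresses.
BASELINE = {
    "example-agency.test": {"NS": ["ns1.registrar.test", "ns2.registrar.test"],
                            "MX": ["mail.example-agency.test"]},
    "mail.example-agency.test": {"A": ["192.0.2.10"]},
}
# Answers after the first technique: only the mail host's A record was swapped,
# so NS and MX still match and the change is easy to miss without a baseline.
HIJACKED = {
    ("example-agency.test", "NS"): ["ns2.registrar.test", "ns1.registrar.test"],
    ("example-agency.test", "MX"): ["mail.example-agency.test"],
    ("mail.example-agency.test", "A"): ["198.51.100.7"],
}

def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Stand-in for a real DNS lookup; returns the constructed answers above."""
    return HIJACKED.get((name, rrtype), [])
```

Calling `check_baseline(BASELINE, fake_resolver)` returns a single finding for the mail host's A record; with a real resolver behind it, running this on a schedule against a stored baseline surfaces the silent record swaps the campaign relies on.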
FireEye says it is still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.
Because it is currently not possible to pin down a single intrusion vector for each record change, the experts believe the attackers employed multiple techniques to gain an initial foothold in victims’ infrastructure.
“Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account,” concludes FireEye.
“This DNS hijacking, and the scale at which it has been
(SecurityAffairs – Iran, DNS hijacking)