The notice was issued by the DHS and links the emergency directive
Emergency Directive 19-01 titled “Mitigate DNS Infrastructure Tampering.”
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is
“To address the significant and imminent risks to agency information and information systems presented
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
The emergency directive requests federal agencies to check public DNS records for all .gov and other domains they manage to ensure that they have not been tampered with. The check must be completed in 10 days and includes Address (A), Mail Exchanger (MX), and Name Server (NS) records.
Within 10 business days, agencies will have to change the passwords for their DNS account and enable multifactor authentication where available, but CISA warns risks for SMS-based MFA.
DHS also instructed federal agencies to monitor Certificate Transparency logs for any abuse related to fraudulently issued certificates.
The overall process and signs of progress will be monitored by the DHS, the agencies must submit a status report by January 25 and a final report for all the
“Beginning February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (
“By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues.”
The emergency directive is probably related to a recently disclosed campaign of DNS hijacking attacks uncovered by FireEye.
The DNS hijacking campaign targeted government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America
FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.
The attackers are not financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.
It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale. Attackers used three different ways to manipulate DNS records to enable victim compromises.
After the FireEye’s report, the US-CERT published an alert on January 10 to warn organizations of DNS hijacking campaigns.
(SecurityAffairs – DHS, DNS hijacking attacks)