EMEA, Breach, Content

Iranian Hackers Implicated in Global DNS Highjacking Campaign

Iranian hackers may be behind a surge of domain name system (DNS) hijacks that have targeted dozens of government, telecommunications and internet infrastructure domains in North America, Europe, the Middle East and North Africa.

Security provider FireEye said it has been tracking the activity for several months but thus far has been unable to link it to any previously known cyber attackers. Still, FireEye researchers Muks Hirani, Sarah Jones and Ben Read wrote in a blog post that their digging “suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success.”

What makes this assault different from other Iranian activity is the unprecedented scale of DNS records manipulations to compromise victims, FireEye said. Here are some of its findings:

  • Multiple clusters of this activity have been active from January 2017 to January 2019.
  • There are multiple, non-overlapping clusters of actor-controlled domains and IPs used in this activity.
  • A wide range of providers were chosen for encryption certificates and virtual private server (VPS) hosts.
  • Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.

Such is the extent of the threat that the U.S. National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), issued a bulletin on the DNS hijacking campaign. “Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve,” the agency wrote. “This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”

Alister Shepherd, the Dubai-based Middle East and Africa director for FireEye’s Mandiant unit suggested the DNS hijacks might be linked an Iranian spying effort, according to a Bloomberg report. “This gives attackers their initial foothold,” he said. “They are collecting information that provides both immediate espionage benefits and potentially, longer term, it gives a foothold that could be a precursor or pre-positioning for other types of attacks, be they disruptive or destructive.”

FireEye said it is working with victims, security organizations and law enforcement, perhaps an indication that a multi-resource effort worldwide might be necessary to apprehend the bad actors. Still, this kind of attack is a challenge to defend against because a hacker can get steal valuable data without breaking into a network, the security expert said.

Here are FireEye's recommendations:

  • Implement multi-factor authentication on your domain’s administration portal.
  • Validate A and NS record changes.
  • Search for SSL certificates related to your domain and revoke any malicious certificates.
  • Validate the source IPs in OWA/Exchange logs.
  • Conduct an internal investigation to assess if attackers gained access to your environment.

For its part, the NCCIC offered similar advice and best practices.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.