A recent DNS hijacking campaign has been successful in targeting organizations globally. The series of attacks affected commercial entities, government agencies, Internet infrastructure providers, and telecommunications providers across North America, North Africa, and the Middle East.
Researchers believe that a group operating out of Iran is responsible for the DNS hijacking attacks. Researchers from FireEye have been tracking the DNS attacks for the last several months and published a blog post based on their analysis on January 9, 2019.
“We have so far not been able to attribute the attacks to any particular threat group. However, available evidence including IP addresses and the machines used to intercept, record, and forward network traffic suggests the attacker is based in Iran,” researchers said.
The Three Techniques
Researchers said that the attackers have manipulated DNS records with at least three different methods.
“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account,” FireEye explained in the blog.