DNS hijacking campaign traced back to Iran

• A recent DNS hijacking campaign which targeted organizations globally is believed to be by threat actors from Iran.
• DNS hijacking attacks affected commercial entities, government agencies, Internet infrastructure providers, and telecommunications providers across North America, North Africa, and the Middle East.

A recent DNS hijacking campaign has been successful in targeting organizations globally. The series of attacks affected commercial entities, government agencies, Internet infrastructure providers, and telecommunications providers across North America, North Africa, and the Middle East.

Researchers believe that a group operating out of Iran to be responsible for the DNS hijacking attacks. Researchers from FireEye have been tracking the DNS attacks for the last several months. They published a blog based on their analysis on January 9, 2019.

“We have so far not been able to attribute the attacks to any particular threat group. However, available evidence including IP addresses and the machines used to intercept, record, and forward network traffic suggests the attacker is based in Iran,” researchers said.

The Three Techniques

Researchers said that the attackers have manipulated DNS records with at least three different methods.

• In the first technique, the attackers modified the ‘DNS A’ records that are used for mapping domain names to IP addresses, so the traffic bound for one domain gets redirected via the domain controlled by the attackers.
• In the second technique, the attackers modified the ‘DNS NS’ records and pointed a victim organization's nameserver record to a domain controlled by attackers.
• The third technique uses a combination of the previous two techniques, to return legitimate IP addresses for users outside the targeted domains.

“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account,” FireEye explained in the blog.