Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

The attacks, which may have been carried out by one or more threat groups, have been aimed at government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations located across the Middle East, North Africa, North America and Europe.

Clusters of activity have been observed by FireEye’s incident response and intelligence teams between January 2017 and January 2019. The security firm believes with “moderate confidence” that Iran is behind the attacks based on technical evidence and the fact that the campaign aligns with the interests of the Iranian government.

Its researchers discovered that the IP addresses used to access the devices that intercepted victims’ network traffic were associated with Iran. Moreover, some of those IPs were previously used in other attacks attributed to Iranian cyberspies.

The activity has not been linked to any previously known group, but FireEye noted that the campaign is different from other Iran-linked operations due to the use of DNS hijacking at scale.

According to FireEye, the attackers leveraged DNS hijacking for the initial foothold into the targeted organization’s network.

The hackers used three different methods to manipulate DNS records and intercept the victims’ traffic. One method involves logging into a DNS provider’s administration interface using compromised credentials and changing DNS A records in an effort to intercept email traffic. Another method involves changing DNS NS records after hacking into the victim’s domain registrar account.

In both cases the attackers used Let’s Encrypt certificates to avoid raising suspicion. Due to the way the attacks were set up, the victim was unlikely to see any changes and may have only noticed slight delays. A successful attack resulted in usernames, passwords and domain credentials being harvested by the hackers.

A third DNS hijacking method observed by FireEye in these campaigns involved using a DNS redirector and previously altered A and NS records. In this case, users were redirected to attacker-controlled infrastructure.

FireEye says it’s still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.

“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action,” FireEye explained.

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Related: Defaced via DNS Hijack

Related: BGP Hijacking Attacks Target US Payment Processors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.