A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.
The attacks, which may have been carried out by one or more threat groups, have been aimed at government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations located across the Middle East, North Africa, North America and Europe.
Clusters of activity have been observed by FireEye’s incident response and intelligence teams between January 2017 and January 2019. The security firm believes with “moderate confidence” that Iran is behind the attacks based on technical evidence and the fact that the campaign aligns with the interests of the Iranian government.
Its researchers discovered that the IP addresses used to access the devices that intercepted victims’ network traffic were associated with Iran. Moreover, some of those IPs were previously used in other attacks attributed to Iranian cyberspies.
The activity has not been linked to any previously known group, but FireEye noted that the campaign is different from other Iran-linked operations due to the use of DNS hijacking at scale.
According to FireEye, the attackers leveraged DNS hijacking for the initial foothold into the targeted organization’s network.
The hackers used three different methods to manipulate DNS records and intercept the victims’ traffic. One method involves logging into a DNS provider’s administration interface using compromised credentials and changing DNS A records in an effort to intercept email traffic. Another method involves changing DNS NS records after hacking into the victim’s domain registrar account.
In both cases the attackers used Let’s Encrypt certificates to avoid raising suspicion. Due to the way the attacks were set up, the victim was unlikely to see any changes and may have only noticed slight delays. A successful attack resulted in usernames, passwords and domain credentials being harvested by the hackers.
A third DNS hijacking method observed by FireEye in these campaigns involved using a DNS redirector and previously altered A and NS records. In this case, users were redirected to attacker-controlled infrastructure.
FireEye says it’s still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.
“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action,” FireEye explained.
Related: Linux.org Defaced via DNS Hijack