Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

The attacks, which may have been carried out by one or more threat groups, have been aimed at government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations located across the Middle East, North Africa, North America and Europe.

Clusters of activity have been observed by FireEye’s incident response and intelligence teams between January 2017 and January 2019. The security firm believes with “moderate confidence” that Iran is behind the attacks based on technical evidence and the fact that the campaign aligns with the interests of the Iranian government.

Its researchers discovered that the IP addresses used to access the devices that intercepted victims’ network traffic were associated with Iran. Moreover, some of those IPs were previously used in other attacks attributed to Iranian cyberspies.

The activity has not been linked to any previously known group, but FireEye noted that the campaign is different from other Iran-linked operations due to the use of DNS hijacking at scale.

According to FireEye, the attackers leveraged DNS hijacking for the initial foothold into the targeted organization’s network.

The hackers used three different methods to manipulate DNS records and intercept the victims’ traffic. One method involves logging into a DNS provider’s administration interface using compromised credentials and changing DNS A records in an effort to intercept email traffic. Another method involves changing DNS NS records after hacking into the victim’s domain registrar account.

In both cases the attackers used Let’s Encrypt certificates to avoid raising suspicion. Due to the way the attacks were set up, the victim was unlikely to see any changes and may have only noticed slight delays. A successful attack resulted in usernames, passwords and domain credentials being harvested by the hackers.

Advertisement. Scroll to continue reading.

A third DNS hijacking method observed by FireEye in these campaigns involved using a DNS redirector and previously altered A and NS records. In this case, users were redirected to attacker-controlled infrastructure.

FireEye says it’s still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.

“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action,” FireEye explained.

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Related: Linux.org Defaced via DNS Hijack

Related: BGP Hijacking Attacks Target US Payment Processors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.