Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

A DNS hijacking campaign targeting organizations in various sectors around the world may be the work of the Iranian government, FireEye reported on Wednesday.

The attacks, which may have been carried out by one or more threat groups, have been aimed at government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations located across the Middle East, North Africa, North America and Europe.

Clusters of activity have been observed by FireEye’s incident response and intelligence teams between January 2017 and January 2019. The security firm believes with “moderate confidence” that Iran is behind the attacks based on technical evidence and the fact that the campaign aligns with the interests of the Iranian government.

Its researchers discovered that the IP addresses used to access the devices that intercepted victims’ network traffic were associated with Iran. Moreover, some of those IPs were previously used in other attacks attributed to Iranian cyberspies.

The activity has not been linked to any previously known group, but FireEye noted that the campaign is different from other Iran-linked operations due to the use of DNS hijacking at scale.

According to FireEye, the attackers leveraged DNS hijacking for the initial foothold into the targeted organization’s network.

The hackers used three different methods to manipulate DNS records and intercept the victims’ traffic. One method involves logging into a DNS provider’s administration interface using compromised credentials and changing DNS A records in an effort to intercept email traffic. Another method involves changing DNS NS records after hacking into the victim’s domain registrar account.

In both cases the attackers used Let’s Encrypt certificates to avoid raising suspicion. Due to the way the attacks were set up, the victim was unlikely to see any changes and may have only noticed slight delays. A successful attack resulted in usernames, passwords and domain credentials being harvested by the hackers.

A third DNS hijacking method observed by FireEye in these campaigns involved using a DNS redirector and previously altered A and NS records. In this case, users were redirected to attacker-controlled infrastructure.

FireEye says it’s still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.

“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action,” FireEye explained.

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Related: Defaced via DNS Hijack

Related: BGP Hijacking Attacks Target US Payment Processors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona