Alleged Iran-linked APT groups behind global DNS Hijacking campaign

Pierluigi Paganini January 10, 2019

Security experts uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspect Iranian APT groups are behind it.

Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According to the experts, the campaign is carried out, with “moderate confidence,” by APT groups linked to the Iranian Government.

“FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.” reads the report published by FireEye.

“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.”

Experts monitored the activities of threat actors between January 2017 and January 2019.

Working with victims, the security firm collected evidence linking the campaign to Iran: the tactics, techniques and procedures (TTPs) and the targeting are aligned with those of Iranian APT groups. FireEye also worked closely with victims, security organizations and law enforcement agencies where possible to reduce the impact of the attacks and prevent further compromises.

FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.

The attackers are not financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.

FireEye also notes that this campaign differs from other operations attributed to Iranian APT groups in its use of DNS hijacking at scale.

“While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale.” continues the analysis published by FireEye.

“The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways.”

Attackers used three different ways to manipulate DNS records to enable victim compromises.

In the first technique, the attackers log into a DNS provider’s administration interface with compromised credentials and change the DNS A records so that email traffic is routed through infrastructure they control and can be intercepted.

[Figure: DNS hijacking technique 1]

In the second technique, the attackers compromise the victim’s domain registrar account and change the domain’s DNS NS records, redirecting the whole zone to name servers under their control.

[Figure: DNS hijacking technique 2]

In both cases, the attackers leverage Let’s Encrypt certificates to avoid raising suspicion and establish a connection without any certificate errors.

“The Let’s Encrypt Certificate allows the browsers to establish a connection without any certificate errors as Let’s Encrypt Authority X3 is trusted.” continue the researchers.

With these techniques, attackers are able to harvest usernames, passwords and domain credentials.

The third technique involves a DNS redirector used together with previously altered A and NS records to send victims’ traffic to infrastructure controlled by the attackers.

[Figure: DNS hijacking technique 3]
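The three techniques above all leave the same footprint for a defender: a zone’s A, MX or NS records no longer match what the organization expects, often paired with a newly issued certificate for the redirected name. The following script is an added example written for this article, not code from FireEye or from the report, and it models that detection. It compares a stored baseline of a zone’s records with a fresh snapshot, checks a Certificate Transparency-style feed for certificates issued by a CA the organization does not use, and raises the priority of names that show both signals. The domain, IP addresses, name servers and issuer allow-list are constructed placeholders, and the record snapshots are embedded inline rather than resolved live.

```python
"""Baseline-drift detector for DNS records and certificate issuance.

Added example modelling the defender's view of the DNS hijacking
techniques described in the article. Every value below is constructed
sample data; the domain, addresses and issuer names are placeholders.
"""
from dataclasses import dataclass

# Constructed baseline: what the organisation expects its zone to contain.
BASELINE = {
    "example.org": {
        "A":  {"198.51.100.10"},
        "MX": {"mail.example.org."},
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    },
    "mail.example.org": {"A": {"198.51.100.25"}},
}

# Constructed snapshot resembling techniques 1 and 2 from the article:
# the mail host's A record now points elsewhere (technique 1) and the
# zone's NS delegation has been replaced (technique 2).
SNAPSHOT = {
    "example.org": {
        "A":  {"198.51.100.10"},
        "MX": {"mail.example.org."},
        "NS": {"ns1.attacker-ns.invalid.", "ns2.attacker-ns.invalid."},
    },
    "mail.example.org": {"A": {"203.0.113.77"}},
}

# Constructed CT-style entries as (name, issuer). Assumption: the
# organisation only ever obtains certificates from "Example Corp CA".
CT_ENTRIES = [
    ("mail.example.org", "Example Corp CA"),
    ("mail.example.org", "Let's Encrypt Authority X3"),
    ("www.example.org", "Example Corp CA"),
]
EXPECTED_ISSUERS = {"Example Corp CA"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    detail: str


def diff_records(baseline, snapshot):
    """Return one Finding per record set that differs from the baseline."""
    findings = []
    for name, rrsets in baseline.items():
        observed = snapshot.get(name, {})
        for rtype, expected in rrsets.items():
            seen = observed.get(rtype, set())
            if seen != expected:
                added = sorted(seen - expected)
                removed = sorted(expected - seen)
                findings.append(
                    Finding(name, rtype, f"added={added} removed={removed}"))
    return findings


def unexpected_certs(entries, expected_issuers):
    """Return (name, issuer) pairs whose issuer is not on the allow-list."""
    return [(n, i) for n, i in entries if i not in expected_issuers]


def triage(baseline, snapshot, ct_entries, expected_issuers):
    """Combine both checks. A DNS change and a fresh certificate for the
    same name is the pairing the article describes, so those names are
    reported separately as high priority."""
    dns = diff_records(baseline, snapshot)
    certs = unexpected_certs(ct_entries, expected_issuers)
    changed = {f.name for f in dns}
    cert_names = {n for n, _ in certs}
    return {
        "dns_findings": dns,
        "cert_findings": certs,
        "high_priority": sorted(changed & cert_names),
    }


if __name__ == "__main__":
    report = triage(BASELINE, SNAPSHOT, CT_ENTRIES, EXPECTED_ISSUERS)
    for f in report["dns_findings"]:
        print(f"DNS drift: {f.name} {f.rtype}: {f.detail}")
    for name, issuer in report["cert_findings"]:
        print(f"Unexpected certificate for {name} from {issuer}")
    print("High priority:", report["high_priority"])
```

In practice the snapshot should be gathered from outside the organization (public resolvers and the parent zone’s delegation), because an NS change made at the registrar is visible only in the parent’s delegation, not in the zone the organization still hosts. Publishing CAA records naming the CAs the organization actually uses gives the certificate check a stronger footing, since compliant CAs will refuse to issue for the name otherwise.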

FireEye says it is still trying to determine the exact attack vector behind the DNS record modifications, but believes multiple techniques, including phishing, may have been used.

For now it is not possible to tie each record change to a single intrusion vector; the experts believe the attackers employed several techniques to gain an initial foothold in the victims’ infrastructure.

“Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.” concludes FireEye.

“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action,” 


Pierluigi Paganini

(SecurityAffairs – Iran, DNS hijacking)
