Iran Regime Hackers Hijacking DNS on Global Scale

By Staff Writer

Domain Name Servers (DNS) are the internet’s version of an address book. DNS servers allow us to use human-readable names to access websites, by translating those names to IP addresses that access the websites. The DNS server acts as the translator between the hostname and IP address.

In a report published Thursday, Cyber security giant, FireEye, said that a new series of DNS hijacking attacks have been identified that have “a nexus to Iran.” Security researchers say that the attacks successfully targeted organizations globally.

By hijacking Domain Name Servers hackers compromise the underlying technology that governs how the web functions to exploit weaknesses in site domain names. A DNS hijack allows hackers to insert themselves between a victim’s Internet site and any user of that site, and collect all information on the site. The information would give the attacker access to the user’s emails — and a route into the user’s own network.

Domains run by government, telecommunications, and internet infrastructure located in the Middle East, North Africa, Europe, and North America have been compromised, as DNS records were changed to direct users to domains where email credentials were stolen.

Cyber security giant, FireEye, first spotted activity in January 2017, and has now observed three attack methods:

1. Using compromised credentials to log-in to a DNS provider’s administration panel with the aim of changing DNS records.

2. Exploiting a previously compromised registrar or ccTLD to change DNS nameserver (NS) records.

3. A combination of the previous two, to return legitimate IP addresses for users outside the targeted domains.

According to FireEye, a “large number” of DNS/SSL cert firms had been affected by these attacks, including telcos, ISPs, infrastructure providers and governments.

“It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors are using multiple techniques to gain an initial foothold into each of the targets described above,” they explained.

“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.”

The type of organizations and users targeted by the cyber-espionage itself is still unclear, but FireEye claimed they include “Middle Eastern governments whose confidential information would be of interest to the Iranian regime and have relatively little financial value.”

The attackers used IP addresses that were previously associated with Iranian regime’s raids, so FireEye felt confident in attributing the campaign to Tehran.

Back to top button