Iran implicated in DNS hijacking campaign around the world

FireEye researchers investigating a DNS hijacking campaign against governments and telecom companies said those who are potential targets of Iran should take precautions.

Security researchers have identified a global DNS hijacking campaign, which they say is likely the work of Iranian hackers.

According to researchers from FireEye's Mandiant Incident Response and Intelligence team, the DNS hijacking campaign targeted entities for the past two years across the Middle East and North Africa, Europe and North America "on an almost unprecedented scale, with a high degree of success."

FireEye said the DNS hijacking campaign manipulated DNS records -- some evidence of which Cisco Talos had observed previously -- and used DNS redirectors to attack "telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities." Based on the entities targeted and the IP addresses of the attackers, FireEye wrote in a blog post it could "assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests."

Kris Beevers, co-founder and CEO of NS1, a managed DNS service provider, said the campaign counted on "victims not using the most basic, best security practices."

"The global DNS hijacking attack reported by FireEye is noteworthy for many reasons, one of which is that they are very simple attacks," Beevers said. "The bad actors in these attacks take over logins to the DNS providers and registrants and manipulate DNS records. Cybercriminals can perform these and other DNS-focused attacks easily and at a low cost."

Iran attribution

Ben Read, senior manager of cyber espionage analysis at FireEye, told SearchSecurity that FireEye could only claim "moderate confidence" in attributing the DNS hijacking campaign to Iran because IP address location is a "relatively weak indicator." Read said it can be misleading, but the evidence gets stronger when you "add that to the victims that were targeted, which were almost all governments and telecoms."

"That helps to exclude the cybercrime angle because although there are cybercriminals who operate from Iran -- you saw that with the SamSam ransomware a couple months ago -- it points to motivation," Read said. "If you're going to do this technique, compromising governments isn't a good way to make money with it. The governments targeted were in the Middle East and would be of interest to Iran. They are places perceived to be adversaries or places where Iran would focus its foreign policy."

Peter Tran, vice president and head of global cyber defense and security strategy at Worldpay Inc., based in London, said the evidence shouldn't be taken as "an open and shut case to a single nation-state" and said a combination of human intelligence, open source intelligence and technical analysis is necessary "to raise the confidence level for reliable attribution."

"Credibility is king when it comes to attribution analysis and researchers need to be careful about 'leap of faith' analysis based on low to moderate confidence and limited sources and/or hard data," Tran said. "Far too often analysts become myopic and want to believe and the end result is no better than clickbait intelligence based on historical observations with underqualified broad assumptions."

Read admitted that FireEye does not employ human intelligence practices at all for its assessments, and that there are other countries that might have the same interests and could be pretending to be Iran. FireEye thinks that's less likely, Read said, but that possibility dropped the confidence in the Iran attribution.

"It doesn't make good headlines, but we're writing this for organizations trying to protect against these things. If you're a country or a government or an organization that's previously been targeted by an Iranian group, you should be more worried about this than somebody in Southeast Asia whose primary threat might be a Chinese group," Read said. "The reason we do attribution is to help our clients and the general public to be able to prioritize these threats. It would be great if we all had enough money to defend against every threat robustly, but people don't so you have to choose what you prioritize."

Read said the major takeaway he wanted organizations to consider was ensuring that information is being protected, not just a network.

"Your information may be being accessed when it's outside your network, which is not something that's at the forefront of people's minds in terms of defending your information," Read said. "In terms of the practical remediation, double checking that control of your DNS records has two-factor authentication. Anything that has access to something as fundamental as where your company exists on the internet -- which is what DNS essentially says -- should have that scrutiny."

Beevers suggested that organizations should enable DNSSEC and sign zones in addition to enabling multifactor authentication on DNS and registrar logins and monitoring DNS activity logs.

"DNSSEC operates by offering a mechanism for recursive DNS resolvers to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user," Beevers said.
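To make the record-monitoring advice above concrete, here is an added example (not the article's, FireEye's or NS1's code) that diffs a constructed baseline snapshot of a zone against a later snapshot and flags changed A/AAAA/NS/MX record sets, plus any name whose resolver answers stopped carrying the DNSSEC-validated (AD) bit; the zone names, addresses and AD flags are constructed placeholders.

```python
# Added example: DNS record drift check of the kind a hijack would trip.
# Compares a trusted baseline snapshot of a zone with a fresh snapshot (both
# constructed here; in practice the fresh one comes from scheduled queries of
# each authoritative server) and reports changed A/AAAA/NS/MX record sets plus
# any name whose answers stopped validating under DNSSEC.
from dataclasses import dataclass

WATCHED_TYPES = {"A", "AAAA", "NS", "MX"}  # types whose manipulation redirects traffic

@dataclass(frozen=True)
class Finding:
    severity: str
    name: str
    rtype: str
    detail: str

def diff_snapshots(baseline, current):
    """Each snapshot maps (owner name, rtype) -> frozenset of rdata strings."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        if rtype not in WATCHED_TYPES:
            continue
        old = baseline.get(key, frozenset())
        new = current.get(key, frozenset())
        if old != new:
            # A changed NS set hands the whole zone to another operator.
            sev = "critical" if rtype == "NS" else "high"
            findings.append(Finding(sev, name, rtype, f"{sorted(old)} -> {sorted(new)}"))
    return findings

def check_dnssec(ad_flags):
    """Flag names whose resolver answers lost the AD (authenticated data) bit."""
    return [Finding("high", name, "DNSSEC", "answer no longer validates")
            for name, ad in sorted(ad_flags.items()) if not ad]

# Constructed sample data (not from the article): a baseline zone and a later
# snapshot in which the mail host now resolves to an unrelated address.
BASELINE = {
    ("mail.example.test.", "A"): frozenset({"192.0.2.10"}),
    ("example.test.", "NS"): frozenset({"ns1.example.test.", "ns2.example.test."}),
    ("example.test.", "MX"): frozenset({"10 mail.example.test."}),
    ("example.test.", "TXT"): frozenset({"v=spf1 -all"}),
}
CURRENT = dict(BASELINE)
CURRENT[("mail.example.test.", "A")] = frozenset({"198.51.100.7"})
AD_FLAGS = {"mail.example.test.": False, "example.test.": True}
if __name__ == "__main__":
    for f in diff_snapshots(BASELINE, CURRENT) + check_dnssec(AD_FLAGS):
        print(f"[{f.severity}] {f.name} {f.rtype}: {f.detail}")
```

In a real deployment the baseline is refreshed only through the change-control process, so any drift the check reports is either an unauthorised change or an out-of-band edit that itself deserves a look.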
