DHS issues security alert about recent DNS hijacking attacks

DHS lays out four-step action plan for investigating DNS hacks and securing DNS management accounts.

The US Department of Homeland Security (DHS) has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran.

The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.

The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers (a sign that a malicious actor has hijacked a government domain's DNS records, and is now requesting TLS certificates in its).

The emergency directive comes after last week, the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division.

The DHS US-CERT alert was based on a report published last week by US cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies.

The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

According to Fireye, the supposed Iranian group changed DNS records for victim companies/agencies after hacking into web hosting or domain registrar accounts, where they modified the DNS records of official websites, pointing web traffic towards their malicious servers, and later redirecting the legitimate traffic to the victim's legitimate site after collecting login details.

According to a Cyberscoop report from earlier today, the DHS is currently aware of at least six civilian agency domains that have been impacted by DNS hijacking attacks. 

Now, DHS officials want to know the impact of this campaign on all US government agencies, and are giving agencies 10 business days (two weeks) to complete a four-step action plan detailed in the directive.

More security coverage: