Iranian hackers suspected in worldwide DNS hijacking campaign

Mysterious group hijacks DNS records to reshape and hijack a company's internal traffic to steal login credentials.

US cybersecurity firm FireEye has uncovered an extremely sophisticated hacking campaign during which a suspected Iranian group redirected traffic from companies all over their globe through their own malicious servers, recording company credentials for future attacks.

Affected organizations include telecoms, ISPs, internet infrastructure providers, government, and sensitive commercial entities across the Middle East, North Africa, Europe, and North America.

FireEye analysts believe an Iranian-based group is behind the attacks, although there is no definitive proof for exact attribution just yet.

Researchers said the entities targeted by the group have no financial value, but they would be of interest to the Iranian government.

Analysts also said they found that some of the victims' infrastructure were accessed during these attacks by Iranian IP addresses that have been previously observed while FireEye responded to other attacks --which were attributed to Iranian cyber-espionage actor in the past.

In a technical report released today, FireEye provides an insight into these attacks, which have been happening since at least January 2017.

The FireEye analysts behind this report described the scope and impact of this campaign on Twitter as "huge."

Attackers didn't just spear-phish victims to collect email credentials, like most cyber-espionage groups tend to do, but instead modified DNS records for company IT resources to reshape internet traffic inside organizations and hijack the parts they wanted.

FireEye says it identified three different techniques used for these attacks, each just as complex as the next:

Technique 1: Attackers change DNS records for victim's mail server to redirect it to their own email server. Attackers also use Let's Encrypt certificates to support HTTPS traffic, and a load balancer to redirect victims back to the real email server after they've collected login credentials from victims on their shadow server.

iran-dns-hijacking-1.png

Image: FireEye

Technique 2: Same as the first, but the difference is where the company's legitimate DNS records are being modified. In the first technique, attackers changed DNS A records via an account at a managed DNS provider, while in this technique attackers changed DNS NS records via a TLD (domain name) provider account.

iran-dns-hijacking-2.png

Image: FireEye

Technique 3: Sometimes also deployed as part of the first two techniques. This relies on deploying an "attacker operations box" that responds to DNS requests for the hijacked DNS record. If the DNS request (for a company's mail server) comes from inside the company, the user is redirected to the malicious server operated by attackers, but if the request comes from outside the company, the request is directed to the real email server.

iran-dns-hijacking-3.png

Image: FireEye

All these attacks rely on the attackers' ability to change a company's DNS records, which very few people inside a company can do.

This often requires access to accounts at domain registrars, companies that provide managed DNS services, or on internal DNS servers, a company might be running.

"While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account," FireEye said, clarifying that its investigation into this global hacking campaign is still very much ongoing.

The US cyber-security firm also pointed out that this type of attack is very hard to defend against because attackers are not accessing a company's internal network in most cases, and aren't likely to trigger alarms with local security software.

The first steps to fight against this attacks, as FireEye recommends, is to enable two-factor authentication for DNS and TLD management accounts, and then set up alerts for any changes to DNS A or NS records changes.

More cybersecurity news: