Iran hackers hijack DNS to spy targets in Middle East, Africa, Europe and North America


The FireEye cyber security experts: a hacker group, probably with a nexus to Iran, is hijacking DNS in the Middle East, North Africa, Europe and North America. The cyber espionage campaign is on an unprecedented scale and has a high degree of success.

A hacker group, probably with a nexus to Iran, is hijacking DNS in the Middle East, North Africa, Europe and North America. It has been detected by the FireEye cyber security experts. The cyber espionage campaign, which affected dozens of domains belonging to government, telecommunications and internet infrastructure entities, is on an almost unprecedented scale and has a high degree of success. Compared with other Tehran cyber attacks, it exploits both traditional and innovative tactics, techniques and procedures (TTPs). In particular, the aggressors leverage DNS hijacking at scale for their initial foothold, which can then be exploited in a variety of ways to enable victim compromises. One of these involves the creation of a Let’s Encrypt certificate and changing the domain’s A record, a technique previously documented by Cisco’s TALOS team.
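The A-record redirection plus newly issued public-CA certificate described above is something a domain owner can watch for by diffing current DNS answers and served certificates against a known-good baseline. The following detector is an added example, not code from the article or from FireEye; the domain, IP addresses, name servers, issuer strings and fingerprints are all constructed placeholders.

```python
"""Added example: flag the DNS-hijacking pattern described in the article,
an A record moved to an unexpected host together with a freshly issued
certificate from a CA the domain owner never used. All values constructed."""
from dataclasses import dataclass


@dataclass
class Observation:
    domain: str
    a_records: set          # IPv4 answers returned by the resolver
    ns_records: set         # authoritative name servers for the zone
    cert_issuer: str        # issuer of the leaf certificate served on 443
    cert_fingerprint: str   # SHA-256 of that leaf certificate (placeholder)


# Constructed baseline of what the owner expects (documentation-range IPs).
BASELINE = {
    "mail.example.gov": Observation(
        "mail.example.gov", {"203.0.113.10"},
        {"ns1.example.gov", "ns2.example.gov"},
        "Example Corporate CA", "sha256:baseline-placeholder"),
}
ALLOWED_ISSUERS = {"Example Corporate CA"}


def check(observed: Observation, baseline: dict = BASELINE) -> list:
    """Return (severity, finding) tuples; an empty list means no deviation."""
    expected = baseline.get(observed.domain)
    if expected is None:
        return [("medium", "no baseline for %s" % observed.domain)]
    findings = []
    new_ips = observed.a_records - expected.a_records
    if new_ips:
        findings.append(("high", "A record now points at %s" % sorted(new_ips)))
    if observed.ns_records != expected.ns_records:
        findings.append(("high", "NS records changed"))
    cert_changed = observed.cert_fingerprint != expected.cert_fingerprint
    unexpected_ca = observed.cert_issuer not in ALLOWED_ISSUERS
    if cert_changed and unexpected_ca:
        findings.append(("high", "new cert from unexpected CA %s" % observed.cert_issuer))
    elif cert_changed:
        findings.append(("low", "certificate rotated by an approved CA"))
    # The article's TTP: A record redirected AND a new public-CA certificate.
    if new_ips and cert_changed and unexpected_ca:
        findings.append(("critical", "A-record hijack with attacker-issued cert"))
    return findings


def demo() -> list:
    """Constructed observation matching the hijack pattern; returns findings."""
    hijacked = Observation("mail.example.gov", {"198.51.100.7"},
                           {"ns1.example.gov", "ns2.example.gov"},
                           "Let's Encrypt", "sha256:new-placeholder")
    return check(hijacked)
```

Run it against the output of your own resolver queries and TLS probes; an unchanged NS set with a changed A record, as in `demo()`, is exactly the registrar- or zone-level change the article describes.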

While attribution of the cyber attacks is still ongoing, preliminary technical evidence allows FireEye to assess with moderate confidence that they are conducted by persons based in Iran and are aligned with Tehran’s interests.

According to FireEye, the attribution analysis for this activity is ongoing. “While the DNS record manipulations are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers. Multiple clusters of this activity have been active from January 2017 to January 2019,” the company’s blog reports. “There are multiple, nonoverlapping clusters of actor-controlled domains and IPs used in this activity. A wide range of providers were chosen for encryption certificates and VPS hosts. Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iran government interests.” The cyber security experts identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator on its own, these IPs were previously observed during the response to a cyber attack attributed to Iranian cyber espionage actors.