The FireEye cyber security experts: A hacker group, probably with a nexus to Iran, is hijacking DNS in Middle East, North Africa, Europe and North America. The cyber espionage campaign is on an unprecedented scale and with a high degree of success
A hacker group, probably with a nexus to Iran, is hijacking DNS in Middle East, North Africa, Europe and North America. It has been detected by the FireEye cyber security experts. The cyber espionage campaign, that affected dozens of domains belonging to government, telecommunications and internet infrastructure entities, is on an almost unprecedented scale and with a high degree of success. It exploits traditional and innovative tactics, techniques and procedures (TTPs), compared to other Tehran’s cyber attacks. In particular the aggressors leverage DNS hijacking at scale for their initial foothold, which can then be exploited in a variety of ways, to enable victim compromises. One of these involves the creation of a Let’s Encrypt certificate and changing the A record, previously documented by Cisco’s TALOS team.
While the attribution of the cyber attacks is still ongoing, preliminary technical evidence allows to assess with moderate confidence that they are conducted by persons based in Iran and are aligned with Tehran’s interests
According to FireEye, the attribution analysis for this activity is ongoing. “While the DNS record manipulations are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers. Multiple clusters of this activity have been active from January 2017 to January 2019,” the company’s blog reports. “There are multiple, nonoverlapping clusters of actor-controlled domains and IPs used in this activity. A wide range of providers were chosen for encryption certificates and VPS hosts. Preliminary technical evidence allows to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iran government interests”. The cyber security experts identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IPs were previously observed during the response to a cyber attack attributed to Iranian cyber espionage actors.