Worldwide DNS Hijacking Attacks Rooted to Iran
For the past two years, regions such as North America, Europe, the Middle East and North Africa have been experiencing what security researchers call 'DNS hijacking'. The attack tricks victims into handing over important credentials, leading to major losses and a range of further security threats.
The ongoing DNS hijacking campaign has a proven record of harvesting personal details such as usernames, passwords and even domain credentials. Researchers recently found evidence indicating that the attacks were structured and directed from Iran.
The security company FireEye has reported that the attacks were launched mainly against government, telecom and internet infrastructure firms. It further explained that the attack was designed to intercept traffic from those firms and use it to harvest important user details.
The company's researchers indicated that the adversaries behind the attack were Iran-based cyber-espionage groups. The company has yet to pin down the true identity of the attackers, but it is confident that the attacks were being executed from Iran.
FireEye researchers Muks Hirani, Sarah Jones and Ben Read confirmed that “While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.”
As per the published report, the attacks were observed in clusters from January 2017 to January 2019. The company further stated that “This campaign has targeted victims across the globe on an almost unprecedented scale”. Moreover, “A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates.”
According to Alister Shepherd, MEA Director of Mandiant at FireEye, the campaign is still running and is affecting a large number of people and organizations. There is no exact count, but it is certainly massive. So far, researchers have identified three variants of the attack, which have affected dozens of domains.
Technique
According to the security researchers' analysis, the large-scale campaign relied on DNS hijacking, a form of malicious redirection. With this technique the attackers manipulate name resolution so that the user's queries end up at a domain name server the attackers control, in the process overriding the computer's transmission control protocol/internet protocol (TCP/IP) settings, generally by modifying a server's settings.
The researchers observed that, although the campaign involves some traditional methods, it is distinct from other Iranian activity seen in past large-scale DNS hijacking attacks. "The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways."
Methodology
The three methods used by the attacker are:
a) Using previously compromised credentials: The attacker logs into the DNS provider's administration panel using previously compromised credentials, likely obtained through phishing or similar techniques, and then changes the DNS A records to intercept traffic. Because an A record maps a logical domain name to the IP address of that domain's hosting server, the individual connecting to the domain becomes a victim of credential harvesting.
b) Logging into the admin panel: The attackers use a similar method (previously compromised credentials) to log into the admin panel, take over the victim's domain registrar account and change the DNS NS record. Because NS records specify which servers provide DNS service for the domain name, this lets the attacker divert traffic to an attacker-controlled server.
c) Using an operations box: The attackers install a DNS redirector, an operations box that responds to DNS requests and redirects traffic to attacker-maintained infrastructure.
Although the three methods differ, in each case a Let's Encrypt certificate (from a free, automated and open certificate authority) was used so that the connection raised no certificate error, which let the attackers make the desired changes without being noticed.
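As an added example (not code from the FireEye report), the following baseline comparison flags the A-record and NS-record changes described in methods a) and b) above; every domain, address and name server in it is constructed for illustration.

```python
# Added example: compare observed DNS record sets against a known-good
# baseline and flag the two zone-level manipulations described in the
# report (A record changed, NS record changed). All values are constructed.
from typing import Dict, List, Tuple

RecordSet = Dict[str, Dict[str, List[str]]]  # domain -> {"A": [...], "NS": [...]}

# Constructed baseline: what the organization expects its zone to contain.
BASELINE: RecordSet = {
    "mail.example.gov": {"A": ["198.51.100.10"], "NS": ["ns1.example.gov.", "ns2.example.gov."]},
    "vpn.example.gov":  {"A": ["198.51.100.20"], "NS": ["ns1.example.gov.", "ns2.example.gov."]},
}

# Constructed observation simulating the campaign: the mail host's A record now
# points at an attacker address (method a), and the vpn host's NS records were
# swapped at the registrar (method b).
OBSERVED: RecordSet = {
    "mail.example.gov": {"A": ["203.0.113.77"], "NS": ["ns1.example.gov.", "ns2.example.gov."]},
    "vpn.example.gov":  {"A": ["198.51.100.20"], "NS": ["ns1.attacker-dns.example.", "ns2.attacker-dns.example."]},
}

Finding = Tuple[str, str, List[str], List[str]]  # (domain, rtype, expected, actual)

def diff_records(baseline: RecordSet, observed: RecordSet) -> List[Finding]:
    """Return one finding per record set that differs from the baseline.
    Answer order and letter case are ignored; a domain missing from the
    observation is reported as every expected record type being absent."""
    findings: List[Finding] = []
    for domain, expected in baseline.items():
        actual = observed.get(domain, {})
        for rtype, exp_values in expected.items():
            act_values = actual.get(rtype, [])
            if sorted(v.lower() for v in exp_values) != sorted(v.lower() for v in act_values):
                findings.append((domain, rtype, sorted(exp_values), sorted(act_values)))
    return findings

def classify(finding: Finding) -> str:
    """Map a finding onto the record-manipulation methods named in the report."""
    rtype = finding[1]
    if rtype == "A":
        return "A record changed: traffic for this host may be intercepted (method a)"
    if rtype == "NS":
        return "NS record changed: the whole zone may be served by an attacker (method b)"
    return f"{rtype} record changed"

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED):
        print(f"{f[0]} {f[1]}: expected {f[2]}, got {f[3]} -> {classify(f)}")
```

Running the same comparison against answers from an external resolver, rather than from the authoritative server, will also surface a redirector box (method c) as an unexpected A answer.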
Motivation
According to the security researchers' observations, the attack was executed by a group or groups based in Iran in pursuit of Iranian government objectives: the sites and domains targeted so far include Middle Eastern governments, whose confidential information would be highly valuable to the Iranian government.
Moreover, Iranian IP addresses were found being used to access the machines that then intercepted and redirected network traffic, linking the attack directly to Iran.
It may be argued that an IP address is weak evidence for attributing an attack, but these IP addresses had previously been observed during the response to an intrusion attributed to Iranian cyber-espionage actors, which strengthens the case that the attacks were linked to Iran.
Evolution of Iran-based Attacks
The recent attack identified by FireEye researchers "showcases the continuing evolution in tactics from Iran-based actors," especially with respect to infrastructure. Looking back at earlier attacks, Cisco Talos researchers in November gave a detailed explanation of the infrastructure used in the DNS hijacking attacks of that time, which targeted Lebanon and the United Arab Emirates as well as a private Lebanese airline company.
That write-up noted that the attackers used the same IP address to redirect the DNS of legitimate .gov and private company domains and obtained Let's Encrypt certificates for the redirected domains. Based on the attacker indicators provided in the November blog, FireEye confirmed overlap with the limited information available on the current campaign so far.
Taken together, the technique, methodology, infrastructure and motivation make it clear that the attacks were launched by Iran-based hackers to obtain vital information in the interest of the Iranian government.