An unknown actor with “a nexus to Iran” is hijacking aspects of the internet’s infrastructure to target the traffic of government and telecommunications organizations around the world, according to research published by FireEye on Wednesday.
Researchers say the perpetrator is using sophisticated methods to manipulate Domain Name System (DNS) records, diverting the targets’ traffic through malicious servers. DNS is a behind-the-scenes system that links domain names to the actual IP addresses where the user’s intended web destination lies.
The identity of the attacker remains unclear. Researchers said they’ve observed the campaign in “multiple clusters” between January 2017 and January 2019.
Researchers observed at least three different techniques to hijack targets’ traffic. The methods involve using compromised credentials for the target’s DNS administration panels or domain registrar accounts in order to change DNS records, redirecting the victims’ traffic through malicious IP addresses.
FireEye says the attackers also use legitimate-looking certificates on their servers to avoid detection.
The Department of Homeland Security issued an alert about the campaign on Thursday, referencing FireEye’s research. The alert said the National Cybersecurity and Communications Integration Center (NCCIC) is aware of the attacks and urged network administrators to take precautions like using two-factor authentication, verifying their DNS systems are pointing to the right IP addresses and revoking malicious certificates.
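One way to act on the DHS advice to verify that DNS records still point where they should, written here as an added example (not FireEye’s or DHS’s code): compare a snapshot of observed records against a known-good baseline and report every divergence, ranking a changed NS record above a changed host address. All zone names, addresses and records below are constructed samples.

```python
import socket

# Constructed baseline: records the administrator knows to be correct,
# keyed by (owner name, record type) with record data as a set of strings.
EXPECTED_BASELINE = {
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("mail.example.test", "A"): {"203.0.113.10"},
    ("vpn.example.test", "A"): {"203.0.113.20"},
}

# A changed NS record hands over the whole zone; a changed A or MX record
# redirects one host or the mail flow, so they are ranked below it.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high"}

def diff_records(expected, observed):
    """Return one finding per (name, type) whose observed records differ
    from the baseline: which legitimate records vanished and which
    unexpected ones appeared. An empty list means everything matches."""
    findings = []
    for (name, rtype), want in sorted(expected.items()):
        got = set(observed.get((name, rtype), ()))
        if got == want:
            continue
        findings.append({
            "name": name,
            "type": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "missing": sorted(want - got),
            "unexpected": sorted(got - want),
        })
    return findings

def snapshot_a_records(names):
    """Collect live A records through the system resolver (needs network);
    a name that fails to resolve yields an empty set, which the diff then
    reports as every baseline address missing."""
    observed = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            observed[(name, "A")] = {info[4][0] for info in infos}
        except socket.gaierror:
            observed[(name, "A")] = set()
    return observed

# Constructed snapshot in which the mail host now resolves to a foreign address.
HIJACKED_SNAPSHOT = dict(EXPECTED_BASELINE)
HIJACKED_SNAPSHOT[("mail.example.test", "A")] = {"198.51.100.77"}
```

Running `diff_records(EXPECTED_BASELINE, snapshot_a_records([...]))` on a schedule and alerting on any non-empty result gives the periodic check the alert calls for; the same comparison works for NS and MX data exported from the registrar or DNS provider.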
FireEye researchers still aren’t sure how the attackers have managed to get to the point where they can easily divert traffic. The report suggests they’ve used different vectors to first gain a presence on the victims’ DNS systems. Methods include phishing attacks that steal credentials for those systems beforehand, compromising the victims’ domain registrar accounts, and others.
FireEye says the campaign targets organizations in the Middle East, North Africa, Europe and North America. They include internet service and infrastructure providers, governments and “sensitive commercial entities,” the researchers said.
“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors,” the report says.
The campaign’s link to Iran, which the researchers assert “with moderate confidence,” is based on the observation of IP addresses involved in past campaigns attributed to “Iranian cyber espionage actors,” the report says. Additionally, the information being compromised “would be of interest to the Iranian government and have relatively little financial value.”
The report says that while the campaign shows sophistication of methods, “they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.”
FireEye includes technical advice in its report for how to protect against this type of attack, but says that it can be tricky because the attacker doesn’t necessarily have to compromise the victim’s own network to steal critical information.
UPDATE, 5:54 p.m., EDT 01/10/19: This story has been updated to include an alert from the Department of Homeland Security.