Iranian hackers have been busy lately, ramping up an array of targeted attacks across the Middle East and abroad. And a report this week from the threat intelligence firm FireEye details a massive global data-snatching campaign, carried out over the last two years, that the firm has preliminarily linked to Iran.
Using a classic tactic to undermine data security as it moves across the web, hackers have grabbed sensitive data like login credentials and business details from telecoms, internet service providers, government organizations, and other institutions in the Middle East, North Africa, Europe, and North America. FireEye researchers say the targets and types of data stolen are consistent with Iranian government espionage interests—and that whoever is behind the massive assault now has a trove of data that could fuel future cyberattacks for years.
“It’s consistent with what we’ve seen Iran do before and the signs point there, but we just wanted to get this out because it is affecting dozens of entities,” says Ben Read, senior manager of cyber-espionage analysis at FireEye. “We have not seen the last of this.”
To siphon off so much sensitive data from dozens of targets, the attackers have used variations on the technique known as DNS hijacking. This method takes advantage of weaknesses in the foundational protocols underpinning the internet to divert data into the hands of attackers.
“The Iranians aren’t going through this amount of work just for the fun of it.”
Dave Aitel, Cyxtera
When you load a website in a browser or use a web service, you receive the right content from the right web server because of a behind-the-scenes process of “Domain Name System” checks. Essentially the internet version of phonebook lookups, DNS servers reveal the path a browser or service needs to take to connect with its intended destination.
Think of it this way: If you change other numbers in the phonebook to your own, or manipulate infrastructure so a bunch of other numbers also ring on your line, you can listen in on all sorts of calls without your targets necessarily realizing that anything is wrong.
In the case of the massive DNS hijacking spree FireEye found, hackers have been manipulating DNS records since January 2017 to intercept email data, usernames, passwords, and details about organizations’ web domains.
The technique itself isn’t novel; attackers have exploited DNS hijacking for years, and the security research community has known about the possibility of it for decades. But FireEye’s Read points out that the approach has gotten even more popular recently as awareness about the need for cybersecurity defense has grown and institutions have made progress locking their networks down. DNS hijacking is a relatively easy way to still access internal data without ever needing to actually get inside an organization’s systems.
“What they’re after is the information,” Read says. “They don’t really care where they get it from.”
Iranian hackers have steadily ramped up their digital intelligence-gathering operations over the last five years, targeting everything from government information to intellectual property and data from research universities. They often use refined spear phishing attacks in these campaigns to grab credentials and penetrate networks. But when that isn’t feasible or doesn’t work, DNS hijacking may be filling in gaps and furnishing more obscure credentials.
To help protect against a DNS hijacking attack, FireEye suggests that organizations should monitor mail server certificates and check where their domains are really pointing to help catch fishy behavior. “It implies that nobody is keeping track when certs change,” Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, says of the findings. And though attackers take advantage of these open doors wherever they can, the work they put into finessing targeted attacks still hints at the value of the data that comes out of them. “The Iranians aren’t going through this amount of work just for the fun of it,” Aitel says.
Other threat intelligence research groups, including Cisco Talos, have previously detected various components of the malicious campaign. And FireEye emphasizes that DNS hijacking campaigns are difficult to get a handle on, because it can be hard to tell how attackers were able to manipulate particular DNS records and the extent of the data compromised.
All the more reason that this hacking spree could be the progenitor of numerous future attacks.
“We have not even uncovered the full scope of this specific campaign,” Read says. “Even after we published our blog post we found new domains that had apparently been hijacked since.”