January 12, 2019
The National Cybersecurity and Communications Integration Center of the Department of Homeland Security has just issued an alert regarding a newly reported hacking spree that targets any unprotected information. The alert was based on a recent report published by the cybersecurity firm FireEye.
According to FireEye’s report, hackers are using a well-known tactic for undermining data as it flows across the internet. This allowed them to capture all kinds of information, including sensitive data such as business details and login credentials, as well as information belonging to governments, ISPs, telecoms, and many others. The report also claims that the attack is not focused on a single region; instead it affects the entire world.
FireEye’s senior manager of cyber-espionage analysis, Ben Read, stated that this is an attack that aims to collect as much information as possible. Any information will do, and hackers do not care where they will get it from, or who will be affected.
How does the attack work?
According to researchers, hackers are using a technique called DNS hijacking, a method that exploits flaws in the foundational protocols which underpin the internet. By doing this, they are redirecting data towards themselves.
To put it simply, whenever internet users go online and visit a website, DNS (Domain Name System) lookups are performed in the background. That is how the internet delivers the information the user requested. By changing where the user’s traffic is sent, hackers can obtain information that would otherwise be unobtainable.
In other words, they are modifying internet traffic within various organizations in order to steal as much sensitive data as possible. To do this, they use three methods — changing DNS records so that the victim’s traffic is routed to a hacker-controlled server, modifying the DNS records in a second way, and deploying a third method that combines the other two.
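The defensive counterpart to the record tampering described above is a baseline check: record what a domain’s DNS entries should be, look them up regularly, and raise an alert when they change. The following is an added example, not code from FireEye or DHS; it assumes the records being watched are A records (host addresses) and NS records (the zone’s delegated name servers), and the domains and addresses are constructed sample data.

```python
"""Baseline comparison of DNS records to flag the kind of tampering the
article describes: a domain's records silently changed so that traffic
is routed to a server the attacker controls."""
from dataclasses import dataclass

# Record types this example checks (assumption: A for host addresses,
# NS for the zone's delegated name servers).
CHECKED_TYPES = ("A", "NS")


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str


def compare_records(domain, baseline, observed):
    """Return one Finding per record type whose observed value set differs
    from the baseline. `baseline` and `observed` map rtype -> iterable of
    record values; hostnames are compared case-insensitively and without
    a trailing dot."""
    findings = []
    for rtype in CHECKED_TYPES:
        exp = frozenset(v.lower().rstrip(".") for v in baseline.get(rtype, ()))
        obs = frozenset(v.lower().rstrip(".") for v in observed.get(rtype, ()))
        if exp == obs:
            continue
        # A changed NS record hands the whole zone to whoever runs the new
        # servers, so it ranks above a single changed A record.
        severity = "high" if rtype == "NS" else "medium"
        findings.append(Finding(domain, rtype, exp, obs, severity))
    return findings


# Constructed sample data: the baseline an operator recorded earlier, and a
# later lookup in which the A record now points at an unexpected address and
# one name server has been swapped out (addresses are documentation ranges).
BASELINE = {"mail.example.com": {"A": ["203.0.113.10"],
                                 "NS": ["ns1.example.net.", "ns2.example.net."]}}
OBSERVED = {"mail.example.com": {"A": ["198.51.100.7"],
                                 "NS": ["ns1.example.net.", "ns-rogue.example.org."]}}


def audit(baseline, observed):
    """Run compare_records over every baselined domain; a domain missing
    from `observed` is treated as having no records at all."""
    results = []
    for domain, base in baseline.items():
        results.extend(compare_records(domain, base, observed.get(domain, {})))
    return results


if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f"[{f.severity}] {f.domain} {f.rtype}: expected "
              f"{sorted(f.expected)} observed {sorted(f.observed)}")
```

In practice OBSERVED would be populated from a live lookup (dig, or a resolver library) against both the authoritative servers and a public resolver, since the two can disagree when only one has been tampered with.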
The researchers noted that the details regarding the mechanism behind the attack are still unknown, but it is clear what the attackers wish to accomplish.
These techniques are not new, and similar methods have been used for DNS hijacking for a long time. Security researchers have reportedly been aware for a long time that these flaws could be exploited. However, what really drove this method of stealing data is the increased awareness of online dangers, which has raised the protection levels of institutions, organizations, and regular individuals alike. By stealing data through DNS hijacking, hackers have no real need to break into specific systems; they can simply collect the data as it travels across the internet.
Who is behind the attacks?
According to FireEye, there is a strong possibility that the attackers are based in Iran. Read also stated that the current attacks are similar to what Iranian hackers have done in the past and that many signs point towards this country.
This method of collecting information was first observed in January 2017, which means that hackers have been stealing information this way for at least two years. Researchers have also noted that the amount of data collected could fuel years of future cyber attacks. Another thing worth noting is that researchers reportedly noticed the attacks a long time ago, but are only publishing their findings now because of the large number of affected entities.
This information matches other data regarding Iranian hackers, such as their increased activity in digital data gathering, which has grown considerably within the last five years. These hackers usually steal any information they can reach, and most of the time they have relied on refined spear phishing attacks in their campaigns. Those attacks have seemingly grown less effective, and DNS hijacking has now become their main method of obtaining sensitive data.
In the meantime, organizations are advised to carefully review FireEye’s report and gain insight into the problem. Additionally, IT staff are advised to implement additional protection on domain registrar accounts and other systems. The additional protective layer believed to be the most useful is multifactor authentication, but any other measures that security specialists can think of should be added in order to protect sensitive information.