Alfa Bank DNS Botnet Attacks

By   ISBuzz Team
Writer , Information Security Buzz | Mar 21, 2017 09:00 am PST

Late last week in a formal press statement, Alfa Bank, a privately owned Russian bank, disclosed that it was subjected to three recent cyberattack attempts on its servers made to appear that it was communicating with the Trump Organization. According to Alfa Bank, “In the attacks, multiple domain name server DNS requests were made by unidentified individuals, mostly using U.S. server providers, to a Trump Organization server. The DNS requests were made to appear as if they originated from Alfa Bank. The DNS responses from the Trump server were then erroneously returned to Alfa Bank, activating Alfa Bank’s automated security systems on February 18 and again on March 11 and 13.”

Alfa Bank’s believes these attacks are being launched from a botnet resulting in “more than 1,340 DNS responses containing”, and that these attacks were created to give the false impression that Alfa Bank has a secretive relationship with the Trump Organization. Mark McArdle, CTO at Cyber Security Company eSentire commented below.

Mark McArdle, CTO at Cyber Security Company eSentire:

Mark McArdle“A botnet is typically associated with an attack that leverages scale, as it can employ thousands (potentially millions with IoT devices) of devices and use them to coordinate an attack on a target. We’ve seen this with some big DDoS attacks. We also see botnets being used as platforms for large-scale spamming. However, the number of DNS connections reported in the Alfa Bank attacks (1,340 in once case) don’t indicate massive scale. A botnet however can be used to add another layer of obfuscation between you and your attacker. Following the breadcrumbs back could bring you to a PVR that has been hacked and is now part of a botnet. I suspect in this case, the botnet is being used more for obfuscation of identity than scale. The attackers may be using a botnet to send spoofed DNS requests to a legitimate Trump server using a spoofed “reply-to” address inside Alfa-Bank’s infrastructure.

Spoofing DNS lookups is not very difficult, since DNS is not authenticated, and the ability to spoof source addresses is unfortunately still available – all you need is a system to launch your attack from that is connected to the Internet via an ISP that doesn’t filter out spoofed source addresses. While this type of attack has been around for a while, what’s new in this case is that someone is using it to try and contrive evidence of a relationship where neither party sought one.

Additionally, there is also reference in Alfa Bank’s statement about Spam messages from It’s also possible to spoof email (spammers do this all the time). A spoofed email could include a reference to a legitimate Trump Org server and a real connection would be established if a user clicked on it (or selected “show images” in the email). Again, this does not mean the email came from Trump Org, just that it was sent in order to attempt to solicit “a connection” between Trump Org and Alfa-Bank.”