Yesterday, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01 to address ongoing incidents associated with global Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them. The directive requires Federal agencies to take specific steps (auditing public DNS records against their intended values, changing passwords on accounts that can modify DNS records, adding multi-factor authentication to those accounts, and monitoring Certificate Transparency logs for certificates issued for agency domains) and to comply with reporting procedures, in order to mitigate risks from undiscovered tampering, prevent illegitimate DNS activity, and detect unauthorized certificates.
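One way to automate the two detection-oriented checks the directive calls for (comparing live DNS answers to a known-good baseline, and flagging certificates issued for your domains by an issuer you do not use) is sketched below. This is an added example, not code from CISA, DHS or DomainTools. The baseline, the "observed" answers and the Certificate Transparency entries are all constructed inline so it runs offline; the domain names use the reserved .example TLD and the addresses come from the RFC 5737 documentation ranges, so every name, address, issuer and fingerprint is hypothetical. In a real deployment the observed answers would come from live resolution and the CT entries from a log monitor.

```python
"""Baseline audit of DNS records and certificate issuance.

Added illustrative example (not CISA's, DHS's or DomainTools' code).
All data below is constructed: .example names, RFC 5737 addresses,
made-up issuers and fingerprints.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str
    kind: str          # record type ("A", "NS", "MX", ...) or "CERT"
    expected: tuple    # values the baseline says we should see (() if none)
    observed: tuple    # values actually seen


# Known-good records, keyed by (owner name, record type). In practice this is
# the change-controlled copy of the zone, never a fresh query.
BASELINE = {
    ("agency.example", "A"): ("203.0.113.10",),
    ("agency.example", "NS"): ("ns1.agency.example.", "ns2.agency.example."),
    ("mail.agency.example", "A"): ("203.0.113.25",),
    ("mail.agency.example", "MX"): ("10 mail.agency.example.",),
}

# Constructed "live" answers: mail.agency.example now resolves to an address
# outside the baseline, and a vpn host appears that was never provisioned.
OBSERVED = {
    ("agency.example", "A"): ("203.0.113.10",),
    ("agency.example", "NS"): ("ns2.agency.example.", "ns1.agency.example."),
    ("mail.agency.example", "A"): ("198.51.100.77",),
    ("mail.agency.example", "MX"): ("10 mail.agency.example.",),
    ("vpn.agency.example", "A"): ("198.51.100.78",),
}

# Certificate authorities each name is allowed to obtain certificates from.
EXPECTED_ISSUERS = {
    "agency.example": {"Example Trust CA"},
    "mail.agency.example": {"Example Trust CA"},
}

# Constructed CT log entries; a real monitor yields issuer and fingerprint
# per logged certificate or precertificate.
CT_ENTRIES = [
    {"domain": "agency.example", "issuer": "Example Trust CA", "fingerprint": "fp-0001"},
    {"domain": "mail.agency.example", "issuer": "Other Free CA", "fingerprint": "fp-0002"},
    {"domain": "unrelated.example", "issuer": "Other Free CA", "fingerprint": "fp-0003"},
]


def audit_dns(baseline, observed):
    """Return a Finding for every (name, type) whose observed value set differs
    from the baseline, and for every observed (name, type) absent from it.
    Answer order is ignored; record contents are compared as sets."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = set(baseline.get(key, ()))
        got = set(observed.get(key, ()))
        if expected != got:
            findings.append(Finding(key[0], key[1],
                                    tuple(sorted(expected)), tuple(sorted(got))))
    return findings


def audit_certs(expected_issuers, ct_entries):
    """Flag CT entries for monitored names whose issuer is not on that name's
    allow-list. Names we do not own are ignored."""
    findings = []
    for entry in ct_entries:
        allowed = expected_issuers.get(entry["domain"])
        if allowed is None or entry["issuer"] in allowed:
            continue
        findings.append(Finding(entry["domain"], "CERT", tuple(sorted(allowed)),
                                (entry["issuer"], entry["fingerprint"])))
    return findings


def run_audit():
    """Run both checks against the constructed data and return all findings."""
    return audit_dns(BASELINE, OBSERVED) + audit_certs(EXPECTED_ISSUERS, CT_ENTRIES)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.domain}: expected {f.expected or 'nothing'}, observed {f.observed}")
```

Run against the constructed data it reports three findings: the redirected A record for mail.agency.example, the unprovisioned vpn.agency.example host, and a certificate for mail.agency.example from an issuer the organization does not use. The baseline comparison deliberately treats a changed NS set the same way as a changed A record, because in the campaign the directive responds to it is the delegation and glue that attackers altered; a check that only looked at web hostnames would miss that.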
Emily Hacker, Security Researcher at DomainTools:
“DNS hijacking is a particularly dangerous attack technique due to the wide variety of malicious activity that it can facilitate. Whether the redirected traffic is used for phishing purposes or in order to provide targeted advertisements to people using specific websites, it can be a powerful malicious tool in the wrong hands. Given that these websites are associated with government and infrastructure targets and the attribution points in the direction of Iran, it is fairly likely that the aim of this hijacking campaign is espionage. This should be taken extremely seriously, and the organizations whose websites have been affected should take the necessary preventative measures in order to avoid further situations such as this.”