Alex - Fotolia

State-sponsored hackers are hijacking DNS, researchers warn

A DNS-hijacking campaign targeting the Middle East and Africa may lead to actors more broadly attacking the global DNS system

A cyber attack campaign dubbed “Sea Turtle” focused on hijacking the domain name system (DNS) is targeting public and private entities including national security organisations in the Middle East and Africa, prompting security researchers to urge organsations around the globe to ensure they are protected.

The ongoing campaign features the first publicly confirmed case of a DNS registry compromise and is believed to have started as early as January 2017. It has compromised at least 40 organisations across 13 countries, according to researchers at Cisco’s Talos security division.

“We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems,” they said in a blog post.

The campaign features DNS hijacking in which the attackers illicitly modify DNS name records to point users to actor-controlled servers.

In January 2019, the US Department of Homeland Security (DHS) issued an emergency directive in an effort to halt a campaign of DNS infrastructure tampering attacks, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organisation’s domain names.

A few days later, the UK’s National Cyber Security Centre (NCSC) announced it was probing a large-scale DNS hijacking campaign that had reportedly affected government and commercial organisations worldwide, and issued defence advice.

DNS is a foundational technology supporting the internet, the researchers said. “Manipulating that system has the potential to undermine the trust users have on the internet,” they added. “That trust and the stability of the DNS system as a whole drives the global economy.”

In the Sea Turtle campaign, researchers found that targets fell into two main groups. The first includes national security organisations, ministries of foreign affairs, and prominent energy organisations.

In attacking this group, the attackers targeted third-party entities that provide services to the main targets to obtain access, said the researchers.

The second target group includes DNS registrars, telecommunication companies and internet service providers.

Read more about DNS security

“One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities,” said the researchers, who described the threat as “severe” in the light of the actor’s methodology in targeting various DNS registrars and registries.

The researchers said the campaign represents an ongoing, high degree of threat to organisations in the targeted regions. “Due to the effectiveness of this approach, we encourage all organisations, globally, to ensure they have taken steps to minimise the possibility of malicious actors duplicating this attack methodology,” they said.

To protect against this type of attack, organisations should use a registry lock service, which will require an out-of-band message before any changes can occur to an organisation’s DNS record, the researchers said.

If a registrar does not offer a registry lock service, the researchers recommend implementing multi-factor authentication (MFA) to access DNS records. They also recommend applying patches, especially on internet-facing machines. “Network administrators can monitor passive DNS record on their domains to check for abnormalities,” they added.

Corin Imai, senior security adviser at cyber threat intelligence firm DomainTools, said DNS hijacking is a particularly dangerous attack technique because of the wide variety of malicious activity it can facilitate.

“Whether the redirected traffic is used for phishing purposes, or to provide targeted advertisements to people using specific websites, it can be a powerful tool,” said Imai. “The fact that these websites are associated with government and infrastructure targets means it is likely that the aim of this hijacking campaign is espionage. What is more, this is not the first time Sea Turtle has been caught, but they continue to successfully break the trust model of the internet.”

Kris Beevers, CEO of DNS security services firm NS1, said cyber attackers are recognising that DNS is a relative weak point in the mitigation strategies of enterprises, governments and other organisations relative to the potential malicious impact they can have by attacking DNS.

“Previous attacks also compromised the registrar in some cases, but this is more significant,” said Beevers. “The bad actors are exploring all the angles they can to take advantage of this weak point, and we will continue to see attacks against the DNS control plane [registrars, authoritative DNS systems] and against the caching hierarchy of DNS, such as DNS poisoning attacks, until target organisations raise the barrier to impact and widely implement well-known best-practice domain security measures as identified in Icann’s checklist.”

Beevers said protection against these kinds of attack and other common attacks, such as distributed denial of service (DDoS), requires organisations to implement:

“We continue to see attackers take advantage of the central role DNS plays in orchestrating all internet and application traffic,” said Beevers. “Organisations must continue common security practices as well, including DNSSEC signing of every domain and DNS network redundancy to limit the impact of targeted DDoS against DNS networks.”

Read more on Hackers and cybercrime prevention