The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.
Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.” The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.
Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.
Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text.
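As an added example (not part of the original post), one way a zone owner can catch this kind of tampering early: diff the records a resolver currently returns for the mail, VPN and nameserver names against a known-good baseline, and rank the findings by what a change would let an attacker do. The domain, addresses and record sets below are constructed; in practice OBSERVED would be filled from live queries against both the authoritative servers and a public resolver.

```python
"""Detect DNSpionage-style record tampering by diffing current DNS answers
against a known-good baseline. All domains and addresses are constructed."""
from dataclasses import dataclass

# Constructed baseline: the records the zone owner published and expects.
BASELINE = {
    ("webmail.example.gov", "A"): {"203.0.113.10"},
    ("vpn.example.gov", "A"): {"203.0.113.20"},
    ("example.gov", "MX"): {"10 webmail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# Constructed snapshot of what a resolver returns now: the webmail host has
# been pointed at an unrelated address and the NS set has been replaced.
OBSERVED = {
    ("webmail.example.gov", "A"): {"198.51.100.77"},
    ("vpn.example.gov", "A"): {"203.0.113.20"},
    ("example.gov", "MX"): {"10 webmail.example.gov."},
    ("example.gov", "NS"): {"ns1.unrelated-provider.test."},
}

@dataclass
class Finding:
    name: str
    rtype: str
    expected: list
    observed: list
    severity: str

def classify(name: str, rtype: str) -> str:
    # A replaced NS set hands control of the whole zone to someone else, which
    # is also what lets them pass DNS-based validation for new certificates.
    if rtype == "NS":
        return "critical"
    # Mail and VPN endpoints are where credentials get typed in.
    if rtype == "MX" or name.split(".")[0] in {"webmail", "mail", "vpn"}:
        return "high"
    return "medium"

def diff_records(baseline: dict, observed: dict) -> list:
    """Return one Finding per record set that differs from the baseline.
    A record missing from `observed` counts as a change (empty set)."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        if seen != expected:
            findings.append(Finding(name, rtype, sorted(expected), sorted(seen),
                                    classify(name, rtype)))
    return findings

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED):
        print(f"[{f.severity}] {f.name} {f.rtype}: expected {f.expected}, got {f.observed}")
```

Pair the DNS diff with a check against certificate transparency logs for the same names, since a fresh certificate for webmail or vpn that the zone owner did not request is the other half of the pattern described above.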
On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.
About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.