Six US government agencies targeted in DNS hijacking attacks

US Department of Homeland Security emergency order issued in response to claims of Iranian DNS hijacking attacks

A US House of Representatives congressman, Jim Langevin, has called for the US Department of Homeland Security to come clean about Domain Name System (DNS) hijacking threats after the Department issued an emergency order on Tuesday.

The Cybersecurity and Infrastructure Security Agency's Emergency Directive 19-01, 'Mitigate DNS Infrastructure Tampering', was issued in response to a series of cyber attacks launched against six US government agencies. The attacks are believed to originate from Iran.

"The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering.

"CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them," the order states.

"Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings."
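The second technique above is the one a defender can catch fastest: a change to a domain's own A, MX or NS records. As an added example (not part of the directive or this article), the script below diffs a trusted record baseline against a fresh snapshot and labels each change with the consequence the directive describes for that record type. The domain names, addresses and the simplified three-column record format are constructed for the example.

```python
"""Detect DNS record tampering by diffing a trusted baseline against a live
snapshot (added example; baseline, snapshot and names are constructed)."""
from collections import defaultdict

# What a changed record of each type lets an attacker do, per ED 19-01.
IMPACT = {
    "A": "web traffic redirected to an attacker-controlled host",
    "MX": "mail intercepted before it reaches the legitimate server",
    "NS": "entire zone delegated to attacker-controlled name servers",
}

# Constructed baseline: records approved through the organisation's change control.
BASELINE = """
www.example.gov.  A   192.0.2.10
www.example.gov.  A   192.0.2.11
example.gov.      MX  mail.example.gov.
example.gov.      NS  ns1.example.gov.
example.gov.      NS  ns2.example.gov.
"""

# Constructed snapshot (what a scheduled query of the authoritative servers
# returned): one A record swapped, the MX repointed, NS records unchanged.
SNAPSHOT = """
www.example.gov.  A   192.0.2.10
www.example.gov.  A   198.51.100.7
example.gov.      MX  mx.attacker.example.
example.gov.      NS  ns1.example.gov.
example.gov.      NS  ns2.example.gov.
"""

def parse_records(text):
    """Parse 'name type value' lines into {(name, type): set(values)}."""
    recs = defaultdict(set)
    for line in text.strip().splitlines():
        name, rtype, value = line.split()
        recs[(name.lower(), rtype.upper())].add(value.lower())
    return recs

def detect_tampering(baseline_text, snapshot_text):
    """Return one finding per (name, type) whose value set differs."""
    base, live = parse_records(baseline_text), parse_records(snapshot_text)
    findings = []
    for key in sorted(set(base) | set(live)):
        added, removed = live[key] - base[key], base[key] - live[key]
        if added or removed:  # any drift from the approved set is a finding
            findings.append({"name": key[0], "type": key[1],
                             "added": sorted(added), "removed": sorted(removed),
                             "impact": IMPACT.get(key[1], "unexpected record change")})
    return findings

if __name__ == "__main__":
    for f in detect_tampering(BASELINE, SNAPSHOT):
        print(f"{f['type']} {f['name']}: +{f['added']} -{f['removed']} -> {f['impact']}")
```

Take the snapshot from the zone's authoritative servers rather than a recursive resolver, so that cached answers do not mask a change.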

According to CyberScoop, at least six US government agencies have been affected by malicious DNS activity. The agencies were given ten days to implement two-factor authentication in order to tighten up security.

But with the US government shutdown, Langevin suggested that it would not be possible for the agencies to comply in time and has called for more information to be released. "We need to understand the scope of this action and how many agencies were actually affected," he told CyberScoop.

The alleged Iranian attack comes after claims were made late last year over a series of Border Gateway Protocol (BGP) hijacking incidents in which internet traffic from the US and other parts of the world was re-routed via China.

A paper published in October 2018 accused China Telecom of exploiting its privileged position within internet points-of-presence worldwide to hijack traffic on a regular basis. "Today, most BGP hijacks are the work of government agencies or large transnational criminal organisations with access to, leverage over, or control of strategically placed internet service providers," claimed the report.

Few other non-American internet service providers or communications companies enjoy such a widespread presence across the US internet backbone.

"Using these numerous points-of-presence, China Telecom has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks and months… The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom," claimed the report.