Security researchers believe Iran has spent the last two years stealing data from telecoms, governments, and other organizations.
IRANIAN HACKERS HAVE BEEN VERY ACTIVE RECENTLY, launching a slew of targeted attacks across the Middle East and beyond. And, this week, the threat intelligence firm FireEye released a report detailing a massive global data-snatching campaign carried out over the last two years that the firm has tentatively linked to Iran.
Hackers have stolen sensitive data such as login credentials and business details from telecoms, internet service providers, government organizations, and other institutions across the Middle East, North Africa, Europe, and North America, using a classic tactic that undermines the integrity of data as it moves across the web. According to FireEye researchers, the targets and the types of data taken are consistent with Iranian government espionage interests, and whoever is responsible now holds a trove of data that could fuel further attacks for years.
“It’s consistent with what we’ve seen Iran do in the past, and the signs point there,” says Ben Read, senior manager of cyber-espionage analysis at FireEye. “This is not the end of the story.”
To steal that much sensitive data from dozens of targets, the attackers used variations on a technique known as DNS hijacking. Rather than breaking a protocol, the method abuses how much trust the internet places in DNS: by altering the records that tell the rest of the world where a domain's servers live, an attacker can route a target's traffic through infrastructure the attacker controls.
When you load a website or use a web service, a behind-the-scenes Domain Name System lookup is what gets you the correct content from the correct web server. DNS servers are essentially the internet's phone book: they translate a human-readable name into the address a browser or service must connect to in order to reach its intended destination.
Consider this: if you change other people's entries in the phone book to your own number, or rewire the system so that their numbers also ring on your line, you can listen in on all kinds of calls without your targets noticing anything wrong.
In the DNS hijacking spree FireEye uncovered, attackers have been manipulating DNS records since at least January 2017 to intercept email traffic, usernames, passwords, and details about organizations' web domains.
The technique isn't new; attackers have used DNS hijacking for years, and the security research community has understood the possibility for decades. But according to FireEye's Read, the approach has gained popularity recently precisely because institutions have grown more security-conscious and made progress locking down their own networks. DNS hijacking offers a relatively simple way to get at internal data without ever setting foot inside an organization's systems, since the records being tampered with typically live with a domain registrar or DNS hosting provider rather than on the victim's own network.
“What they want is the information,” Read explains. “They don’t mind where they get it from.”
Over the last five years, Iranian hackers have steadily expanded their digital intelligence-gathering operations, targeting everything from government information to intellectual property and data from research universities. Those campaigns frequently rely on refined spear-phishing attacks to steal credentials and penetrate networks. When that isn't possible or doesn't work, DNS hijacking can fill in the gaps and yield credentials that are harder to reach by other means.
To help protect against DNS hijacking, FireEye recommends that organizations monitor the certificates issued for their mail servers and regularly verify where their domains' DNS records are pointing, so that unexpected changes stand out. “It implies that nobody is keeping track when certs change,” says Dave Aitel, a former NSA researcher who is now chief security technology officer at Cyxtera, of the findings. And while attackers take advantage of these open doors wherever they can, the effort they put into fine-tuning targeted attacks hints at the value of the data that comes out of them. “The Iranians aren’t putting in this much effort for the sake of it,” Aitel says.
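As an added illustration of the check FireEye describes, and of the record manipulation described in the phone-book analogy above, the script below is example code written for this article (not FireEye's tooling). It compares a domain's observed DNS answers against a baseline of what they should be, flags A records that point outside the organization's own address space, and flags certificates for the domain issued by a CA outside the expected set. All names, addresses and log entries are constructed for the example (RFC 5737 documentation addresses, example.org, and a .test name); in practice the observed records would come from a resolver query and the certificate entries from a Certificate Transparency monitor.

```python
"""Detect DNS record drift and unexpected certificate issuance for a domain.

Added example, not FireEye's or anyone else's production tooling. Every name,
address and certificate entry below is constructed so the script runs offline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline: what the organization believes its zone should say.
BASELINE = {
    "A":  {"mail.example.org.": {"198.51.100.25"},
           "www.example.org.":  {"198.51.100.80"}},
    "NS": {"example.org.": {"ns1.example.org.", "ns2.example.org."}},
    "MX": {"example.org.": {"10 mail.example.org."}},
}
OWN_NETWORKS = [ip_network("198.51.100.0/24")]      # constructed, RFC 5737
KNOWN_CA_ISSUERS = {"Example Internal CA"}          # constructed issuer name

# Constructed resolver output in 'name ttl IN type rdata' form (what a
# `dig +noall +answer` run would print). Here the mail host's A record and one
# of the zone's NS records have been pointed at infrastructure we do not own.
OBSERVED_ANSWERS = """\
mail.example.org.   300 IN A  203.0.113.7
www.example.org.    300 IN A  198.51.100.80
example.org.        300 IN NS ns1.example.org.
example.org.        300 IN NS ns-backup.attacker-dns.test.
example.org.        300 IN MX 10 mail.example.org.
"""

# Constructed (subject, issuer) pairs as a Certificate Transparency monitor
# might report them for names under the domain.
OBSERVED_CERTS = [
    ("mail.example.org", "Example Internal CA"),
    ("mail.example.org", "Public CA (constructed)"),
]


def parse_answers(text):
    """Parse resolver answer lines into {rtype: {name: set(rdata)}}."""
    records = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # skip blank or malformed lines
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[rtype][name].add(rdata)
    return records


def dns_findings(baseline, observed, own_networks):
    """Report every record that differs from the baseline.

    An A record outside own_networks is called out explicitly, because a
    hijacked host pointing at someone else's address space is the signature
    of traffic being diverted through attacker-controlled infrastructure.
    """
    findings = []
    for rtype, names in baseline.items():
        for name, expected in names.items():
            seen = observed.get(rtype, {}).get(name, set())
            for rdata in sorted(seen - expected):
                msg = f"{rtype} {name} -> {rdata} not in baseline"
                if rtype == "A" and not any(
                        ip_address(rdata) in net for net in own_networks):
                    msg += " (outside our address space)"
                findings.append(msg)
            for rdata in sorted(expected - seen):
                findings.append(f"{rtype} {name} missing expected {rdata}")
    return findings


def cert_findings(cert_entries, known_issuers):
    """Flag certificates for our names that an unexpected CA issued."""
    return [f"cert for {subject} issued by unexpected CA: {issuer}"
            for subject, issuer in cert_entries if issuer not in known_issuers]


def audit():
    """Run both checks over the constructed data and return all findings."""
    observed = parse_answers(OBSERVED_ANSWERS)
    return (dns_findings(BASELINE, observed, OWN_NETWORKS)
            + cert_findings(OBSERVED_CERTS, KNOWN_CA_ISSUERS))


if __name__ == "__main__":
    for finding in audit():
        print("ALERT:", finding)
```

Two practical points for anyone adapting this: query from outside the organization's network and through more than one public resolver, because a record changed at the registrar or DNS provider can look perfectly normal from inside if internal resolvers answer for the zone themselves; and treat the certificate check as complementary rather than optional, since a diverted mail host only works silently for the attacker if they can also obtain a certificate the victims' clients will accept.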
Other threat intelligence organizations, such as Cisco Talos, had previously identified various components of the campaign. FireEye also emphasizes that DNS hijacking campaigns are hard to track, because it is often unclear how the attackers managed to alter specific DNS records and how much data was compromised through them.
All the more reason why this hacking spree could be the catalyst for a slew of future attacks.
“We haven’t even scratched the surface of this particular campaign,” Read says. “Even after we published our blog post, we discovered new domains that appeared to have been hijacked since.”