The Department of Homeland Security said in a Jan. 22 emergency directive that multiple executive agency websites have been harmed by a hacking campaign, although it is not clear exactly what has been affected or which agencies are involved.
The attack targets the Domain Name System, the backbone of the internet’s address system, the department said.
“Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve,” the department’s Computer Emergency Readiness Team said Jan. 10 in a post on DNS hijacking. “This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”
Homeland Security ordered federal agencies to take four steps within 10 business days: audit DNS records, change DNS account passwords, add multi-factor authentication and monitor certificate logs. It’s not clear how many employees will be affected by the change or whether the changes can take place during a partial government shutdown.
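The first and fourth of those steps, auditing DNS records and monitoring certificate logs, amount to comparing what the world currently sees against what the organization expects. The script below is an added illustration, not code from the article or from the DHS directive: it checks constructed resolver answers against an approved baseline and flags certificate-transparency entries for managed names that were not issued by an approved CA. The domain, addresses (from TEST-NET ranges) and issuer names are all hypothetical sample data.

```python
"""Audit DNS records and CT-log entries against an approved baseline.

Added example, not part of the article or the directive. The observed side is
constructed inline here; in practice it would come from a resolver and from a
certificate-transparency monitor.
"""

# Constructed baseline: what the organization's zone is supposed to contain.
BASELINE = {
    ("example.gov", "A"): {"203.0.113.10"},
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}

# Constructed observed answers, modelling a changed A record and an extra MX
# entry that a compromised registrar or DNS-provider account could introduce.
OBSERVED = {
    ("example.gov", "A"): {"198.51.100.7"},
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov.", "20 relay.example.net."},
}


def audit_dns(baseline, observed):
    """Return (name, rtype, unexpected, missing) for every record set that drifts."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        unexpected = seen - expected   # values the org never published
        missing = expected - seen      # values that should be there but are gone
        if unexpected or missing:
            findings.append((name, rtype, sorted(unexpected), sorted(missing)))
    return findings


# Constructed CT-log entries as (issuer, subject alternative names). Issuer
# names are hypothetical placeholders for whatever CAs the org actually uses.
CT_ENTRIES = [
    ("Approved CA", ["example.gov", "www.example.gov"]),
    ("Other Free CA", ["mail.example.gov"]),
]
APPROVED_ISSUERS = {"Approved CA"}
MANAGED_NAMES = {"example.gov", "www.example.gov", "mail.example.gov"}


def audit_certs(entries, approved_issuers, managed_names):
    """Flag certificates covering a managed name that an unapproved CA issued."""
    return [(issuer, sans) for issuer, sans in entries
            if any(n in managed_names for n in sans) and issuer not in approved_issuers]
```

Any finding from either function is a lead to investigate with the registrar and CA rather than proof of compromise, since legitimate changes also show up this way unless the baseline is kept current.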
The Washington Post reported that no intelligence or Defense Department networks have been affected, citing U.S. officials.
The emergency directive is one of the most significant public operations undertaken by the Cybersecurity and Infrastructure Security Agency since it was created in November 2018.
In a previous update that detailed the DNS attack, Homeland Security referred to an analysis from the threat intelligence firm FireEye.
Then, FireEye said the DNS hacking campaign has “affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.”
FireEye said there was evidence Iran was behind the campaign, citing IP addresses.
The threat intelligence firm said it found no clear pattern in how the attackers gained access to the DNS records, but added that in some instances they used “sophisticated phishing attacks.”
“This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization’s network,” FireEye said. “This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.