As part of an emergency directive, the Department of Homeland Security (DHS) ordered federal government agencies to audit their Domain Name System (DNS) records. This followed a series of earlier attempts by unidentified hijackers to gain access to agency DNS records and alter them for fraudulent purposes. The hijacking affected six executive branch agencies.
DHS acts to tackle the DNS hijacking incidents
The DHS described the situation in the directive as follows:
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”
In the incidents, the hijackers altered DNS records so that web traffic was intercepted and mail traffic redirected through infrastructure they controlled. Control over a domain's DNS also lets an attacker pass the domain-validation checks certificate authorities perform, so the same access could be used to fraudulently obtain valid SSL/TLS certificates for the affected domains.
Contents of the order
The order required agencies to immediately change the passwords of all accounts that can modify DNS records and to enable multi-factor authentication on those accounts. It also required agencies to monitor Certificate Transparency logs for certificates issued for agency domains that the agency itself did not request.
Moreover, the order gave the Cybersecurity and Infrastructure Security Agency (CISA) responsibility for overseeing the process and for providing guidance and technical assistance to agencies.
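The audit the order calls for boils down to two comparisons: the DNS records an agency's authoritative servers answer today against a known-good baseline, and the certificates that appear in Certificate Transparency logs for the agency's names against the certificates the agency actually requested. The following is an added illustration of both checks, not code from the article or from DHS/CISA. The zone name `agency.example`, the IP addresses, the issuer strings and the CT entries are all constructed for the example; in practice the "observed" records would come from queries to the authoritative nameservers and the CT entries from a log monitor.

```python
# Added example: offline DNS-record and Certificate Transparency audit.
# Every name, address, fingerprint and issuer below is constructed sample data.
from typing import Dict, Iterable, List, Set, Tuple

RRKey = Tuple[str, str]  # (owner name, record type)

# Known-good records as the agency documented them before the incident window.
BASELINE: Dict[RRKey, Set[str]] = {
    ("www.agency.example", "A"): {"203.0.113.10"},
    ("mail.agency.example", "A"): {"203.0.113.25"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

# What the authoritative servers answer today (constructed to contain tampering).
OBSERVED: Dict[RRKey, Set[str]] = {
    ("www.agency.example", "A"): {"198.51.100.7"},                   # web traffic redirected
    ("mail.agency.example", "A"): {"203.0.113.25"},
    ("agency.example", "MX"): {"10 mail.agency.example.",
                               "5 mx.example.net."},                  # lower preference wins: mail redirected
    ("agency.example", "NS"): {"NS1.agency.example.", "ns2.agency.example."},  # cosmetic case change only
}

# Constructed Certificate Transparency entries that mention the zone's names.
CT_ENTRIES: List[dict] = [
    {"fingerprint": "sha256:1111", "issuer": "Public CA (constructed)", "names": ["www.agency.example"]},
    {"fingerprint": "sha256:2222", "issuer": "Public CA (constructed)", "names": ["agency.example", "mail.agency.example"]},
    {"fingerprint": "sha256:3333", "issuer": "Public CA (constructed)", "names": ["www.other.example"]},
]
# Fingerprints of certificates the agency itself requested (constructed).
KNOWN_FINGERPRINTS: Set[str] = {"sha256:1111"}


def normalize_rdata(rdata: str) -> str:
    """Lowercase and drop the trailing dot so purely cosmetic differences do not alert."""
    return rdata.strip().lower().rstrip(".")


def audit_dns(baseline: Dict[RRKey, Set[str]], observed: Dict[RRKey, Set[str]]) -> List[dict]:
    """Return one finding per (name, type) whose record set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        base = {normalize_rdata(r) for r in baseline.get(key, ())}
        obs = {normalize_rdata(r) for r in observed.get(key, ())}
        added, removed = sorted(obs - base), sorted(base - obs)
        if added or removed:
            # NS and MX changes move whole classes of traffic, so rank them highest.
            severity = "critical" if rtype in ("NS", "MX") else "high"
            findings.append({"name": name, "type": rtype, "added": added,
                             "removed": removed, "severity": severity})
    return findings


def covers_zone(names: Iterable[str], zone: str) -> bool:
    """True if any SAN is the zone apex, a name under it, or a wildcard for it."""
    zone = zone.lower()
    return any(n.lower() == zone or n.lower().endswith("." + zone) for n in names)


def audit_ct(entries: List[dict], zone: str, known_fingerprints: Set[str]) -> List[dict]:
    """Flag logged certificates that cover our zone but that we did not request."""
    return [e for e in entries
            if covers_zone(e["names"], zone) and e["fingerprint"] not in known_fingerprints]


if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        print(f"[{f['severity']}] {f['name']} {f['type']}: +{f['added']} -{f['removed']}")
    for e in audit_ct(CT_ENTRIES, "agency.example", KNOWN_FINGERPRINTS):
        print(f"[critical] unrequested certificate {e['fingerprint']} from {e['issuer']} for {e['names']}")
```

Two design points matter in practice. Record data is normalized before comparison so that a trailing dot or a change of case in a nameserver hostname does not generate noise, while a genuinely different address or an extra MX host still does. The CT check keys on certificate fingerprints rather than on issuer, because an attacker who controls DNS can obtain a certificate from the same public CA the agency uses; the only reliable signal is a certificate the agency never requested.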
The DHS released little information about what had happened, yet took the rare step of issuing an emergency directive. That combination raised questions about who the threat actor or actors were, and led many to conclude that the hijackers were most likely state-level actors. Two points supported this view. First, FireEye's recent report, which alerted the DHS, named Iran as a suspect. Second, prior to the directive, a coordinated hacking campaign had taken place across the Middle East, Europe and the US in which hijackers made a series of attempts to steal or compromise credentials in order to gain access to DNS records. The industries affected by that campaign included critical infrastructure and government, which is what connects the two.
The agencies were given 10 business days to carry out the actions outlined in the order.