April 18, 2019

Government domain hijack campaign “likely” to be espionage

By Lucy Ingham

An extensive cyberattack campaign that sees government, intelligence agency and key infrastructure providers’ domains hijacked is likely to be espionage activity, according to a cybersecurity expert.

The government domain hijack campaign was discovered by Cisco’s Talos cybersecurity unit, and the story was broken by TechCrunch on Wednesday.

In the campaign, the domain name system (DNS) records of key websites are being hijacked, meaning traffic to those sites is rerouted to malicious servers used to steal users’ passwords.

It has seen a total of 40 organisations across 13 countries, including government and intelligence agencies, telecom companies and internet providers, being targeted.

While the attack bears a resemblance to several other DNS hijacking campaigns targeting government websites, Talos believes this is a new threat actor that is backed by a nation-state organisation.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” said Craig Williams, director of outreach at Cisco Talos, in an interview with TechCrunch.

The motives for the government domain hijack campaign

For Corin Imai, senior security advisor at Domain Tools, it is probable that the group is using DNS hijacking as part of a spying operation.

“The fact that these websites are associated with government and infrastructure targets, it is likely that the aim of this hijacking campaign is espionage,” he said.

Combining DNS hijacking with these kinds of targets is particularly effective: to users, who are likely to have access to information of significant value to an adversarial nation state, the site appears to be functioning normally, making it likely they will be fooled into giving away their login details.

“DNS hijacking is a particularly dangerous attack technique due to the wide variety of malicious activity that it can facilitate,” said Imai.

“Whether the redirected traffic is used for phishing purposes, or in order to provide targeted advertisements to people using specific websites, it can be a powerful tool.”


