An extensive cyberattack campaign that sees government, intelligence agency and key infrastructure providers’ domains hijacked is likely to be espionage activity, according to a cybersecurity expert.
The government domain hijack campaign was discovered by Cisco's Talos cybersecurity unit, and the story was broken by TechCrunch on Wednesday.
In the campaign, the domain name system (DNS) records of key websites are being hijacked, so that visitors to those sites are rerouted to malicious servers used to steal their passwords.
The campaign has targeted a total of 40 organisations across 13 countries, including government and intelligence agencies, telecom companies and internet providers.
While the attack bears a resemblance to several other DNS hijacking campaigns targeting government websites, Talos believes this is a new threat actor that is backed by a nation-state organisation.
“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” said Craig Williams, director of outreach at Cisco Talos, in an interview with TechCrunch.
The motives for the government domain hijack campaign
For Corin Imai, senior security advisor at DomainTools, it is probable that the group is using DNS hijacking as part of a spying operation.
“The fact that these websites are associated with government and infrastructure targets, it is likely that the aim of this hijacking campaign is espionage,” he said.
Combining DNS hijacking with these kinds of targets is particularly effective because, to the users (who are likely to have access to information of significant value to an adversarial nation state), the site appears to be functioning normally, making it likely that they will be fooled into handing over their login details.
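One defender-side check against the kind of hijack described above is to keep a known-good snapshot of a domain's A and NS records and alert when a fresh lookup, ideally from several independent resolvers, deviates from it. The following is an added example, not code from the article or from Talos; the domains, resolver names and addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Records:
    a: frozenset   # IPv4 addresses the name currently resolves to
    ns: frozenset  # name servers the zone is delegated to


def find_drift(baseline, observed):
    """Compare fresh lookups against a baseline.

    baseline: domain -> Records you expect.
    observed: domain -> resolver -> Records returned by that resolver.
    Returns domain -> list of alert strings (an empty list means clean).
    """
    alerts = {}
    for domain, expected in baseline.items():
        found = []
        per_resolver = observed.get(domain, {})
        for resolver, seen in per_resolver.items():
            extra_a = seen.a - expected.a
            if extra_a:  # traffic would land on a server not in the baseline
                found.append(f"{resolver}: A record(s) outside baseline: {sorted(extra_a)}")
            if seen.ns != expected.ns:  # delegation moved to other name servers
                found.append(f"{resolver}: NS delegation changed to {sorted(seen.ns)}")
        # Independent resolvers disagreeing with each other is suspicious on its own
        if len({seen.a for seen in per_resolver.values()}) > 1:
            found.append("resolvers disagree on A records")
        alerts[domain] = found
    return alerts


# Constructed sample data: one clean domain and one whose records were changed.
BASELINE = {
    "portal.example.org": Records(frozenset({"192.0.2.10"}), frozenset({"ns1.example.org", "ns2.example.org"})),
    "mail.example.net": Records(frozenset({"192.0.2.25"}), frozenset({"ns1.example.net"})),
}
OBSERVED = {
    "portal.example.org": {
        "resolver-A": Records(frozenset({"192.0.2.10"}), frozenset({"ns1.example.org", "ns2.example.org"})),
        "resolver-B": Records(frozenset({"198.51.100.7"}), frozenset({"ns1.rogue-placeholder.example"})),
    },
    "mail.example.net": {
        "resolver-A": Records(frozenset({"192.0.2.25"}), frozenset({"ns1.example.net"})),
        "resolver-B": Records(frozenset({"192.0.2.25"}), frozenset({"ns1.example.net"})),
    },
}


def run_check():
    return find_drift(BASELINE, OBSERVED)


if __name__ == "__main__":
    for domain, msgs in run_check().items():
        print(domain, "OK" if not msgs else msgs)
```

In practice the observed snapshots come from querying each domain through resolvers you do not share infrastructure with, and the baseline is refreshed only through a change-controlled process.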
“DNS hijacking is a particularly dangerous attack technique due to the wide variety of malicious activity that it can facilitate,” said Imai.
“Whether the redirected traffic is used for phishing purposes, or in order to provide targeted advertisements to people using specific websites, it can be a powerful tool.”