"There is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure," the Internet Corporation for Assigned Names and Numbers (ICANN) said in a February 22 statement. DNS translates domain names into the network addresses that direct internet traffic to its intended destination.
These attacks enable hostile parties to snoop on data being sent through the DNS, to redirect traffic to other locations and even to impersonate or "spoof" the destination website, ICANN specialists told AFP.
"They are going after the internet infrastructure itself," ICANN Chief Technology Officer David Conrad said. "There have been targeted attacks in the past, but nothing like this."
"This is roughly equivalent to someone lying to the post office about your address, checking your mail and then hand delivering it to your mailbox. Lots of harmful things could be done to you (or the senders) depending on the content of that mail," Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, said in a blog post on January 24.
The CISA is a newly minted agency of the Department of Homeland Security, formerly called the National Protection and Programs Directorate (NPPD), elevated to the status of agency by a November 2018 act of Congress.
"It's a really big deal if this is used, because they essentially get all email traffic, if they do it right. It's not like, 'Oh, they got onto one machine and got one dude's files.' If you're intercepting all the files that are going to a [mail exchanger] record, for example, you could read all of a domain's emails," Ben Read, a senior manager at cybersecurity company FireEye, told Nextgov last month.
"This information is getting intercepted and stolen when it's outside your network — when it's transiting," Read said. "My anti-virus isn't going to fire, and there's nothing on the government server itself that is going to be inherently malicious. It's just getting intercepted in the middle, taking advantage of what is a blind spot."
"This attack, in theory, could have been done 20 years ago," Read said, noting that the vulnerability dates to the internet's genesis. "We've seen incidents of it before. … But the breadth of [this latest attack], we, at least, haven't seen before."
However, ICANN did provide a simple solution: domain owners need to start using DNSSEC (Domain Name System Security Extensions), a more secure version of DNS that cryptographically signs data, making it much harder to manipulate or impersonate, TechCrunch reported.
"This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally 'signing' data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected," ICANN wrote.
"ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called 'man in the middle' attacks where a user is unknowingly redirected to a potentially malicious site," the organization said, noting that using Transport Layer Security (most typically used in HTTPS) can further protect communication between users and domains.
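The mechanism ICANN describes above, as an added example that is not part of the original article and not ICANN's or any DNS vendor's code: a zone operator signs a set of records with the zone's private key, and a validating resolver recomputes the signed form of whatever answer it receives and checks it against the zone's public key. The model is deliberately simplified (a textual canonical form rather than the RFC 4034 wire encoding, no DNSKEY/DS chain to the parent zone, no signature validity window); Ed25519 is a real DNSSEC algorithm (number 15, RFC 8080), while the zone name, MX targets and the `RR`, `SignRRset`, `ValidateRRset` and `Demo` names are constructed for this example. It replays the mail-interception scenario from the quotes above: the genuine MX answer validates, and the same answer with its mail server rewritten in transit does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record (constructed type for this example).
// Real DNSSEC signs records in canonical wire form (RFC 4034 section 6);
// this model uses a simpler textual canonical form with the same intent.
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// canonicalRRset builds the bytes an RRSIG covers: the owner name (lowercased),
// type and TTL shared by the set, then every RDATA in sorted order, so that
// case differences or reordering of records do not change the signature while
// any change to a record's content does.
func canonicalRRset(rrs []RR) []byte {
	var buf bytes.Buffer
	rdata := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		rdata = append(rdata, rr.RData)
	}
	sort.Strings(rdata)
	buf.WriteString(strings.ToLower(rrs[0].Name) + "\x00" + rrs[0].Type + "\x00")
	binary.Write(&buf, binary.BigEndian, rrs[0].TTL)
	for _, rd := range rdata {
		// Length-prefix each RDATA so concatenation is unambiguous.
		binary.Write(&buf, binary.BigEndian, uint16(len(rd)))
		buf.WriteString(rd)
	}
	return buf.Bytes()
}

// GenerateZoneKey makes a fresh Ed25519 key pair standing in for a zone's DNSKEY.
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRRset is the zone operator's side: an RRSIG-like signature over the
// canonical RRset. Only the holder of the zone's private key can produce it.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// ValidateRRset is the resolver's side: recompute the canonical form of the
// answer actually received and verify it against the published public key.
// A record rewritten anywhere between the authoritative server and the
// resolver no longer matches the signed bytes, so validation fails.
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo walks through the article's scenario with constructed data: a signed
// MX answer, an in-transit rewrite of the mail server, and the verdict on each.
func Demo() (genuineOK, hijackedOK bool) {
	pub, priv := GenerateZoneKey()
	// example.net is a reserved documentation domain; the records are constructed.
	genuine := []RR{{"example.net.", "MX", 3600, "10 mail.example.net."}}
	sig := SignRRset(priv, genuine)
	genuineOK = ValidateRRset(pub, genuine, sig)
	// The same answer with the MX target altered in transit: the RRSIG still
	// covers the original record, so the resolver rejects the modified set.
	hijacked := []RR{{"example.net.", "MX", 3600, "10 mail.rogue.example."}}
	hijackedOK = ValidateRRset(pub, hijacked, sig)
	return genuineOK, hijackedOK
}

func main() {
	g, h := Demo()
	fmt.Printf("genuine MX answer validates: %v\n", g)
	fmt.Printf("rewritten MX answer validates: %v\n", h)
}
```

The point the model makes concrete is the one in ICANN's statement: DNSSEC does not stop an on-path party from altering or substituting an answer, but a validating resolver detects the alteration and refuses to use it, which is why the protection only exists when the zone is signed and the resolver validates.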
Read refers to a series of attacks that set off alarm bells in DHS at the beginning of the year, with FireEye reporting on January 9 that "initial research suggests the actor or actors responsible have a nexus to Iran." It's unclear whether or not the company meant the Iranian government or simply individuals inside the country.
The company cautioned that it wasn't able to link the activity to any particular group, but noted: "While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale."
The DNSpionage attacks reportedly attempted to steal account credentials, such as email passwords, in Lebanon and the United Arab Emirates, Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, told AFP. He noted that similar attacks had also targeted governments, intelligence services, police, airlines and the oil industry in both the Middle East and in Europe.
That said, claims by FireEye should be taken with a Dead Sea's worth of salt, as the company was bankrolled with CIA money via the agency's venture capital arm, In-Q-Tel, as Sputnik has previously reported.
In a 2009 statement, IQT said the CIA would maintain a "strategic partnership" with FireEye, calling it a "critical addition to our strategic investment portfolio for security technologies."
It's even more ironic that one of the countries supposedly attacked was the United Arab Emirates, considering the vast espionage operation dubbed "Project Raven" the US National Security Agency (NSA) ran out of that country in partnership with the Emirati government, spying on foreign governments, journalists and human rights activists as well as US citizens. Knowledge of Project Raven was divulged only last month by former NSA employee Lori Stroud, Sputnik reported.
CrowdStrike, too, is a company with serious connections to the US defense apparatus, including having its founder, Dmitri Alperovitch, as a "senior fellow" at hawkish foreign policy think tank the Atlantic Council, which gets lots of money from NATO, defense contractors and Gulf monarchies, as Sputnik has previously reported.