DHS issues security alert about recent DNS hijacking attacks

January 31, 2019
Domain Monitoring

DHS lays out four-step action plan for investigating DNS hacks and securing DNS management accounts.

The US Department of Homeland Security (DHS) has issued today an “emergency directive” that contains guidance regarding a report detailing a wave of DNS hijacking incidents perpetrated by Iran.

The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized changes, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.

The DHS document also asks government IT personnel to monitor Certificate Transparency (CT) logs for newly issued TLS certificates that cover government domains but were not requested by government workers (a sign that a malicious actor has hijacked a government domain’s DNS records and is now requesting TLS certificates).

The emergency directive comes after the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division a week ago.
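As an added example (not taken from the DHS directive or the original article), the CT check described above can be sketched as a comparison between CT log entries for a monitored domain and the agency's own record of certificates it requested. The entry fields, domain names, issuers and serials are constructed assumptions, not a real log's schema or data.

```python
from datetime import datetime, timezone

MONITORED_DOMAINS = {"agency.example"}            # constructed zone
# (issuer, serial) of certificates the agency's own records show it requested
REQUESTED = {("Example Trust CA", "a1b2c3")}

# Constructed CT entries; field names are assumptions, not a real log's schema.
CT_ENTRIES = [
    {"logged_at": "2019-01-05T09:00:00Z", "issuer": "Example Trust CA",
     "serial": "00:A1:B2:C3", "names": ["www.agency.example"]},
    {"logged_at": "2019-01-12T03:14:00Z", "issuer": "Other Public CA",
     "serial": "7f01", "names": ["mail.agency.example"]},
    {"logged_at": "2019-01-13T11:30:00Z", "issuer": "Example Trust CA",
     "serial": "9e44", "names": ["*.agency.example", "agency.example"]},
    {"logged_at": "2019-01-14T16:00:00Z", "issuer": "Other Public CA",
     "serial": "5d10", "names": ["www.notagency.example"]},
    {"logged_at": "2018-06-01T00:00:00Z", "issuer": "Other Public CA",
     "serial": "1c22", "names": ["old.agency.example"]},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_serial(serial):
    # Inventories and logs format serials differently (case, colons, leading zeros).
    return serial.replace(":", "").lower().lstrip("0")

def covers(name, domain):
    # Match the domain itself, any subdomain, and wildcard names, on label boundaries.
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def unrequested_certificates(entries, domains, requested, since):
    """Return entries logged since `since` that cover a monitored domain but
    do not match any certificate in the agency's own request records."""
    known = {(issuer, normalize_serial(serial)) for issuer, serial in requested}
    flagged = []
    for e in entries:
        if parse_ts(e["logged_at"]) < since:
            continue
        hits = sorted(n for n in e["names"] if any(covers(n, d) for d in domains))
        if hits and (e["issuer"], normalize_serial(e["serial"])) not in known:
            flagged.append({"serial": e["serial"], "issuer": e["issuer"],
                            "names": hits, "logged_at": e["logged_at"]})
    return flagged

if __name__ == "__main__":
    since = datetime(2019, 1, 1, tzinfo=timezone.utc)
    for cert in unrequested_certificates(CT_ENTRIES, MONITORED_DOMAINS, REQUESTED, since):
        print("REVIEW:", cert["logged_at"], cert["issuer"], cert["serial"], cert["names"])
```

Each flagged entry is a lead to reconcile with whoever manages certificates for that domain; a match against the request records depends on that inventory being complete.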

The DHS US-CERT alert was based on a report published a week ago by US cyber-security firm FireEye. The now notorious report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies.

The purpose of these DNS hijacks was to redirect web traffic meant for companies’ and agencies’ internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

According to FireEye, the alleged Iranian group changed DNS records for victim companies and agencies after hacking into web hosting or domain registrar accounts. There they modified the DNS records of official websites to point web traffic towards their malicious servers, and later redirected the traffic to the victim’s legitimate site after collecting login details.


The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Division leads domain monitoring efforts to protect government agencies’ domains and networks in collaboration with the private sector.


The department also urged agencies to update their passwords for all accounts on systems that can make changes to agency DNS records, and to implement multi-factor authentication for accounts on DNS admin systems. Finally, agencies are being directed to monitor certificate transparency logs.

The warning comes as the U.S. government enters its 33rd day of a shutdown (as of Wednesday), a prolonged situation that has sparked concerns about its impact on security across the board.

