A tentative connection has been made to Iranian-inspired actors for a wave of DNS attacks being conducted against targets in the Middle East and North Africa, Europe and North America.
FireEye’s Mandiant Incident Response and Intelligence teams tempered their belief that Iran is behind the attacks, noting that attribution work continues, but said enough evidence exists to assess with moderate confidence that the attacks stem from persons based in Iran.
“FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyberespionage actors. The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value,” the report said.
The organizations being targeted are telecoms, ISPs, internet infrastructure providers, and government and commercial entities. The campaign ran from January 2017 to January 2019 and used multiple, non-overlapping clusters of actor-controlled domains and IPs; a wide range of providers were used for encryption certificates and VPS hosts, FireEye said.
FireEye was unable to specify the exact attack vector used against each target and said multiple vectors may have been used in each case, but a few clues were available to shed some light on the issue.
“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account,” the report said.
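The registrar-level record changes described above are something a defender can watch for by diffing a zone's current answers against a trusted baseline. The following is an added example, not code from the FireEye report or this article; the domains, prefixes and approved-server lists are constructed sample data, and a real deployment would feed it records resolved from the zone's authoritative servers.

```python
import ipaddress

# Constructed sample policy: the organisation's own address space plus its
# approved name servers and mail hosts.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
APPROVED_MX = {"mail.example.gov."}

def _outside_own_space(value: str) -> bool:
    """True if an address record points somewhere the organisation does not control."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparsable rdata is treated as suspicious
    return not any(addr in net for net in OWN_PREFIXES)

def detect_drift(baseline: dict, snapshot: dict) -> list:
    """One finding per changed record; 'high' when an added value escapes the policy above."""
    findings = []
    for key in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(key, set()), snapshot.get(key, set())
        if old == new:
            continue
        name, rtype = key
        added = new - old
        if rtype in ("A", "AAAA"):
            bad = {v for v in added if _outside_own_space(v)}
        elif rtype == "NS":
            bad = added - APPROVED_NS
        elif rtype == "MX":
            bad = added - APPROVED_MX
        else:
            bad = set()  # other types: report the change without escalating
        findings.append({"name": name, "type": rtype, "added": sorted(added),
                         "removed": sorted(old - new),
                         "severity": "high" if bad else "low"})
    return findings

# Constructed sample data: a trusted baseline and a later snapshot in which the
# zone delegation and the mail host's address have both been altered.
BASELINE = {
    ("www.example.gov.", "A"): {"203.0.113.10"},
    ("mail.example.gov.", "A"): {"203.0.113.25"},
    ("example.gov.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.gov.", "MX"): {"mail.example.gov."},
}
SNAPSHOT = dict(BASELINE)
SNAPSHOT[("mail.example.gov.", "A")] = {"198.51.100.77"}  # now outside own space
SNAPSHOT[("example.gov.", "NS")] = {"ns1.example-dns.net.", "ns-unknown.example-hosting.net."}
```

Running `detect_drift(BASELINE, SNAPSHOT)` reports the NS delegation change and the mail host's move as high-severity findings, while an A record moving within the organisation's own prefix is reported as low.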
In November, Cisco Talos reported on what is likely one aspect of this campaign when it came across attacks targeting Lebanese and United Arab Emirates .gov domains. The attackers gained initial entry using two fake job-oriented websites and malicious Microsoft Office documents with embedded macros, Cisco Talos wrote at the time.