The actors responsible for the DNSpionage DNS hijacking campaign have altered some of their tactics, techniques and procedures (TTPs), introducing a new reconnaissance phase as well as a new malicious remote administration tool called Karkoff.

Discovered last November, the operation primarily targets Lebanon- and United Arab Emirates-affiliated .gov domains, commandeering the websites' DNS servers so that visitors are redirected to a malicious Internet address that harvests users' login credentials, for espionage purposes. The threat actors initially accomplish this compromise by infecting their targets via phony documents with malicious attachments.
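The hijack described above works by changing the records a domain's DNS servers hand out, so one practical defensive control is to keep a known-good snapshot of an organisation's authoritative records and diff every fresh resolution against it. The following is an added example, not code from the article or from Talos; the domains, addresses and name servers are constructed placeholders, and a real deployment would replace the hard-coded `CURRENT` snapshot with live lookups (for instance via dnspython's `dns.resolver.resolve`).

```python
"""Flag DNS record drift between a known-good baseline and a fresh snapshot.

Added example, not part of the original article. All domain names and
addresses below are constructed placeholders (RFC 5737 / RFC 2606 ranges),
not real indicators of compromise.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# domain -> record type -> set of record values
Records = Dict[str, Dict[str, Set[str]]]

# Constructed baseline: the records the organisation expects to be served.
BASELINE: Records = {
    "portal.example-agency.gov.example": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example-agency.gov.example", "ns2.example-agency.gov.example"},
        "MX": {"mail.example-agency.gov.example"},
    },
    "www.example-agency.gov.example": {
        "A": {"203.0.113.20"},
        "NS": {"ns1.example-agency.gov.example", "ns2.example-agency.gov.example"},
    },
}

# Constructed "current" snapshot simulating a hijack of the portal: the A
# record now points at an attacker-controlled host and a rogue NS was added.
# The second domain is untouched, so it must produce no findings.
CURRENT: Records = {
    "portal.example-agency.gov.example": {
        "A": {"198.51.100.77"},
        "NS": {
            "ns1.example-agency.gov.example",
            "ns2.example-agency.gov.example",
            "ns.attacker-controlled.example",
        },
        "MX": {"mail.example-agency.gov.example"},
    },
    "www.example-agency.gov.example": {
        "A": {"203.0.113.20"},
        "NS": {"ns1.example-agency.gov.example", "ns2.example-agency.gov.example"},
    },
}

# Changes to delegation or address records redirect traffic outright, so they
# rank highest; mail routing is next; anything else is low by default.
SEVERITY = {"NS": "high", "A": "high", "AAAA": "high", "CNAME": "high", "MX": "medium"}


@dataclass(frozen=True)
class Drift:
    domain: str
    rtype: str
    added: FrozenSet[str]     # values present now but absent from the baseline
    removed: FrozenSet[str]   # values in the baseline that are no longer served
    severity: str


def diff_records(baseline: Records, current: Records) -> List[Drift]:
    """Return one Drift per (domain, record type) whose value set changed."""
    findings: List[Drift] = []
    for domain in sorted(set(baseline) | set(current)):
        base = baseline.get(domain, {})
        now = current.get(domain, {})
        for rtype in sorted(set(base) | set(now)):
            added = frozenset(now.get(rtype, set()) - base.get(rtype, set()))
            removed = frozenset(base.get(rtype, set()) - now.get(rtype, set()))
            if added or removed:
                findings.append(
                    Drift(domain, rtype, added, removed, SEVERITY.get(rtype, "low"))
                )
    return findings


def format_alert(d: Drift) -> str:
    """Render a finding as a single log-style line for a SIEM or ticket."""
    return (
        f"[{d.severity.upper()}] {d.domain} {d.rtype} changed: "
        f"added={sorted(d.added)} removed={sorted(d.removed)}"
    )


if __name__ == "__main__":
    for finding in diff_records(BASELINE, CURRENT):
        print(format_alert(finding))
```

Run on the constructed data, the script reports two high-severity findings for the portal domain (the swapped A record and the extra NS entry) and stays silent for the untouched domain; an unchanged NS set alongside a changed A record is itself a useful signal, since it suggests the registrar or zone account was altered rather than the name servers replaced wholesale.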

The campaign, which has prompted warnings from the Department of Homeland Security and the Internet Corporation for Assigned Names and Numbers (ICANN), has been potentially linked to Iran's Ministry of Intelligence, and now a new blog post from Cisco Systems' Talos division has revealed yet another possible connection, while also detailing DNSpionage's newly adopted TTPs.
