
DHS issues emergency directive to counter DNS hijacking campaign

The Department of Homeland Security issued an emergency directive Jan. 22 to nearly all federal agencies mandating cybersecurity actions to mitigate a global Domain Name System infrastructure hijacking campaign.

In a Jan. 22 letter signed by Director Christopher Krebs, the Cybersecurity and Infrastructure Security Agency said it is "aware of multiple executive branch agency domains that were impacted by the tampering campaigns and has notified the agencies that maintain them."

Agencies will have 10 business days to audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multi-factor authentication and monitor certificate transparency logs. The directive applies to all executive branch departments and agencies except for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.

CISA wants preliminary status reports by Friday, Jan. 25, and a completed action report no later than Feb. 5. Krebs said the agency is ready to provide technical and logistical assistance to agencies that detect anomalous activity or are unable to implement the directive.

In the letter, Krebs writes that CISA has observed instances where attackers compromise or obtain login credentials for accounts that can make changes to DNS records. After altering a record, the attacker directs user traffic to an address under their control and obtains encryption certificates for the domain, which allow them to decrypt and read the incoming traffic.

"This allows the redirected traffic to be decrypted, exposing any user-submitted data," Krebs writes. "Since the certificate is valid for the domain, end users receive no error warnings."
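The DNS record audit and certificate transparency monitoring the directive requires, as an added example that is not code from the article, CISA or FCW: it diffs the records a resolver returns against an agency's known-good baseline, and flags CT log entries covering a monitored domain that were issued by a CA the agency has not approved. The domain, addresses (TEST-NET ranges) and CA names are constructed.

```python
# Added example, not code from the article or from CISA: the two checks the
# directive asks for, run over constructed data. The domain, IPs (TEST-NET
# ranges) and CA names are assumptions, not values from the page.

def audit_dns(baseline, observed):
    """Return (name, rtype, expected, seen) where the live record set differs
    from the agency's known-good baseline."""
    findings = []
    for name, records in baseline.items():
        for rtype, expected in records.items():
            seen = set(observed.get(name, {}).get(rtype, []))
            if seen != set(expected):
                findings.append((name, rtype, sorted(expected), sorted(seen)))
    return findings

def audit_ct(entries, monitored, authorized_cas):
    """Return (san, issuer) for CT log entries that cover a monitored domain
    but were issued by a CA the agency has not approved."""
    alerts = []
    for entry in entries:
        for san in entry["names"]:
            host = san[2:] if san.startswith("*.") else san
            if any(host == d or host.endswith("." + d) for d in monitored):
                if entry["issuer"] not in authorized_cas:
                    alerts.append((san, entry["issuer"]))
                break
    return alerts

# Constructed sample data for a hypothetical agency domain "agency.example".
BASELINE = {
    "www.agency.example": {"A": ["192.0.2.10"]},
    "agency.example": {"NS": ["ns1.agency.example", "ns2.agency.example"],
                       "MX": ["mail.agency.example"]},
}
OBSERVED = {  # what a resolver returns now; the A record has been changed
    "www.agency.example": {"A": ["198.51.100.7"]},
    "agency.example": {"NS": ["ns2.agency.example", "ns1.agency.example"],
                       "MX": ["mail.agency.example"]},
}
CT_ENTRIES = [  # simplified CT log entries
    {"names": ["www.agency.example"], "issuer": "Approved CA (constructed)"},
    {"names": ["*.agency.example"], "issuer": "Unfamiliar CA (constructed)"},
    {"names": ["unrelated.example"], "issuer": "Unfamiliar CA (constructed)"},
]

if __name__ == "__main__":
    print("DNS deviations:", audit_dns(BASELINE, OBSERVED))
    print("CT alerts:", audit_ct(CT_ENTRIES, ["agency.example"],
                                 {"Approved CA (constructed)"}))
```

Record order is ignored (the NS set is compared, not the list), so only the changed A record is reported; a real deployment would feed the observed map from an authoritative query and the CT entries from a log monitor.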

The directive comes after DHS and the private threat intelligence firm FireEye issued warnings about the campaign earlier this month. The FireEye post said the campaign involved "dozens" of domains throughout North America, Europe, North Africa and the Middle East, affecting governments, telecommunications companies and internet infrastructure entities.

FireEye's analysis did not make a formal attribution, but expressed "moderate confidence" that the activity was linked to groups based out of Iran, with some of the IP addresses tracked being used in a previous campaign attributed to Iranian cyber espionage actors. The DHS letter and alert do not mention Iran or provide any information regarding attribution.

CyberScoop first reported on the impending directive shortly before it was publicly released.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be reached by email or followed on Twitter @derekdoestech.
