DHS issues emergency directive to counter DNS hijacking campaign

The Department of Homeland Security's Jan. 22 warning applied to nearly all federal agencies and requires rapid action to mitigate Domain Name System compromises that have impacted "multiple executive branch agency domains."

The Department of Homeland Security issued an emergency directive Jan. 22 to nearly all federal agencies mandating cybersecurity actions to mitigate a global Domain Name System infrastructure hijacking campaign.

In a Jan. 22 letter signed by Director Christopher Krebs, the Cybersecurity and Infrastructure Security Agency said it is "aware of multiple executive branch agency domains that were impacted by the tampering campaigns and has notified the agencies that maintain them."

Agencies will have 10 business days to audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multi-factor authentication and monitor certificate transparency logs. The directive applies to all executive branch departments and agencies except for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.

CISA wants preliminary status reports by Friday, Jan. 25, and a completed action report no later than Feb. 5. Krebs said the agency is ready to provide technical and logistical assistance to agencies that detect anomalous activity or are unable to implement the directive.

In the letter, Krebs writes that CISA has observed instances where attackers compromise or obtain login credentials to accounts that can make changes to DNS records. After altering the address, an attacker then directs user traffic to a controlled address and obtains encryption certificates that allow them to decrypt and read incoming traffic.

"This allows the redirected traffic to be decrypted, exposing any user-submitted data," Krebs writes. "Since the certificate is valid for the domain, end users receive no error warnings."
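The two checks the directive asks for, auditing public DNS records against what the agency expects to serve and watching certificate transparency logs for certificates it did not request, can be scripted. The following is an added example written for this article, not code from CISA or the directive; the domains, addresses, name servers, CA names and CT entries are all constructed, and the `BASELINE` and `EXPECTED_ISSUERS` tables stand in for the change-controlled record set an agency would actually keep. The observed records are embedded inline so the script runs offline; in practice they would be collected from public resolvers and from each authoritative and secondary server separately, since a hijack may have touched only one of them.

```python
"""Audit DNS records and CT log entries against a known-good baseline.

Constructed example for illustration: none of the domains, addresses or
certificates below are real observations.
"""
from dataclasses import dataclass

# Records each zone is expected to serve, kept under change control.
# (Constructed; 198.51.100.0/24 is RFC 5737 documentation address space.)
BASELINE = {
    "agency.example": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "MX": {"10 mail.agency.example."},
    },
    "portal.agency.example": {
        "A": {"198.51.100.20"},
    },
}

# Records as returned by a resolver during the audit (constructed). The MX
# set has gained an extra host and the portal's A record now points elsewhere,
# the two changes the directive describes.
OBSERVED = {
    "agency.example": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "MX": {"10 mail.agency.example.", "5 mail.intruder.example."},
    },
    "portal.agency.example": {
        "A": {"203.0.113.7"},
    },
}

# CAs the agency actually uses per zone (constructed). Any certificate for a
# monitored name from another issuer is worth a ticket.
EXPECTED_ISSUERS = {
    "agency.example": {"Agency Internal CA"},
}

# CT log entries as a monitor would report them (constructed).
CT_ENTRIES = [
    {"names": ["agency.example", "www.agency.example"],
     "issuer": "Agency Internal CA", "logged": "2019-01-10"},
    {"names": ["portal.agency.example"],
     "issuer": "Example Public CA", "logged": "2019-01-20"},
]


@dataclass
class Finding:
    domain: str
    rtype: str
    kind: str   # "unexpected": served but not in baseline; "missing": the reverse
    value: str


def audit_dns(baseline, observed):
    """Compare observed record sets to the baseline, per zone and record type."""
    findings = []
    for domain, expected_types in baseline.items():
        seen_types = observed.get(domain, {})
        for rtype, expected in expected_types.items():
            seen = set(seen_types.get(rtype, set()))
            for value in sorted(seen - expected):
                findings.append(Finding(domain, rtype, "unexpected", value))
            for value in sorted(expected - seen):
                findings.append(Finding(domain, rtype, "missing", value))
    return findings


def zone_for(name, zones):
    """Return the longest monitored zone that `name` equals or sits under."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def audit_ct(expected_issuers, entries):
    """Flag CT entries covering a monitored name but issued by an unexpected CA."""
    flagged = []
    for entry in entries:
        for name in entry["names"]:
            zone = zone_for(name, expected_issuers)
            if zone and entry["issuer"] not in expected_issuers[zone]:
                flagged.append((name, entry["issuer"], entry["logged"]))
    return flagged


if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        print(f"DNS  {f.domain:24} {f.rtype:3} {f.kind:10} {f.value}")
    for name, issuer, logged in audit_ct(EXPECTED_ISSUERS, CT_ENTRIES):
        print(f"CT   {name:24} unexpected issuer {issuer!r} logged {logged}")
```

Run against the constructed data it reports the rogue MX host, the changed portal address (both as an unexpected value and as the missing expected one) and one certificate for `portal.agency.example` from a CA the agency does not use. A real deployment would run the DNS comparison on a schedule and against every authoritative server by IP rather than through a recursive resolver, so that a change on a single secondary is not masked by a cached answer.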

The directive comes after DHS and private threat intelligence firm FireEye issued previous warnings about the campaign earlier this month. The FireEye post said the campaign involved "dozens" of domains throughout North America, Europe, North Africa and the Middle East, affecting governments, telecommunications companies and internet infrastructure entities.

FireEye's analysis did not make a formal attribution, but expressed "moderate confidence" that the activity was linked to groups based out of Iran, with some of the IP addresses tracked being used in a previous campaign attributed to Iranian cyber espionage actors. The DHS letter and alert do not mention Iran or provide any information regarding attribution.

CyberScoop first reported on the impending directive shortly before it was publicly released.