Federal networks escaped harm in DNS tampering campaign, official says

A DHS official said there are still "a handful" of agencies who have yet to fully comply with a January 2019 emergency directive on DNS tampering and gave insight on a budget request for new tech to detect such threats earlier.

data scan (Titima Ongkantong/Shutterstock.com)

A Department of Homeland Security official said there are still "a handful" of federal agencies left who have yet to fully comply with a January 2019 emergency directive on DNS tampering and provided further insight on a budget request for technology to provide earlier detection of such threats in the future.

At a Mar. 21 meeting of the Information Security and Privacy Advisory Board, Michael Duffy, Acting Deputy Director of the Federal Network Resilience Division, briefed members on the federal government's response to a two-year global DNS tampering campaign.

Duffy confirmed many elements of previous reporting by FCW on what DHS knew about the campaign and the extent of its impact on US government agencies during and immediately after the directive was issued. At the time, he said the department had inconclusive information from outside sources indicating traffic from some agency domains could have passed through compromised domains.

"We did hear from our industry partners that agency domains were swept up as part of a set of information that [indicated] 'I don't know, we see a couple .govs in there,'" said Duffy. "At the time, we didn't know if that meant they had been had or if they were just part of a set of domains that just went through the internet pipeline."

Duffy said the agency now believes no federal agencies were directly impacted by the campaign, echoing remarks made by Jeanette Manfra, Assistant Secretary of Cybersecurity at the Cybersecurity and Infrastructure Security Agency, who told FCW in February that the agency had no evidence indicating any federal domains had been hijacked.

However, he told the board that monitoring for DNS threats across agencies prior to the order was "inconsistent," and congressional staffers briefed on the matter shortly after the partial government shutdown ended said DHS officials told them they could not be certain agency domains had not been compromised at some point in the past.

In an interview after the briefing, Duffy said CISA is "confident with what agencies have given us" from historical logs since January to make the assessment.

He also provided the board with additional details on the origins of the emergency directive, saying the department was initially contacted by an unnamed hosting provider in early January 2019 who claimed their domains were being maliciously redirected. CISA reached out to industry partners and other organizations, who reported similar findings.

By Jan. 9, both Cisco Talos and FireEye had published research on a global DNS hijacking campaign affecting governments, telecoms and internet infrastructure entities on multiple continents, including North America. On Jan. 22, DHS issued its first-ever emergency directive, listing four action items for every civilian federal agency: audit internal DNS logs, change associated passwords, implement multifactor authentication and begin regularly monitoring Certificate Transparency logs.
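As an added example (not code from the article, DHS or CISA), the two monitoring items in the directive can be expressed as baseline checks: resolved DNS records diffed against a known-good snapshot, and Certificate Transparency entries for agency domains flagged when the issuing CA is not one the agency uses. Every domain, address, CA name and log entry below is constructed sample data.

```python
"""Checks over the two detection sources the directive names: agency DNS
records and Certificate Transparency logs. Added example, not code from the
FCW article or any CISA tool; every domain, address and CA below is constructed.
"""

# Known-good records an agency captures before an incident (constructed).
BASELINE = {
    "example-agency.gov": {
        "NS": {"ns1.example-agency.gov", "ns2.example-agency.gov"},
        "A": {"192.0.2.10"},
        "ISSUERS": {"Example Trusted CA"},  # CAs the agency actually uses
    },
}

# Records as resolved today (constructed): one NS and the A record changed.
OBSERVED = {
    "example-agency.gov": {
        "NS": {"ns1.example-agency.gov", "ns-unknown.example.net"},
        "A": {"198.51.100.7"},
    },
}

# Certificate Transparency entries for the domain (constructed).
CT_ENTRIES = [
    {"domain": "example-agency.gov", "issuer": "Example Trusted CA", "ts": "2019-01-05"},
    {"domain": "mail.example-agency.gov", "issuer": "Other CA", "ts": "2019-01-08"},
]

def dns_deviations(baseline, observed):
    """Return (domain, rrtype, values) for observed records absent from the baseline."""
    findings = []
    for domain, rrsets in observed.items():
        expected = baseline.get(domain, {})
        for rrtype, values in rrsets.items():
            extra = values - expected.get(rrtype, set())
            if extra:
                findings.append((domain, rrtype, sorted(extra)))
    return findings

def unexpected_certs(baseline, ct_entries):
    """Flag CT entries for a monitored domain or its subdomains issued by an unlisted CA."""
    flagged = []
    for entry in ct_entries:
        for domain, records in baseline.items():
            in_scope = entry["domain"] == domain or entry["domain"].endswith("." + domain)
            if in_scope and entry["issuer"] not in records["ISSUERS"]:
                flagged.append((entry["domain"], entry["issuer"], entry["ts"]))
    return flagged
```

A deployment would feed `OBSERVED` from periodic resolver queries and `CT_ENTRIES` from a CT log monitor; any non-empty result from either function is the early signal the directive's audit and CT steps are meant to surface.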

Duffy said there are only "a handful" of agencies left who have yet to complete all four requirements listed in the directive, most of whom are dealing with "external dependencies" on DNS providers and other partners that make it more difficult to implement multifactor authentication.

CISA is still looking for tools and services that would help it detect attempts to tamper with agency domains sooner. Its fiscal 2020 budget request seeks $4.4 million to procure a centralized DNS name resolution service.

Duffy told FCW that the parameters for what DHS wants the service to provide are still being sketched out, but that it would focus on tracking agency traffic after it leaves federal networks. Doing so could give the government the ability to detect malicious DNS tampering earlier than it would by monitoring Certificate Transparency and agency audit logs alone.

"It's really looking at the DNS egress side of things," Duffy said. "One of the things I mentioned [in the briefing] is that we didn't have the visibility that would have been beneficial to know what was happening, so this service would sit on top of traditional DNS and give us that level of visibility of the DNS traffic and where it's moving."