U.S. Government Warns of DNS Hijacking Risk

The DHS Cybersecurity and Infrastructure Security Agency gives U.S. government agencies 10 days to implement a series of actions to limit the risk of DNS hijacking attacks.


The U.S. government is warning of a potentially disastrous cyber-security attack targeting DNS infrastructure.

Domain Name System (DNS) is the technology that translates numerical Internet Protocol (IP) addresses into web domains, such as eWEEK.com. DNS servers direct traffic to the correct location for a given domain; the risk is that if DNS is tampered with, traffic can be misdirected, intercepted or blocked.

"In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering," DHS CISA warned. "CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them."

DHS has not publicly disclosed which agencies have been impacted by the DNS hijacking campaign. Several cyber-security firms including FireEye and Cisco Talos have been warning about the risks of a global DNS hijacking campaign. On Jan. 9, FireEye stated in a report that the campaign might have the backing of organizations in Iran.

The government isn't standing idly by while the attacks are happening. DHS CISA issued Emergency Directive 19-01 on Jan. 22, providing direction to U.S. government agencies on how to mitigate DNS infrastructure tampering. In a blog post on Jan. 24, Christopher Krebs, director of DHS CISA, explained the severity of the DHS hijacking campaign and why it triggered the emergency directive.

"This is the first Emergency Directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) under authorities granted by Congress in the Cybersecurity Act of 2015, and we took this action after carefully considering the current and potential risk posed to Federal agencies," Krebs wrote. "Using techniques that aren’t especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities."

How the Attack Works

According to the AA19-024A alert issued by US CERT on Jan. 24, the attackers behind the DNS hijacking campaign are using a basic attack method to get access to DNS infrastructure.

"The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records," US CERT warned.

Once the attacker has access to the DNS server, changes to the records for where websites and email servers are resolved are being made. There are multiple things that organizations can do to mitigate the risks of DNS server attacks. US-CERT is suggesting that as a first step in mitigating DNS highjacking attacks that organizations update the passwords for all accounts that are authorized to change DNS records. Additionally, it is recommended that all accounts that have access to DNS records have multifactor authentication enabled. With multifactor authentication, a second password or token is needed to gain access to a service.

DHS CISA has directed government agencies to take a series of steps over a 10-day period beginning on Jan. 22 to protect DNS. The first action that DHS requires is that organizations audit their DNS records to look for any abnormalities. Like US-CERT, DHS CISA also recommends that agencies change passwords and implement multifactor authentication. 

Finally, agencies are being advised to monitor certificate transparency (CT) logs. CT logging is an effort to help limit the risk of mis-issuance of SSL/TLS certificates that was originally launched by Google. With CT logs, all newly issued SSL/TLS certificates are posted to a CT logging server, such that organizations can check to see if a certificate was issued without proper authorization.

"Agencies shall immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA," DHS CISA stated.

DHS CISA has directed agencies to submit a status report on their compliance with implementing the actions required to help secure DNS by Jan. 25. Agencies are expected to submit a completion report on all the required actions by Feb. 5.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.