Multiple federal agencies hit by wave of possible Iran-linked cyberattacks

By Tyler Sonnemaker
Medill Reports

The Department of Homeland Security last week instructed all federal civilian agencies to take immediate actions to address “significant and imminent risks to agency information and information systems” resulting from an ongoing wave of cyberattacks.

In an emergency directive issued Jan. 22, DHS’ Cybersecurity and Infrastructure Security Agency said it is aware of “multiple executive branch agency domains” impacted by the campaign and has notified the agencies that maintain them.

FireEye, a cybersecurity firm based in California, indicated it had identified attacks that affected at least 50 government, telecommunications and internet infrastructure entities globally on an “almost unprecedented scale,” according to a company blog post published Jan. 9.

FireEye’s initial analysis of the attackers’ techniques and targets suggests a likely connection to Iran, according to the blog post.

A CISA spokesperson said that the agency has not yet made its own determination regarding the source of the attacks.

FireEye senior manager Ben Read said that the firm had been monitoring the activity and “wanted more details before going public, but the impact was so widespread that we felt the need to do so.”

Both the FireEye blog post and the CISA directive said that the attackers abused the Domain Name System, a fundamental part of the internet that functions much like a phone book but was not designed to authenticate the answers it gives. When a user types in a website address (e.g. https://www.dhs.gov), their browser asks a DNS resolver about the site’s host name; the resolver looks that name up in the domain’s DNS records and returns the numerical IP address that the browser then connects to.

Using stolen login credentials for the accounts that manage those records, the hackers were able to change the DNS records for target sites so that the names resolved to IP addresses they controlled. Traffic between users and agency sites was then routed through attacker-controlled servers, where it could be monitored or manipulated before being passed along to the intended destination.

Because certificate authorities check control of a domain through its DNS records, control of those records also let the attackers obtain valid encryption certificates for the sites. Their interception servers could present those certificates, so browsers raised no warning, the attackers could read the intercepted traffic in the clear, and users had little way to detect the malicious activity.

To minimize further exposure, the CISA directive requires agencies to audit their DNS records against what they expect them to be, change the passwords of accounts that can modify DNS records, add multi-factor authentication to those accounts, and monitor Certificate Transparency logs for certificates issued for agency domains that the agency did not request. CISA said it would begin delivering to agencies the newly logged certificates for their domains.

The directive states that agencies have until Feb. 5 to complete these actions, which could prove challenging as employees return to a backlog of work following the partial government shutdown.

According to Lee Neubecker, president and CEO of Chicago-based cybersecurity firm Great Lakes Forensics, this type of tampering would have been substantially more difficult had the sites configured a security measure called Domain Name System Security Extensions, or DNSSEC, which lets resolvers verify that DNS answers were signed by the zone’s owner.

“There needs to be more accountability for agencies that don’t have DNS[SEC] enabled,” Neubecker said, noting that he has attempted in the past to notify agencies about improperly secured domains, but hasn’t always received responses.

CISA has not disclosed which agencies have been impacted or what information might be compromised, but stated in the directive that it is continuing to monitor the situation “in coordination with government and industry partners.”

Photo at top: Multiple federal agencies were impacted by a wave of cyberattacks that hijacked traffic by manipulating the DNS records that map site names to IP addresses. (Image courtesy of SparkFun Electronics/FLICKR under CC-BY 2.0)