The Washington Post

DHS issues emergency order to civilian agencies to squelch cyber-hijacking campaign that private analysts say could be linked to Iran

Secretary of Homeland Security Kirstjen Nielsen’s department on Tuesday directed all non-national-security agencies to take steps to protect their networks against a cyber-hijacking campaign believed to be linked to Iran. (Jonathan Ernst/Reuters)

The Department of Homeland Security on Tuesday issued an emergency directive to all non-national-security agencies requiring them to take steps to protect their networks against a cyber-hijacking campaign that private-sector researchers suggest may be linked to Iran.

According to a directive issued by Christopher Krebs, head of the DHS Cybersecurity and Infrastructure Security Agency, attackers have affected “multiple executive branch” agencies by redirecting and intercepting Web and email traffic.

No intelligence, Defense Department or classified networks were affected, U.S. officials said.

However, according to one U.S. official, only one civilian agency so far has been verified to have had its email traffic redirected. But it is not clear how much traffic was affected and how many other agencies have also seen their data hijacked.

“There is still a whole lot of data that needs to be crunched to determine impact,” said one senior official, who spoke on the condition of anonymity because of the matter’s sensitivity.

“The issue is that this is potentially bad,” the official said.

DHS is one of a number of agencies affected by the partial government shutdown. Though key operational cybersecurity personnel are working without pay, most support staff have been furloughed, making administrative tasks more difficult to manage, officials said.

The hijacking campaign targets a basic but little-known part of the Internet known as the “Domain Name System” (DNS), which translates Web or domain names, such as those of websites and mail servers, into the IP addresses that computers actually connect to. To execute it, the attacker gains control of the records an organization publishes in the DNS and covertly changes one so that the name resolves to an IP address the attacker controls. The attacker’s server then relays the connection to the legitimate destination, so log-in data or email entered by a user passes through the hacker’s machine before being forwarded on, and the user sees nothing wrong.

Krebs ordered agencies to take several steps within the next 10 days, including auditing their DNS records to see whether they resolve to the intended location or IP address and strengthening password security for all users who are able to make changes to DNS records.
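The first of those steps, checking whether each DNS record still resolves to the intended location, amounts to comparing the records a zone now serves with the records the agency believes it published. The script below is an added example written for this article, not code from DHS, Cisco or FireEye; the zone names, address blocks and record lines in it are constructed. It parses dig-style record lines for both the inventory’s view and a resolver’s view, reports every difference, ranks each by what the record type lets an attacker do (a changed NS delegation hands over the whole zone, while a changed MX or A record reroutes mail or log-in traffic in the way described above), and flags any address outside the agency’s own address space. In practice the observed side would be queried from a resolver outside the agency’s network and from each authoritative server, and the comparison repeated, since records can be changed back once the attacker has what they want.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not DHS, Cisco or FireEye code. Zone names, address blocks and
# record lines are constructed; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges used here as stand-ins for real allocations.
OWN_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),   # space the agency owns
                 ipaddress.ip_network("198.51.100.0/24")]

# What silently changing each record type lets an attacker do.
SEVERITY = {
    "NS": "critical",  # delegation hijacked: attacker answers for the whole zone
    "MX": "high",      # inbound mail relayed through the attacker's server
    "A": "high",       # web and log-in traffic proxied through the attacker
    "AAAA": "high",
    "CNAME": "high",
    "TXT": "medium",   # e.g. SPF altered to authorise the attacker's senders
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str                     # "missing", "unexpected" or "changed"
    severity: str
    expected: frozenset
    observed: frozenset
    outside_own_space: frozenset  # observed addresses not in OWN_NETBLOCKS

def _fqdn(name):
    """Lower-case a name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def parse_records(text):
    """Parse presentation-format lines ('name ttl IN type rdata'), as dig or a
    zone dump print them, into {(name, type): set(rdata)}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        name, rtype, rdata = _fqdn(parts[0]), parts[3].upper(), parts[4:]
        if rtype in ("NS", "CNAME", "MX"):         # last token is a host name
            rdata[-1] = _fqdn(rdata[-1])
        records.setdefault((name, rtype), set()).add(" ".join(rdata))
    return records

def _foreign_addresses(rtype, rdata):
    """Addresses in an A/AAAA record set that fall outside OWN_NETBLOCKS."""
    if rtype not in ("A", "AAAA"):
        return frozenset()
    return frozenset(a for a in rdata
                     if not any(ipaddress.ip_address(a) in n for n in OWN_NETBLOCKS))

def audit(expected, observed):
    """One Finding per (name, type) whose served records differ from the
    inventory, most severe first. Identical record sets produce nothing."""
    findings = []
    for name, rtype in sorted(set(expected) | set(observed)):
        exp = frozenset(expected.get((name, rtype), ()))
        obs = frozenset(observed.get((name, rtype), ()))
        if exp == obs:
            continue
        kind = "missing" if not obs else "unexpected" if not exp else "changed"
        findings.append(Finding(name, rtype, kind, SEVERITY.get(rtype, "low"),
                                exp, obs, _foreign_addresses(rtype, obs)))
    return sorted(findings, key=lambda f: (RANK[f.severity], f.name, f.rtype))

# The inventory's view of the zone (constructed) ...
EXPECTED = parse_records("""
agency.example.       3600 IN NS  ns1.agency.example.
agency.example.       3600 IN NS  ns2.agency.example.
agency.example.       3600 IN MX  10 mail.agency.example.
www.agency.example.    300 IN A   192.0.2.10
mail.agency.example.   300 IN A   192.0.2.25
""")

# ... and what a resolver outside the agency network answered: a third name
# server has been slipped into the delegation and mail now resolves to an
# address the agency does not own.
OBSERVED = parse_records("""
agency.example.       3600 IN NS  ns1.agency.example.
agency.example.       3600 IN NS  ns2.agency.example.
agency.example.       3600 IN NS  ns.intercept.example.  ; attacker-run (constructed)
agency.example.       3600 IN MX  10 mail.agency.example.
www.agency.example.    300 IN A   192.0.2.10
mail.agency.example.   300 IN A   203.0.113.45
""")

if __name__ == "__main__":
    for f in audit(EXPECTED, OBSERVED):
        print(f"[{f.severity}] {f.kind}: {f.name} {f.rtype} "
              f"expected={sorted(f.expected)} observed={sorted(f.observed)}"
              + (f"  <- outside agency address space: {sorted(f.outside_own_space)}"
                 if f.outside_own_space else ""))
```

Run against the constructed data, the script reports the extra name server as critical and the rerouted mail host as high, the two changes that would let an outsider answer for the zone or sit in the path of its email. The audit only shows whether a change has already happened; the directive’s other step, stronger password security for everyone able to edit DNS records, is aimed at how the records get altered in the first place.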

“Overall, this [DNS hijacking] cannot be allowed to continue,” the official said.

The campaign was first spotted last fall by private-sector firms such as Cisco and FireEye, which detected malicious DNS activity in the Middle East.

Cisco’s Talos Intelligence Group saw a campaign targeting Lebanon and the United Arab Emirates affecting government websites and a private Lebanese airline company. FireEye’s Mandiant intelligence team identified a wave of DNS hijacking targeting dozens of domains belonging to government, telecommunications and Internet infrastructure entities across the Middle East, North Africa, Europe and North America.

“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran,” FireEye said in a blog post this month.

The attackers have targeted ministries of foreign affairs, energy ministries, and police and military organizations in the Middle East, the firm said.

The firm has tracked related episodes of DNS hijacking dating to January 2017 in the Middle East.

The campaign’s goal appears to be traditional espionage — to siphon potentially all the emails or user traffic and credentials of a targeted agency, said Ben Read, a FireEye senior manager. If Iran is behind the campaign, he said, it “would want to know what the foreign ministries in the Gulf are deciding.”

The campaign is notable for its breadth, he said.

“I don’t think we’ve seen such an operation at this scale,” he said. “We found at least 50 different organizations affected across at least 12 countries — and that’s just what we’ve found so far.”

It’s also notable because it seizes information when it is transiting outside a user’s network, he said. “No anti-virus is going to flag on this. Your firewalls aren’t going to block this,” he said.

FireEye documented operators connecting from Iranian IP addresses to the machines used to intercept, record and forward network traffic. These IP addresses were previously linked to an intrusion attributed to hackers working on behalf of the Iranian government, the firm said.

In December, the firm detected activity in the United States targeting telecom companies that operate the Internet backbone.