The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on January 22 to address ongoing incidents associated with global Domain Name System (DNS) infrastructure tampering.
CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.
On January 9, FireEye blogged that its Mandiant Incident Response and Intelligence teams had identified a wave of DNS hijacking that affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.
FireEye’s blog post states: “While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.”
The CISA directive requires Federal agencies to take specific steps, and to follow its reporting procedures, to mitigate risks from undiscovered tampering, prevent illegitimate DNS activity, and detect unauthorized certificates, all by February 5. Agencies must audit their DNS records, change the passwords on DNS accounts, add multi-factor authentication to those accounts, and monitor certificate transparency logs. Before that deadline, CISA requires an initial status report from each agency by the end of January 25. Given the partial government shutdown, CISA will work with department chief information officers at agencies that cannot meet the deadline.
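Two of the required steps, auditing DNS records and watching certificate transparency logs, come down to comparing what is observed against what the zone owner expects. The script below is an added example, not code from the article or from the CISA directive: it diffs observed records against an offline baseline and flags CT entries for monitored names that an unapproved issuer signed. The zone, addresses and issuer names are constructed placeholders so it runs offline.

```python
"""Added example (not from the article or the CISA directive) showing two of the
required checks: (1) audit published DNS records against an offline baseline,
(2) flag certificate-transparency entries for monitored names that were not
issued by an approved CA. All inputs below are constructed samples (assumed
placeholder zone example-agency.test), so the script runs offline."""
from typing import Dict, List, Set, Tuple

RecordSet = Dict[Tuple[str, str], Set[str]]  # (owner name, type) -> data values
CTEntry = Dict[str, object]                  # {"names": [SANs], "issuer": str}

def audit_records(baseline, observed):
    """Return (name, type, missing, unexpected) for every record set that drifted.
    A hijack shows up as NS/A/MX data the zone owner never published."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, seen = baseline.get(key, set()), observed.get(key, set())
        if expected != seen:
            findings.append((key[0], key[1], expected - seen, seen - expected))
    return findings

def unexpected_certs(entries, monitored, approved_issuers):
    """Return CT entries covering a monitored name but issued by a CA the
    organisation does not use; a wildcard SAN covers exactly one extra label."""
    def covers(san, name):
        if san.startswith("*."):
            return name.endswith(san[1:]) and name.count(".") == san.count(".")
        return san == name
    return [e for e in entries
            if e["issuer"] not in approved_issuers
            and any(covers(san, n) for san in e["names"] for n in monitored)]

# Constructed sample data; example-agency.test is a placeholder, not a real zone.
BASELINE: RecordSet = {
    ("example-agency.test.", "NS"): {"ns1.example-agency.test.", "ns2.example-agency.test."},
    ("mail.example-agency.test.", "A"): {"192.0.2.10"},
}
OBSERVED: RecordSet = {
    ("example-agency.test.", "NS"): {"ns1.example-agency.test.", "ns2.example-agency.test."},
    ("mail.example-agency.test.", "A"): {"198.51.100.7"},  # repointed elsewhere
}
CT_ENTRIES: List[CTEntry] = [
    {"names": ["mail.example-agency.test"], "issuer": "Approved CA"},
    {"names": ["*.example-agency.test"], "issuer": "Some Other CA"},
]

if __name__ == "__main__":
    for name, rtype, missing, extra in audit_records(BASELINE, OBSERVED):
        print(f"DRIFT {rtype} {name}: missing={sorted(missing)} unexpected={sorted(extra)}")
    for e in unexpected_certs(CT_ENTRIES, {"mail.example-agency.test"}, {"Approved CA"}):
        print(f"CERT from {e['issuer']} covering {e['names']}")
```

In practice the observed set comes from querying the authoritative servers and the CT entries from a log monitor feed; the baseline should be kept somewhere the DNS account credentials cannot reach.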