Report: Iran Is Likely Setting Stage for International Phishing Campaign


Iranian President Hassan Rouhani (Iranian Presidency Office/AP)


Hackers have been methodically gaining access to domain name services that allow malware-laden emails to look like they come from legitimate organizations.

Phishing attacks only work when the target takes the bait. The email containing the link or attachment that will compromise the target’s computer has to look legitimate, from a recognizable domain. A new report says that someone — likely Iran — has been hijacking domains related to entities across the Middle East and North America, which could allow Iran to launch more, and more successful, cyber attacks.

Issued Thursday by cybersecurity company FireEye, the report says actors are using various techniques to hijack Domain Name System, or DNS, functions, allowing them to make phony emails appear legitimate.

“The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value,” the researchers write. “A large number of organizations have been affected by this pattern of DNS record manipulation…They include telecoms and [Internet service providers], internet infrastructure providers, government and sensitive commercial entities.”

Citing “preliminary technical evidence,” the report concludes “with moderate confidence” that people in Iran are behind the DNS hacks — which likely means the government, since the activity “aligns with Iranian government interests.”

The researchers, who have been tracking bursts of DNS-hacking activity since January 2017, say the attackers either use stolen passwords to log into a target domain’s administrative panel or exploit known bugs to gain access to domain name registrars (such as GoDaddy) that manage domains for customers. Having gained access, they change the domain’s DNS records to redirect its traffic.
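Because the attack described above works by silently rewriting a domain’s records, the practical defence is to keep a known-good copy of your zone and alert on any drift. The script below is an added illustration of that check, not code from the article or from FireEye’s report; both zone snapshots are constructed sample data, and the host names, addresses and the “attacker.invalid” label are placeholders rather than real indicators.

```python
"""Detect drift in a domain's DNS records against a known-good baseline.

Added example (not from the article or FireEye). Both zone snapshots below are
constructed sample data; none of the names or addresses are real indicators.
"""
from dataclasses import dataclass

# Known-good records an organization has verified (constructed sample).
BASELINE_ZONE = """
example.org.      3600 IN A  203.0.113.10
example.org.      3600 IN MX 10 mail.example.org.
mail.example.org. 3600 IN A  203.0.113.25
example.org.      3600 IN NS ns1.example.org.
example.org.      3600 IN NS ns2.example.org.
"""

# A later snapshot, constructed to show one manipulation pattern: a new
# higher-priority MX pointing elsewhere, and the mail host's A record changed.
OBSERVED_ZONE = """
example.org.      3600 IN A  203.0.113.10
example.org.      3600 IN MX 10 mail.example.org.
example.org.      300  IN MX 5 mx.attacker.invalid.
mail.example.org. 300  IN A  198.51.100.77
example.org.      3600 IN NS ns1.example.org.
example.org.      3600 IN NS ns2.example.org.
"""


@dataclass(frozen=True)
class Drift:
    """One (name, type) pair whose record set differs from the baseline."""
    name: str
    rtype: str
    added: frozenset
    removed: frozenset


def parse_zone(text):
    """Parse 'name TTL class TYPE rdata' lines into {(name, type): set(rdata)}.

    TTLs are ignored so that a TTL-only change does not count as drift.
    """
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        name, _ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        records.setdefault((name, rtype.upper()), set()).add(rdata)
    return records


def diff_records(baseline, observed):
    """Return a sorted list of Drift entries for every record set that changed."""
    drifts = []
    for key in sorted(set(baseline) | set(observed)):
        before = frozenset(baseline.get(key, ()))
        after = frozenset(observed.get(key, ()))
        if before != after:
            name, rtype = key
            drifts.append(Drift(name, rtype, after - before, before - after))
    return drifts


def severity(drift):
    """Rank drift by how directly it lets an attacker redirect traffic or mail."""
    if drift.rtype == "NS":
        return "critical"  # delegation itself moved: attacker controls the zone
    if drift.rtype in ("A", "AAAA", "CNAME", "MX"):
        return "high"  # web or mail traffic can be redirected or intercepted
    return "medium"


def report(baseline_text, observed_text):
    """Produce one human-readable line per drifted record set."""
    drifts = diff_records(parse_zone(baseline_text), parse_zone(observed_text))
    return [
        f"[{severity(d)}] {d.name} {d.rtype}: added={sorted(d.added)} removed={sorted(d.removed)}"
        for d in drifts
    ]


if __name__ == "__main__":
    for line in report(BASELINE_ZONE, OBSERVED_ZONE):
        print(line)
```

In practice the observed snapshot would come from querying several resolvers (and the registrar’s own panel) on a schedule; a drift in NS or MX records is the case to page on, since that is exactly what lets mail be routed through, and sent from, infrastructure the organization does not control.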

The cybersecurity community doesn’t consider Iranian hackers to be as sophisticated or effective as Russia’s, and certainly not China’s. But Iranian attacks have been effective against targets that don’t use best cybersecurity practices, such as two-factor authentication. Researcher Collin Anderson, in a 2018 Carnegie Report on Iranian hacking activity, wrote, “Just as Russia’s compromise of Democratic Party institutions during the 2016 U.S. presidential election demonstrated that information warfare can be conducted through basic tactics, Iran’s simple means have exacted sometimes enormous political and financial costs on unsuspecting adversaries…The same Iranian actors responsible for espionage against the private sector also conduct surveillance of human rights defenders. These attacks on Iranian civil society often foreshadow the tactics and tools that will be employed against other targets and better describe the risks posed by Iranian cyber warfare.”

And a phishing attack only needs to fool one person to penetrate an entire organization. The Russian intelligence units that attacked the DNC in 2016 — and before that, the State Department, White House, and the Department of Defense — used malware that could hop from node to node within a large network, allowing the theft of massive amounts of data.