What Are DNS Hijacking Attacks and How to Stop Them?
More often than not, people associate DNS hijacking attacks with highly sophisticated, state-sponsored hackers who break their way into the systems of organizations with a national-security level of importance. It's not something you'd connect to a hoodie-wearing teenager hacking away from the comfort of his mother's basement. But is it really that hard to pull off? To answer this question, we need to figure out how a DNS hijacking attack works, but before we can do that, we must first learn what DNS is.
What is DNS?
DNS stands for Domain Name System, and you won't be far off if you say that it's one of the things that make the internet go around. You can think of DNS as the operators in the telephone exchanges of the late 19th and early 20th centuries.
In basic terms, browsing a website means accessing a collection of files stored on a server, and before your browser can read them, it needs to know where that server is. The Domain Name System holds that information. Every time you want to visit a particular website, you enter its domain name into the address bar, your browser sends a query to the DNS, and the system responds with the IP address of the one server, out of the millions connected to the internet at any given time, that holds the information you're looking for. You can probably see already how badly things could go wrong if the DNS is compromised.
How do hackers break DNS?
If a domain name is to work, it needs to have its DNS settings properly configured. The DNS settings are, in essence, a collection of records that serve different purposes. The so-called "A record", for example, contains the IP address of the server on which the website's files are located, and the "MX record" names the mail servers responsible for handling email for the domain.
Typically, only the domain's owner (also known as the registrant) has access to these settings, through an administration panel provided by the organization that sold the domain (usually the registrar).
Sometimes, however, cybercriminals manage to get access to the DNS settings, and when they do, they can modify any of the records and carry out a variety of malicious activities. They can, for example, change the A record and point the domain to a server that they control. This way, everyone who tries to visit the targeted website ends up on the crooks' server, where they could be served malware or unwanted ads. If the criminals set up a convincing-looking phishing page on the malicious server, they can easily harvest login credentials, and chances are, users would be none the wiser because the URL they see in the address bar would be the correct one. These are just some of the opportunities DNS hijacking offers.
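Because a hijack shows up as A or MX records pointing somewhere the owner never provisioned, the owner can catch it by periodically comparing what resolvers return against a trusted baseline. The checker below is an added example, not code from the article or from Cisco; the zone-file style lines, domain names and IP addresses are constructed for illustration.

```python
# Added example: compare a domain's published DNS records against a trusted
# baseline and flag A/MX drift, the usual fingerprint of a hijacked zone.
from collections import defaultdict
WATCHED_TYPES = {"A", "AAAA", "MX", "NS"}  # record types worth alerting on


def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines into {(name, type): set(rdata)}.
    TTL and class are ignored so a harmless TTL tweak does not raise an alert."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {raw!r}")
        name, _ttl, _cls, rtype = fields[:4]
        if rtype.upper() in WATCHED_TYPES:
            key = (name.lower().rstrip("."), rtype.upper())
            records[key].add(" ".join(fields[4:]).lower())
    return records


def find_drift(baseline_text, observed_text):
    """Return sorted (name, type, status, rdata) tuples for every difference:
    UNEXPECTED = served by resolvers but absent from the baseline,
    MISSING    = in the baseline but no longer served."""
    baseline = parse_records(baseline_text)
    observed = parse_records(observed_text)
    drift = []
    for key in sorted(set(baseline) | set(observed)):
        seen, expected = observed.get(key, set()), baseline.get(key, set())
        drift += [(*key, "UNEXPECTED", r) for r in sorted(seen - expected)]
        drift += [(*key, "MISSING", r) for r in sorted(expected - seen)]
    return drift


# Constructed sample: what the owner provisioned...
BASELINE = """
example.com.  3600 IN A  203.0.113.10
example.com.  3600 IN MX 10 mail.example.com.
"""
# ...versus what resolvers return after the records were rewritten.
OBSERVED = """
example.com.  300  IN A  198.51.100.77          ; no longer the owner's host
example.com.  3600 IN MX 10 mail.example.com.
example.com.  3600 IN MX 5 mx.unknown.example. ; mail also routed elsewhere
"""
if __name__ == "__main__":
    for name, rtype, status, rdata in find_drift(BASELINE, OBSERVED):
        print(f"{status:<10} {name} {rtype} {rdata}")
```

In practice the observed text would come from querying several independent resolvers, since an attacker who only poisoned one cache would not show up in a single vantage point.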
As we mentioned already, the diversity of possibilities makes DNS hijacking perfect for the so-called Advanced Persistent Threat (APT) groups who are after high-profile targets. But does this mean that pulling off a DNS hijacking attack is particularly hard?
Is DNS hijacking reserved for spies and state-sponsored hackers?
Cisco's Talos team recently reported on a DNS hijacking campaign which they called Sea Turtle. The campaign started in early 2017 and continued through to the first quarter of this year. It targeted government, military, and industrial organizations in the Middle East and North Africa, and Cisco's researchers think that a highly motivated group of state-sponsored actors is responsible for it.
As the experts point out, the people behind Sea Turtle appear to be especially brazen, and some of the techniques they've used are quite clever. None of them are related to the actual DNS hijacking, though.
Cisco noted that the Sea Turtle hackers gained access to the targeted domains' DNS settings by compromising either the domains' owners or the registrars. Initial access came either from exploiting known code injection or code execution vulnerabilities or from spearphishing emails. Once they had the right credentials, modifying the DNS settings was not that difficult.
In other words, a successful DNS hijacking attack isn't dependent on a high level of sophistication or solid financial backing. In much the same way, there's nothing too special you can do to protect your domain's DNS settings. Just patch your software regularly, use strong passwords, and make sure you don't click any random links in emails.