January 24, 2019

US Issues Emergency Directive over DNS Hijacking Amid Shutdown

The Department of Homeland Security has demanded an audit due within 10 days

By CBR Staff Writer

The US’s recently established Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring “immediate action to protect Federal information systems from ongoing DNS hijacking and tampering activities.”

The announcement by Director Chris Krebs comes after the agency – set up last year to lead national efforts to defend critical infrastructure – was alerted to ongoing DNS hijacking and tampering activities by US cybersecurity company FireEye.

It follows a Department of Homeland Security alert based on a FireEye report that detailed a coordinated DNS hijacking campaign, during which a group believed to operate out of Iran had manipulated DNS records for government agencies.

The DHS has demanded four actions.


1: Audit DNS Records: “Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.”

2: Change DNS Account Passwords: “Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency’s DNS records.”

3: Add Multi-Factor Authentication to DNS Accounts: Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency’s DNS records.

4: Monitor Certificate Transparency Logs: “Within 10 business days, CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains, via the Cyber Hygiene service.”
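The first action is essentially a differential audit: compare what every authoritative and secondary server answers for each record with the intended value and report any drift. The script below is an added illustration, not CISA's or FireEye's tooling; the baseline and the per-server answers are constructed sample data, and a real audit would fill `observed` by querying each server (for example with dnspython) instead of hard-coding it.

```python
"""Baseline-vs-observed DNS audit (constructed example, not agency data)."""
from typing import Dict, List, Set, Tuple

# (name, type) -> intended set of values, i.e. the "intended location"
Baseline = Dict[Tuple[str, str], Set[str]]
# server -> the answers that server actually returned for those records
Observed = Dict[str, Baseline]

# Constructed sample baseline for a hypothetical zone.
BASELINE: Baseline = {
    ("example.gov.", "A"): {"203.0.113.10"},
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("mail.example.gov.", "A"): {"203.0.113.25"},
}

# Constructed answers: the primary agrees with the baseline, while the
# secondary serves an extra NS and a different address for the mail host,
# the kind of change the audit is meant to surface.
OBSERVED: Observed = {
    "ns1.example.gov.": dict(BASELINE),
    "ns2.example.gov.": {
        ("example.gov.", "A"): {"203.0.113.10"},
        ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov.",
                                 "ns.unexpected.example."},
        ("mail.example.gov.", "A"): {"198.51.100.7"},
    },
}


def audit(baseline: Baseline, observed: Observed) -> List[str]:
    """Return one finding per (server, record) that deviates from the baseline.

    Every baseline record is checked on every server, so a record a server
    fails to answer is reported as missing, and any values not in the baseline
    (an unexpected NS or A value) are listed explicitly for the report to CISA.
    """
    findings: List[str] = []
    for server, answers in sorted(observed.items()):
        for (name, rtype), intended in sorted(baseline.items()):
            got = answers.get((name, rtype))
            if got is None:
                findings.append(f"{server}: {name} {rtype} missing "
                                f"(expected {sorted(intended)})")
            elif got != intended:
                extra, lost = sorted(got - intended), sorted(intended - got)
                findings.append(f"{server}: {name} {rtype} mismatch: "
                                f"unexpected={extra} missing={lost}")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, OBSERVED) or ["no deviations from baseline"]:
        print(line)
```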

Fixing DNS Hijacking: Not Easy During a Government Shutdown…

Furloughed staff are understood to be being recalled, but they may not be paid owing to the government shutdown. Krebs said: “Though we recognize that some agencies may have challenges implementing the directive during the ongoing partial government shutdown, we believe these actions are necessary, urgent, and implementable as most agencies are adequately staffed to take the necessary actions.”

He added: “The American public should never have to question the security of their interactions with the federal government, whether their sensitive data is at risk, or that the information they rely on from the Government may have been tampered with.”

FireEye said of the attacks: “This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization’s network. Some steps to harden your organization include: Implement multi-factor authentication on your domain’s administration portal; validate A and NS record changes; search for SSL certificates related to your domain and revoke any malicious certificates; validate the source IPs in OWA/Exchange logs; conduct an internal investigation to assess if attackers gained access to your environment.”
