Cybersecurity

Security firm says worldwide cyber campaign targeting dozens of domains linked to Iran

A hacking campaign linked to Iran appears to be targeting dozens of domains across the globe by way of domain name system (DNS) hijacking, a security firm said Thursday.

The cyber firm FireEye said the campaign has spread across the Middle East and North Africa, Europe and North America, affecting domains associated with governments as well as telecommunications and internet infrastructure entities.

“Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests,” the company said in a blog post.

“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran,” it added. 

{mosads}FireEye said it based the determination on Iranian IP addresses that were “previously observed during the response to an intrusion attributed to Iranian cyber espionage actors” as well as the victims impacted by the campaign.

“The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value,” it said.

However, the company did note it may not be a single threat actor carrying out these DNS hijackings, in which the resolution of domain name system queries are subverted.

“This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success,” it added.

The firm’s research team says the hacking tactics observed in this case differ from other Iranian activity.

“It is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways,” the blog post reads.

Iran’s cyber activity gained increased scrutiny ahead of the 2018 midterm elections, after Facebook announced that it shuttered hundreds of pages tied to foreign governments. Many of the pages — as well as accounts shut down on Twitter and Google — linked to the government of Iran, Facebook said.

FireEye first flagged the suspicious accounts to Facebook, and determined that certain accounts that had been sharing links to stories from a news site were fake. 

Some experts and lawmakers said at the time that Iran may have been motivated to interfere with political campaigns in the U.S. following President Trump’s decision to pull out of the Obama-era nuclear deal with Tehran and the planned reimposition of sanctions.