The attackers do not penetrate the networks of the attacked organizations; instead, they change the DNS records of their mail servers.
FireEye specialists have discovered an extremely sophisticated cybercrime campaign in which a hacker group (presumably from Iran) routes the traffic of companies around the world through its own servers, recording corporate credentials for use in further attacks.
The victims of cybercriminals were telecommunications companies, Internet service providers, government agencies and commercial organizations in the countries of the Middle East, North Africa, Europe and North America.
Although FireEye suspects Iranian actors, it is still too early to say with certainty who is behind the attacks. According to the researchers, the attackers were not seeking financial gain, but the targets being attacked are clearly of interest to the Iranian government. In addition, in one case the victim's networks were accessed from an Iranian IP address already familiar to FireEye from previous attacks involving Iranian cyber spies.
According to the experts' report, the attacks have been going on since at least January 2017. Unlike most cyber-espionage groups, the attackers do not use targeted phishing to collect victims' credentials. Instead, they modify the DNS records of the company's IT resources in order to redirect its traffic and intercept the part of it that interests them most.
In total, the group uses three different techniques. The first is to change the DNS records of the attacked organization's mail server. The second technique differs from the first only in where exactly the DNS records are modified: in the first case the attackers change the DNS A records through an account at the managed DNS provider, in the second case the NS records through an account at the domain name provider.
The third technique is used in some cases as an additional step for the first two. It involves deploying an “attacker operation window” that answers DNS queries for the hijacked DNS records. If a DNS query for the company's mail server comes from a source inside the corporate network, the user is redirected to the attacker-controlled server; queries from sources outside the corporate network are passed straight to the company's real mail server.
All three techniques rely on the attackers' ability to modify DNS records, something only a few people in a company can normally do. According to the researchers, such attacks are very difficult to defend against, since in most cases the attackers never penetrate the internal networks of the attacked organizations, so security solutions there are never triggered.
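Because the intrusion never touches the internal network, the only place the three techniques leave a trace is in DNS answers themselves. The following is an added example, not code from the article or from FireEye: it pins the A, MX and NS records of monitored names to a baseline and flags two patterns, a record that no longer matches the baseline (records changed at the DNS provider or at the domain name provider) and a name whose answer differs between an internal and an external resolver (the third technique, where only queries from inside the corporate network are redirected). All names, addresses and snapshots are constructed sample data.

```python
"""Added example: detecting the DNS hijack patterns described in the article.
Not the article's or FireEye's code; all record data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]           # (owner name, record type)
Snapshot = Dict[RecordKey, Set[str]]  # answer set per (name, type)

# Pinned baseline, maintained by the people who legitimately manage DNS (constructed).
BASELINE: Snapshot = {
    ("mail.example.com", "A"):  {"198.51.100.10"},
    ("example.com", "MX"):      {"10 mail.example.com."},
    ("example.com", "NS"):      {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    reason: str


def diff_against_baseline(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Techniques 1 and 2: an A record changed at the DNS provider or an NS record
    changed at the domain name provider shows up as an answer set that no longer
    matches the pinned baseline. A missing answer counts as a deviation too."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        if seen != expected:
            findings.append(Finding(name, rtype, frozenset(expected), frozenset(seen),
                                    "answer differs from pinned baseline"))
    return findings


def diff_vantage_points(internal: Snapshot, external: Snapshot) -> List[Finding]:
    """Technique 3: a responder that hands internal clients an attacker address and
    forwards everyone else to the real server shows up as a disagreement between
    a resolver inside the corporate network and one outside it."""
    findings = []
    for key in sorted(set(internal) | set(external)):
        inside, outside = internal.get(key, set()), external.get(key, set())
        if inside != outside:
            name, rtype = key
            findings.append(Finding(name, rtype, frozenset(outside), frozenset(inside),
                                    "internal and external resolvers disagree"))
    return findings


def format_finding(f: Finding) -> str:
    return (f"ALERT {f.name} {f.rtype}: expected {sorted(f.expected)} "
            f"observed {sorted(f.observed)} ({f.reason})")


# Constructed snapshots. 203.0.113.5 and ns*.attacker.example stand in for
# attacker-controlled infrastructure (documentation ranges, not real indicators).
OBSERVED_CLEAN: Snapshot = {k: set(v) for k, v in BASELINE.items()}
OBSERVED_HIJACKED: Snapshot = {
    ("mail.example.com", "A"):  {"203.0.113.5"},
    ("example.com", "MX"):      {"10 mail.example.com."},
    ("example.com", "NS"):      {"ns1.attacker.example.", "ns2.attacker.example."},
}
INTERNAL_VIEW: Snapshot = {("mail.example.com", "A"): {"203.0.113.5"},
                           ("example.com", "MX"): {"10 mail.example.com."}}
EXTERNAL_VIEW: Snapshot = {("mail.example.com", "A"): {"198.51.100.10"},
                           ("example.com", "MX"): {"10 mail.example.com."}}

if __name__ == "__main__":
    for f in (diff_against_baseline(BASELINE, OBSERVED_HIJACKED)
              + diff_vantage_points(INTERNAL_VIEW, EXTERNAL_VIEW)):
        print(format_finding(f))
```

In a real deployment the snapshots would be filled by querying from at least two vantage points (for example with dnspython's `dns.resolver.resolve`), and the NS check should be run against the parent zone's nameservers rather than a recursive resolver, since a recursive resolver sitting inside the redirected path would simply report the attacker's answer as the truth.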
https://www.securitylab.ru/news/497386.php