The Department of Homeland Security has issued a rare “emergency” directive ordering federal civilian agencies to secure the login credentials for their internet domain records.
DHS issued the order Tuesday afternoon out of concern that federal agencies could be vulnerable to cyberattacks intended to gain access to the platforms used to manage domain name system (DNS) records. The DNS system, dubbed the “phone book of the internet,” translates a domain name to a valid IP address, sending a user to the website they are trying to access.
Once compromised, a DNS server or registrar account can be used to redirect users to a malware-laden website. There are at least six civilian agency domains that have been affected by the recent malicious DNS activity, according to people familiar with the matter.
The emergency directive, which carries more urgency than DHS’s more-common Binding Operational Directives, requires agencies to add multi-factor authentication to their DNS accounts, change account passwords, audit their DNS records, and monitor certificate logs, according to the order. Agencies have 10 business days to implement those instructions.
Agencies can manage their DNS records in-house, outsource the work to a commercial provider, or have a mix of both. The directive makes clear that agencies will ultimately be held accountable for their domain-name security policies, regardless of where they maintain their DNS accounts.
The partial government shutdown, which has entered its second month, could complicate agencies’ ability to implement the order. With 800,000 federal workers furloughed or working without pay, many civilian agencies are short-staffed.
The DHS order follows research published earlier this month by cybersecurity company FireEye, showing how hackers were manipulating DNS records to divert a target’s traffic through malicious servers. The campaign was aimed at organizations in the Middle East, North Africa, Europe, and North America, including government and commercial organizations. FireEye researchers asserted with “moderate confidence” that people based in Iran carried out that DNS hijacking, and that the “activity aligns with Iranian government interests.”
The attackers were able to hijack a target’s traffic using compromised login credentials for administering DNS accounts, researchers said. For that reason, DHS is clamping down on agencies that do not use multi-factor authentication to manage such accounts.
The DNS hijacking has come in waves over the last two years, FireEye said, and could be the work of more than one “threat actor,” or entity responsible for the hacking.
Last November, Cisco’s threat intelligence unit, Talos, released research documenting malicious DNS activity targeting government websites in Lebanon and the United Arab Emirates.
One tool at agencies’ disposal to parry the malicious DNS traffic is an intrusion-detection and prevention program known as Einstein. The most recent iteration of the multibillion-dollar program can “sinkhole” such web traffic by redirecting it to a safe host.
CyberScoop first reported the directive’s existence Tuesday afternoon, shortly before the agency publicly released it.
CyberScoop has requested comment from a DHS spokesperson.
The emergency DHS order complements a Jan. 10 public alert the department issued on the malicious DNS activity. The department advised network administrators to double-check encryption certificates from domains.
Now, DHS is turning part of that public advice into an internal mandate for civilian agencies. It’s time to walk the walk, lest agencies fall victim to the DNS-hijacking threat.