{
	"id": "33b8d856-b4b2-4bc8-b410-9c16b928cf26",
	"created_at": "2026-04-06T00:06:55.911814Z",
	"updated_at": "2026-04-10T03:31:46.229919Z",
	"deleted_at": null,
	"sha1_hash": "90270207dfbccfbc3021fd7849807fdf1630d909",
	"title": "DNS Infrastructure Hijacking Campaign | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49122,
	"plain_text": "DNS Infrastructure Hijacking Campaign | CISA\r\nPublished: 2019-02-13 · Archived: 2026-04-05 12:50:41 UTC\r\nSummary\r\nThe National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and\r\nInfrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking\r\ncampaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain\r\nname resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and\r\nobtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.\r\nSee the following links for downloadable copies of open-source indicators of compromise (IOCs) from the\r\nsources listed in the References section below:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nNote: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:\r\n107.161.23.204\r\n192.161.187.200\r\n209.141.38.71\r\nTechnical Details\r\nUsing the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for\r\nother networked services.\r\n1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an\r\naccount that can make changes to DNS records.\r\n2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS)\r\nrecords, replacing the legitimate address of a service with an address the attacker controls. This enables\r\nthem to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to\r\nthe legitimate service, should they choose. This creates a risk that persists beyond the period of traffic\r\nredirection.\r\n3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an\r\norganization’s domain names.\r\nThis allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.\r\nMitigations\r\nNCCIC recommends the following best practices to help safeguard networks against this threat:\r\nhttps://www.us-cert.gov/ncas/alerts/AA19-024A\r\nPage 1 of 2\n\nUpdate the passwords for all accounts that can change organizations’ DNS records.\r\nImplement multifactor authentication on domain registrar accounts, or on other systems used to modify\r\nDNS records.\r\nAudit public DNS records to verify they are resolving to the intended location.\r\nSearch for encryption certificates related to domains and revoke any fraudulently requested certificates.\r\nReferences\r\nCisco Talos blog: DNSpionage Campaign Targets Middle East\r\nCERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions\r\nGlobal DNS Hijacking Campaign: DNS Record Manipulation at Scale | Mandiant | Google Cloud Blog\r\nCrowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors\r\nRevisions\r\nJanuary 24, 2019: Initial version\r\nFebruary 6, 2019: Updated IOCs, added Crowdstrike blog\r\nFebruary 13, 2019: Updated IOCs\r\nSource: https://www.us-cert.gov/ncas/alerts/AA19-024A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/AA19-024A"
	],
	"report_names": [
		"AA19-024A"
	],
	"threat_actors": [
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90270207dfbccfbc3021fd7849807fdf1630d909.pdf",
		"text": "https://archive.orkl.eu/90270207dfbccfbc3021fd7849807fdf1630d909.txt",
		"img": "https://archive.orkl.eu/90270207dfbccfbc3021fd7849807fdf1630d909.jpg"
	}
}