{
	"id": "27dbaee3-3094-4963-ab67-538dea0bd685",
	"created_at": "2026-04-06T00:11:22.571845Z",
	"updated_at": "2026-04-10T13:12:17.504606Z",
	"deleted_at": null,
	"sha1_hash": "a0f1360ac4b3e928f7d596a46baa81b4f67b4251",
	"title": "Widespread DNS Hijacking Activity Targets Multiple Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60025,
	"plain_text": "Widespread DNS Hijacking Activity Targets Multiple Sectors\r\nBy mattdahl\r\nArchived: 2026-04-02 12:31:27 UTC\r\nCrowdStrike® Intelligence™ has been researching reports of widespread DNS hijacking activity since information on the attacks became publicly available earlier this month.[1] That information allowed for the discovery of at least a subset of the domains affected by this campaign. CrowdStrike can confirm that numerous organizations in sectors such as government, insurance and civilian aviation, as well as internet service providers (ISPs) and infrastructure providers, were affected going back as far as February 2017. The ultimate objective of this activity is currently unclear. However, DNS hijacking would allow the responsible actors to capture the contents of web traffic to affected domains during the periods in which they were hijacked, and potentially to use the captured data in follow-on operations. Given current information, CrowdStrike is unable to make adversary- or country-level attribution of this activity.\r\nMalicious Infrastructure and Identified Targets\r\nBased on available information, CrowdStrike's threat intelligence team has identified 28 organizations in 12 countries whose domains were hijacked. The affected organizations were primarily located in the Middle East and North Africa (MENA) region, but a limited number of affected entities were also located in Europe and the United States.\r\nTIMELINE OF MALICIOUS INFRASTRUCTURE AND HIJACKED DOMAINS\r\nMalicious IP Address | Active Time Period | Affected Organizations’ Country (Sector)\r\n142.54.179\u003c.\u003e69 | February 2017 | Jordan (Government)\r\n89.163.206\u003c.\u003e26 | February 2017 | Jordan (Government)\r\n185.15.247\u003c.\u003e140 | December 2017 and January 2018 | Kuwait (Government); Albania (Government)\r\n146.185.143\u003c.\u003e158 | August 2018 | UAE (Government)\r\n128.199.50\u003c.\u003e175 | September 2018 | UAE (Unidentified Sector)\r\n185.20.187\u003c.\u003e8 | September 2018 | UAE (Law Enforcement); UAE (Government); Lebanon (Government); Lebanon (Civil Aviation)\r\n82.196.8\u003c.\u003e43 | October 2018 | Iraq (Government)\r\n188.166.119\u003c.\u003e57 | October 2018 and November 2018 | Egypt (Government); Libya (Government)\r\n206.221.184\u003c.\u003e133 | November 2018 | Egypt (Government)\r\n37.139.11\u003c.\u003e155 | November 2018 | UAE (Unidentified Sector)\r\n199.247.3\u003c.\u003e191 | November 2018 | Iraq (Government); Albania (Government)\r\n185.161.209\u003c.\u003e147 | November 2018 | Lebanon (Insurance)\r\n139.162.144\u003c.\u003e139 | December 2018 | Jordan (Government)\r\n37.139.11\u003c.\u003e155 | December 2018 | UAE (Unidentified Sector)\r\n178.62.218\u003c.\u003e244 | December 2018 | UAE (Government); Cyprus (Government)\r\n139.59.134\u003c.\u003e216 | December 2018 | Sweden (Internet Infrastructure); Saudi Arabia (Internet Services); Lebanon (Internet Services)\r\n82.196.11\u003c.\u003e127 | December 2018 | Sweden (Internet Infrastructure); U.S. (Internet Infrastructure)\r\n46.101.250\u003c.\u003e202 | December 2018 and January 2019 | Saudi Arabia (Government)\r\nActor-owned Domains Used as Name Servers for Hijacked Infrastructure\r\ncloudipnameserver\u003c.\u003ecom\r\ncloudnamedns\u003c.\u003ecom\r\nlcjcomputing\u003c.\u003ecom\r\nmmfasi\u003c.\u003ecom\r\ninteraland\u003c.\u003ecom\r\nOnce hijacked, targeted domains ceased resolving to their normal IP addresses and began resolving to actor-controlled infrastructure. The actors also obtained certificates for the hijacked domains, primarily through Let’s Encrypt, a certificate authority that issues free X.509 certificates for TLS. Because the actors controlled where the domains resolved, they could pass the CA’s domain-validation check and obtain a browser-trusted certificate, so visitors continued to establish what appeared to be trusted connections despite being pointed at malicious infrastructure. Let’s Encrypt publishes every certificate it issues to public Certificate Transparency logs, so such issuance is also visible to domain owners who monitor CT for their own names. Available data shows that most affected domains were hijacked for very short periods, sometimes a day or less, with one domain resolving to a malicious IP address for over a month.\r\nInternet Infrastructure Providers Affected\r\nParticularly notable are a small number of domains owned by significant ISPs or infrastructure providers. The affected ISP domains belonged to a private entity that appears to provide services to a wide range of customers in all sectors, while another affected entity provided services to government, research and academic organizations within its own country. Two other affected organizations operate core functions of the internet globally, such as internet exchange points, root DNS servers and numerous top-level domains (TLDs). A compromise of internet infrastructure operators such as these could support data collection against a wide range of organizations.\r\nAssessment\r\nWhile the precise objectives behind this DNS hijacking activity are unclear, the tactic could be used by malicious actors to support a number of missions:\r\n- Direct collection of data from web traffic to affected domains\r\n- Collection of credentials from captured traffic for use in obtaining access to the networks of future targets\r\n- Delivery of malware from actor-owned infrastructure\r\nThis activity was likely meant to support intelligence collection against the entities whose domains were hijacked, and possibly against associated organizations likely to visit those sites. In addition, the activity targeting ISPs and infrastructure providers could have supported information collection against a range of currently unidentified targets. Public reporting has indicated that there are factors pointing to a possible Iranian nexus for this activity. While the CrowdStrike Intelligence team agrees that the heavy focus on Middle Eastern governments would be consistent with the traditional intelligence collection interests of Iran, there is currently not enough information to make any definitive assessment of country- or adversary-level attribution. Finally, given current information it is unclear whether this hijacking activity is linked to one actor or to several. Considering the extended period over which the activity took place and the variance in malicious infrastructure, it is possible that multiple entities were involved in carrying out this DNS hijacking.\r\n
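The hijack pattern described above (resolution moved to actor infrastructure, delegation to actor-owned name servers, a fresh Let’s Encrypt certificate, and a hijack window that is usually short) can be checked from data a domain owner already has: passive-DNS or resolver-log observations and Certificate Transparency entries. The Python below is an added example written for this page, not code from the CrowdStrike post; it generalizes the post’s indicators into a small detector that flags resolution and delegation drift from a baseline, correlates certificate issuance with those anomalies, and estimates how long each domain was hijacked. The domain names, timestamps, baseline, expected-CA policy and sample records are constructed placeholders; the IP addresses and name-server domains in the two indicator sets are the ones listed in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Added example for this page, not code from the CrowdStrike post.
# Indicator sets are taken from the post; domains, timestamps, baseline,
# CA policy and sample records are constructed.
KNOWN_BAD_IPS: Set[str] = {'185.20.187.8', '139.59.134.216', '46.101.250.202'}
KNOWN_BAD_NS: Set[str] = {'cloudipnameserver.com', 'cloudnamedns.com',
                          'lcjcomputing.com', 'mmfasi.com', 'interaland.com'}

# Constructed baseline for zones we own: expected A records, expected
# authoritative name servers, and the CA we normally obtain certificates from.
BASELINE: Dict[str, dict] = {
    'portal.example.test': {'a': {'203.0.113.10'}, 'ns': {'ns1.example.test', 'ns2.example.test'}, 'ca': 'Example Corp CA'},
    'www.example.test': {'a': {'203.0.113.20'}, 'ns': {'ns1.example.test', 'ns2.example.test'}, 'ca': 'Example Corp CA'},
}

# Constructed passive-DNS style observations: (time, name, rrtype, rdata).
PDNS = [
    ('2018-12-03 09:00', 'portal.example.test', 'A', '203.0.113.10'),
    ('2018-12-05 02:10', 'portal.example.test', 'NS', 'ns1.cloudnamedns.com'),
    ('2018-12-05 02:12', 'portal.example.test', 'A', '139.59.134.216'),
    ('2018-12-05 18:40', 'portal.example.test', 'A', '203.0.113.10'),
    ('2018-12-06 11:00', 'www.example.test', 'A', '203.0.113.20'),
    ('2018-12-07 04:00', 'www.example.test', 'A', '198.51.100.77'),  # unexpected but not a known IOC
]

# Constructed CT-log style entries: (time, issuer common name, subject names).
CERTS = [
    ('2018-12-05 02:30', "Let's Encrypt Authority X3", ['portal.example.test']),
    ('2018-11-20 10:00', 'Example Corp CA', ['www.example.test']),
]


@dataclass
class Finding:
    domain: str
    kind: str       # 'a_record', 'ns_record' or 'certificate'
    detail: str
    severity: str   # 'high' = matches or correlates with known actor infrastructure
    seen: datetime


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, '%Y-%m-%d %H:%M')


def check_dns(obs) -> List[Finding]:
    """Flag A records and NS delegations that drift from the baseline."""
    findings = []
    for t, name, rrtype, rdata in obs:
        base = BASELINE.get(name)
        if base is None:
            continue
        when = parse_ts(t)
        if rrtype == 'A' and rdata not in base['a']:
            sev = 'high' if rdata in KNOWN_BAD_IPS else 'medium'
            findings.append(Finding(name, 'a_record', f'resolves to unexpected {rdata}', sev, when))
        elif rrtype == 'NS' and rdata not in base['ns']:
            # Compare the registered domain of the name server against the actor list.
            parent = '.'.join(rdata.rstrip('.').split('.')[-2:])
            sev = 'high' if parent in KNOWN_BAD_NS else 'medium'
            findings.append(Finding(name, 'ns_record', f'delegated to unexpected {rdata}', sev, when))
    return findings


def check_certs(certs, dns_findings, window=timedelta(days=2)) -> List[Finding]:
    """Flag certificates from an unexpected CA; escalate when DNS drifted nearby in time."""
    findings = []
    for t, issuer, names in certs:
        when = parse_ts(t)
        for name in names:
            base = BASELINE.get(name)
            if base is None or issuer == base['ca']:
                continue
            nearby = [f for f in dns_findings if f.domain == name and abs(f.seen - when) <= window]
            sev = 'high' if nearby else 'medium'
            detail = f'{issuer} issued a certificate; {len(nearby)} DNS anomalies within {window.days} days'
            findings.append(Finding(name, 'certificate', detail, sev, when))
    return findings


def hijack_windows(obs) -> Dict[str, Tuple[datetime, Optional[datetime]]]:
    """First hijack window per domain: (first anomalous A seen, time baseline returned or None)."""
    rows: Dict[str, list] = {}
    for t, name, rrtype, rdata in obs:
        if rrtype == 'A' and name in BASELINE:
            rows.setdefault(name, []).append((parse_ts(t), rdata in BASELINE[name]['a']))
    windows = {}
    for name, seq in rows.items():
        start = end = None
        for when, is_baseline in sorted(seq):
            if not is_baseline and start is None:
                start = when
            elif is_baseline and start is not None and end is None:
                end = when
        if start is not None:
            windows[name] = (start, end)
    return windows


def run(obs=PDNS, certs=CERTS):
    dns = check_dns(obs)
    return dns + check_certs(certs, dns), hijack_windows(obs)
```

Calling `run()` on the constructed data yields three high-severity findings for portal.example.test (delegation to a cloudnamedns.com name server, resolution to 139.59.134.216, and a Let’s Encrypt certificate issued inside that window) plus a medium one for www.example.test, whose new address matches no known indicator; the window for portal.example.test closes after about sixteen hours, while www.example.test has not returned to baseline. In production the observation lists come from a passive-DNS provider or resolver logs and from a CT monitor, and the baseline from your zone files; the severity split keeps routine infrastructure moves from drowning out matches against known actor infrastructure.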
[1] Information on related activity was also published in November 2018 in the blog post “DNSpionage Campaign Targets Middle East.”\r\nAdditional Resources\r\nFor more information on how to incorporate intelligence on dangerous threat actors into your security strategy, please visit the CrowdStrike Falcon® Intelligence product page.\r\nRead stories from the front lines of incident response and get insights that can help inform your security strategy for 2019 in the CrowdStrike Services Cyber Intrusion Casebook 2018.\r\nDownload the CrowdStrike 2020 Global Threat Report.\r\nTest Falcon Prevent™ next-gen antivirus for yourself with a free 15-day trial.\r\nSource: https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/"
	],
	"report_names": [
		"widespread-dns-hijacking-activity-targets-multiple-sectors"
	],
	"threat_actors": [
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34",
				"Cold River",
				"DNSpionage"
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0f1360ac4b3e928f7d596a46baa81b4f67b4251.pdf",
		"text": "https://archive.orkl.eu/a0f1360ac4b3e928f7d596a46baa81b4f67b4251.txt",
		"img": "https://archive.orkl.eu/a0f1360ac4b3e928f7d596a46baa81b4f67b4251.jpg"
	}
}