• by Ray Schultz , January 23, 2019

The Department of Homeland Security has identified a series of cyber attacks against government agency websites involving domain-name infrastructure tampering.

The DHS is tracking the incidents, and on Tuesday issued an emergency warning to agencies, advising them on how to fight the attacks.

Published reports say the hacks are originating in Iran. 

The incident comes as the DHS is unfunded because of the government shutdown.

On Tuesday, Senate Majority Leader Mitch McConnell (R-Ky.) blocked a bill passed by the House to temporarily reopen the DHS, the Hill reports.

The DHS explains the hacks as follows:

“The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

“Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls.”

The DHS says the above action enables hackers to “direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose.”

By doing this, attackers can obtain valid encryption certification for an agency’s domain name. End users receive no error warnings, it adds.

The DHS directive instructs agencies to:

• Audit DNS records
• Change DNS account passwords
• Add multi-factor authentication to DNS accounts
• Monitor certificate transparency logs

The DHS adds that its Cybersecurity and Infrastructure Security Agency (CISA) will provide technical assistance to affected agencies.

In addition, the CISA will review submissions from agencies that are unable to implement multi-factor authentication to DNS accounts.