An American cybersecurity firm, FireEye claimed that the Iran-based hacking syndicate is likely behind a sophisticated "unprecedented" cyber-attack campaign that targets victims across the Middle East and North Africa, as well as Europe and North America.
The researchers at the California based cybersecurity company have identified a wave of Domain Name System (DNS) hijacking that has affected several domains such as government, telecommunication as well as internet infrastructure entities.
In a blog post, FireEye, the company, which provides hardware, software and services to investigate cyber breach, protect against malicious software and analyse IT security risks said, "While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran."
"Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests," the company researchers also added.
FireEye teams tracked the activities of the hackers for several months by observing the techniques and procedures (TTPs), mapping and understanding the innovative tactics. They also worked closely with cyber attack victims, security organisations and law enforcement agencies, where they have found a possibility of minimizing the impact of such breach and to protect them from further compromises.
The researchers also explained that "while this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways."
As per the FireEye a large number of organisations, including "telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities" have been affected by this pattern of DNS record manipulation and fraudulent Secure Sockets Layer (SSL) certificates and such kind of cyber attack is difficult to combat, because through the process valuable information can be stolen.
The researchers suggested that "Implement multi-factor authentication on your domain's administration portal, search for SSL certificates related to your domain and revoke any malicious certificates, conduct an internal investigation to assess if attackers gained access to your environment."
In April 2018, four Singapore universities were attacked by alleged Iranian hackers, who stole more than 31 terabytes of academic data and intellectual property from other institutions across the world.
As soon as the authorities came to know about the breach they informed Singapore's Cyber Security Agency (CSA) and Ministry of Education (MOE) about the alleged attack on 52 staff accounts. It was also reported that the hacking group includes nine individuals, who had been charged in US for their bid to hack 144 US and 176 other universities across 21 countries, including Singapore-based institutions.
The US Department of Justice said that these hackers are doing these crimes "under the instructions of the Iranian government", which Teheran has denied.