[dns-operations] FireEye reports long-running DNS hijacking campaign

Paul Hoffman phoffman at proper.com
Sat Jan 12 17:36:47 UTC 2019

On 12 Jan 2019, at 9:05, Barry Raveendran Greene wrote:

> The press cycle is disturbing. The quick summary, threat-actors are 
> breaking into the registrar and (it appears) the primary servers. They 
> then set up long term MITM interceptions through proxies.
> It is not really a “hijack.”

 From the description in the FireEye article, it is indeed a hijack, but 
only for a short term. They revert to the regular A or NS records as 
soon as they have intercepted what they want, likely to reduce the 
chance of exposure. (The article admits that it is not a complete 
description of the attack.)

--Paul Hoffman

More information about the dns-operations mailing list