January 23, 2019

Sensato-TIB: DNS Attack

DHS/CISA has been tracking attacks against DNS infrastructure. These attacks have increased in frequency over the past 48 hours, specifically targeting critical infrastructure sectors.

Sensato-TIB: DNS Attack Against Critical Infrastructure Sectors

This is not meant as a conclusive briefing, but rather as a cautionary update related to these attacks.

CRITICAL DETAILS AND INTELLIGENCE

Current State

Sensato has become aware of a series of attacks which are directed against DNS infrastructure. This Threat Intelligence Briefing (TIB) provides an overview of these attacks and possible countermeasures that you may wish to consider implementing.  

The motivation of this attack is still unknown, but early analysis indicates that these attacks are being conducted by Iranian actors (specifically government-backed or associated). Although there have been ongoing DNS attacks against critical infrastructure since 2010, this new series of attacks is occurring at a scale previously unseen. The exact means used by attackers to compromise the DNS infrastructure is currently unknown.

Once the attackers compromise DNS, they can redirect all DNS traffic to their servers and inspect or manipulate the captured traffic before it is forwarded to the victim’s systems. This attack also allows the attacker to examine encrypted data, bypassing common encryption methods without the victim becoming aware that the encryption has been invalidated.

ITEMS TO CONSIDER

This attack has gained momentum in the past weeks. Currently the attack is targeting critical infrastructure (specifically government agencies). CISA/DHS has issued an emergency directive advising government agencies to implement precautions to protect against this attack. Sensato believes these measures should be implemented by all those in or serving a critical infrastructure sector.

THINGS TO DO

1. Audit DNS Records – Review your DNS records to ensure that they resolve to their intended location. It is recommended that this practice occur on a weekly basis for the next 30 days, after which you should re-evaluate current threat intelligence to determine a proper go-forward frequency of audits.

2. Change DNS Passwords – Ensure all DNS servers and services are using strong passwords and that they are changed immediately. Going forward, DNS passwords should be changed in accordance with your organization’s password change policy.

3. Enable Multi-Factor Authentication – Implement MFA for all DNS services and servers as soon as possible.

4. Report Suspicious DNS Behavior – If you encounter suspicious DNS behavior, please report it to CISA/DHS and Sensato.
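
One way to run the weekly audit in item 1, as an added example that is not Sensato's or CISA's code: compare what each name currently resolves to against a baseline kept out of band. The hostnames, addresses and function names below are constructed placeholders.

```python
"""Audit DNS answers against a known-good baseline (added example)."""
import socket

# Constructed baseline, maintained out of band (placeholder names,
# RFC 5737 documentation addresses). Replace with your own records.
BASELINE = {
    "www.example.org": {"192.0.2.10", "192.0.2.11"},
    "mail.example.org": {"192.0.2.25"},
    "vpn.example.org": {"198.51.100.7"},
}

def system_resolver(name):
    """Resolve addresses via the local resolver; empty set if lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def audit(baseline, resolve=system_resolver):
    """Return findings as (name, kind, addresses, expected); [] means clean."""
    findings = []
    for name, expected in sorted(baseline.items()):
        observed = set(resolve(name) or ())
        if not observed:
            findings.append((name, "NO_ANSWER", set(), expected))
            continue
        unexpected = observed - expected   # address not in the baseline
        missing = expected - observed      # baseline address no longer served
        if unexpected:
            findings.append((name, "UNEXPECTED_ADDRESS", unexpected, expected))
        elif missing:
            findings.append((name, "MISSING_ADDRESS", missing, expected))
    return findings

# Constructed answers simulating one changed record, so the example runs offline.
SAMPLE_ANSWERS = {
    "www.example.org": {"192.0.2.10", "192.0.2.11"},
    "mail.example.org": {"203.0.113.66"},
    "vpn.example.org": set(),
}

if __name__ == "__main__":
    # Pass no second argument to audit() to query the live resolver instead.
    for name, kind, addrs, expected in audit(BASELINE, SAMPLE_ANSWERS.get):
        print(f"{kind:20} {name:20} got={sorted(addrs)} expected={sorted(expected)}")
```

The standard library resolves addresses only; auditing NS or MX records needs a DNS library or a tool such as dig.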

THINGS TO KNOW

How prevalent is the threat?

The scale of this attack has escalated in the past 48 hours, and it has been successfully executed against ISPs, telecommunications and government agencies across North America, Africa and the Middle East, as well as Europe.

What is the real risk?

All critical infrastructure sectors are at risk and could be targeted by this attack. There is also a risk that the TTP associated with this attack will become well known and employed widely.

What if you become a victim?

1. You may wish to consider activation of an air-gap protocol or block DNS-based traffic.

2. Activate IR Team.

3. Institute Forensic Analysis.

4. Notify FBI, DHS, FDA and Sensato immediately.  

What is the impact to humans and operations?

The attacker’s ability to manipulate data and operate outside the organization’s network is cause for concern. This attack can be executed silently for long periods of time without the defender being aware of the compromise.

Where can you get further details or assistance?  

The Sensato-CTOC can provide further details as they become available. Please contact your Sensato primary point of contact if you require any assistance or have questions. You can also reach out to Sensato at info@sensato.co.
