Mitre
Alias
Dnspionage, Cobalt Edgewater
Country
Iran
Sponsor
State-sponsored
Motivation
Information Theft And Espionage
First Seen
2019
Description
(Talos) Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks.
Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers.
Talos found a possible relationship between DNSpionage and {{OilRig, APT 34, Helix Kitten, Chrysene}}.
Targeted Industries
Government, Internet Infrastructure, Law Enforcement, Telecommunications, Aviation
Targeted Countries
USA, Kuwait, Sweden, Iraq, UAE, Libya, North Africa, Cyprus, Lebanon, Egypt, Albania, Jordan
Tools
DNSpionage
Karkoff
TTP
Nil
Operations Performed
[2019-04] DNSpionage Brings Out the Karkoff (https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html)
Counter Operations
Nil
Information
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/
https://krebsonsecurity.com/tag/dnspionage/