top of page

DNSpionage

Mitre

Alias

Dnspionage, Cobalt Edgewater

Country

Iran

Sponsor

State-sponsored

Motivation

Information Theft And Espionage

First Seen

2019

Description

(Talos) Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it�s clear that this adversary spent time understanding the victims� network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor�s infrastructure and TTPs, we haven�t been able to connect them with any other campaign or actor that�s been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling �DNSpionage,� supports HTTP and DNS communication with the attackers.

Talos found a possible relationship between DNSpionage and {{OilRig, APT 34, Helix Kitten, Chrysene}}.

Targeted
Industries

Government, Internet Infrastructure, Law Enforcement, Telecommunications, Aviation

Targeted
Countries

Usa, Kuwait, Sweden, Iraq, Uae, Libya, North Africa, Cyprus, Lebanon, Egypt, Albania, Jordan

Tools

Dnspionage
Karkoff

TTP

Nil

Operations
Performed

Counter
Operations

Nil

Information

bottom of page