Email Security

    DNSpionage Demystified

    Espionage is the subject of more novels and Hollywood films than can even be accounted for.

    by Boris Vaynberg

    It seems intriguing on the written page or the silver screen to the average consumer, but when espionage starts to become a reality that affects the identity credentials of millions of people, it changes the perception considerably.

    IT turns out that reality is sometimes more interesting (and scary) than fiction. When it comes to a new variation on espionage, all you have to do is look at what happened in the Middle East recently with the introduction of DNSpionage.

    What is DNSpionage?

    Just when you thought you’ve heard of every new variation of cyberattacks, you are confronted with a new one.  Specifically, the latest treat dubbed DNSpionage has entered the landscape and already paying off for cyber criminals.

    A KrebsOnSecurity article titled “A Deep Dive on the Recent Widespread DNS Hijacking Attacks” explains what DNSpionage is:

    “The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names ( into numeric Internet address that are easier for computers to manage.”

    So, by hijacking a DNS Server, malicious code can then steal emails and other login credentials by redirecting traffic to an internet address controlled by the cyber criminals.

    DNSpionage In Action

    Unfortunately, DNSpionage is not just an academic or intellectual discussion of what potentially could happen. It was identified in late 2018 and still a force to be reckoned with. A Dark Reading article titled “New Hacker Group Behind 'DNSpionage' Attacks in Middle East” describes how this malware is distributed and what it does based on the recent Middle East attacks:

    “DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site

    The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.”

    We’ve written recent on how hackers are targeting entire countries, and this is another example of how to perpetrate harm on a very large scale.

    Don’t Be a Victim

    In order to protect your organization, you will need a cybersecurity strategy that takes into account identifying and eliminating executable code hidden in what should be innocuous content.  

    Choosing only solutions that evaluate every line of code, making well documented evasion techniques ineffective, while being agnostic to file type, client-side application type, or the client operating system used within the organization is the superior technology selection criteria.

    Selected solutions should provide protection regardless of operating system, CPU architecture and function (client, server) of the targeted machine.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page