DHS issues emergency order to prevent agency DNS hijacking

The order out of concern that federal agencies could be vulnerable to cyberattacks intended to gain access to the platforms used to manage domain name system (DNS) records.
(DHS photo by Jetta Disco / Flickr)

This story first appeared on CyberScoop

The Department of Homeland Security has issued a rare “emergency” directive ordering federal civilian agencies to secure the login credentials for their internet domain records.

DHS issued the order Tuesday afternoon out of concern that federal agencies could be vulnerable to cyberattacks intended to gain access to the platforms used to manage domain name system (DNS) records. The DNS system, dubbed the “phone book of the internet,” translates a domain name to a valid IP address, sending a user to the website they are trying to access.

Once compromised, a DNS server or registrar account can be used to redirect users to a malware-laden website. There are at least six civilian agency domains that have been affected by the recent malicious DNS activity, according to people familiar with the matter.


The emergency directive, which carries more urgency than DHS’s more-common Binding Operational Directives, requires agencies to add multi-factor authentication to their DNS accounts, change account passwords, audit their DNS records, and monitor certificate logs, said the people familiar with the order.

Agencies have 10 business days to implement those instructions, the sources said.

Agencies can manage their DNS records in-house, outsource the work to a commercial provider, or have a mix of both. The directive makes clear that agencies will ultimately be held accountable for their domain-name security policies, regardless of where they maintain their DNS accounts.

The partial government shutdown, which has entered its second month, could complicate agencies’ ability to implement the order. With 800,000 federal workers furloughed or working without pay, many civilian agencies are short-staffed.

The DHS order follows research published earlier this month by cybersecurity company FireEye, showing how hackers were manipulating DNS records to divert a target’s traffic through malicious servers. The campaign was aimed at organizations in the Middle East, North Africa, Europe, and North America, including government and commercial organizations.  FireEye researchers asserted with “moderate confidence” that people based in Iran carried out that DNS hijacking, and that the “activity aligns with Iranian government interests.”


The attackers were able to hijack a target’s traffic using compromised login credentials for administering DNS accounts, researchers said. For that reason, DHS is clamping down on agencies that do not use multi-factor authentication to manage such accounts.

The DNS hijacking has come in waves over the last two years, FireEye said, and could be the work of more than one “threat actor,” or entity responsible for the hacking.

One tool at agencies’ disposal to parry the malicious DNS traffic is an intrusion-detection and prevention program known as Einstein. The most recent iteration of the multibillion-dollar program can “sinkhole” such web traffic by redirecting it to a safe host.

CyberScoop first reported the directive’s existence Tuesday afternoon, shortly before the agency publicly released it.

CyberScoop has requested comment from a DHS spokesperson.


The emergency DHS order complements a Jan. 10 public alert the department issued on the malicious DNS activity. The department advised network administrators to double-check encryption certificates from domains.

Now, DHS is turning part of that public advice into an internal mandate for civilian agencies. It’s time to walk the walk, lest agencies fall victim to the DNS-hijacking threat.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts