Cyber Incident Victim: Middle East Airlines
Date: Sep 2018
Location: Lebanon
Summary
A cyberespionage campaign dubbed "DNSpionage" targeted a Lebanese airline alongside government entities in Lebanon and the UAE, using malicious Microsoft Office documents distributed through fake job-hunting websites. Victims were compromised by macro-enabled documents that delivered malware capable of HTTP- and DNS-based command-and-control communication, including DNS tunneling for data exfiltration. The threat actors showed detailed reconnaissance of victim networks to evade detection, and additionally hijacked DNS records for targeted domains, obtaining Let's Encrypt certificates for those domains to support their redirection. The malware established persistence by creating dedicated directories and executable files on infected systems; whether the DNS hijacking succeeded operationally remained unconfirmed.
Description
In September 2018, a cyberespionage campaign dubbed "DNSpionage" targeted Middle East Airlines, a private Lebanese airline, alongside government entities in Lebanon and the United Arab Emirates. Attackers deployed malicious Microsoft Office documents embedded with macros, distributed through two fake websites posing as job recruitment portals. When victims opened these documents, the DNSpionage malware infected their systems, creating a dedicated directory structure at %UserProfile%\.oracleServices/ to store components like the executable "svshost_serv.exe," configuration files, and logs. The malware established communication with command-and-control (C2) servers using both HTTP and DNS protocols, employing base64-encoded DNS queries with randomized data for initial system registration and instruction retrieval. DNS tunneling was leveraged as a covert channel for data exfiltration, allowing attackers to stealthily extract information. Forensic analysis indicated the threat actor conducted reconnaissance to understand victim network infrastructure, enabling them to evade detection and maintain persistence. The campaign’s infrastructure and tactics showed no direct links to previously known threat groups at the time of discovery.

A separate but related aspect of the campaign involved DNS hijacking, where attackers redirected DNS queries for legitimate .gov domains and the airline’s domains to malicious servers under their control. During these redirections, the actors generated valid Let’s Encrypt TLS certificates for the compromised domains, potentially enabling man-in-the-middle attacks or credential harvesting by impersonating legitimate services. The success of these DNS redirections remained unconfirmed, though the use of trusted certificates increased the operational sophistication. The malware’s persistence mechanisms and network evasion techniques suggested a focus on long-term intelligence gathering. Cisco Talos publicly disclosed the campaign in November 2018, providing technical indicators of compromise (IOCs) and detection guidance through their security platforms, including AMP, CWS, and Umbrella. The incident highlighted risks to critical transportation and government sectors in the Middle East, emphasizing vulnerabilities in DNS infrastructure and document-based initial infection vectors.
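The description above notes that the malware registered and fetched instructions through base64-encoded DNS queries and used DNS tunneling to exfiltrate data. That traffic pattern (a single client sending many unique, long, base64-looking subdomain labels to one parent domain) is something a defender can score from ordinary resolver logs. The following is an added example, not code from the page or from Cisco Talos: a heuristic detector run over a constructed log sample. The log format, the thresholds, and the placeholder domain `c2-placeholder.test` are assumptions.

```python
"""Heuristic detection of DNS-tunnelling style C2 traffic in DNS query logs.

Added example, not from the page or from Cisco Talos.  Scores per-client
query streams for long, base64-looking, mostly unique subdomain labels sent
to one parent domain.  Log format, thresholds and sample domains are assumed.
"""
import base64
import math
import re
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> <client_ip> <qname> <qtype>", one per line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Standard and URL-safe base64 alphabets without '=' padding (padding cannot
# appear in a DNS label); 16+ characters to ignore short ordinary hostnames.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,}$")


def _encoded_label(payload: bytes) -> str:
    """Constructed tunnelling-style label: URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")


def build_sample_log() -> str:
    """Constructed sample log: ordinary lookups plus one tunnelled stream.

    'c2-placeholder.test' is a placeholder, not a real indicator.
    """
    lines = [
        "2018-09-12T10:01:02Z 10.0.0.5 www.example.com A",
        "2018-09-12T10:01:03Z 10.0.0.5 mail.example.com MX",
        "2018-09-12T10:01:04Z 10.0.0.7 cdn.example.com A",
        "2018-09-12T10:01:05Z 10.0.0.5 login.example.com A",
    ]
    chunks = [  # constructed payload fragments a beacon might carry
        b"host=WS01;user=alice;pid=4120",
        b"os=Windows 10;arch=x64;build=17",
        b"cmd=dir;result=ok;len=2048",
        b"cmd=whoami;result=ok;len=32",
        b"chunk=1/3;data=AAAAAAAAAAAAAAA",
    ]
    for i, chunk in enumerate(chunks):
        lines.append(
            f"2018-09-12T10:02:{i:02d}Z 10.0.0.5 "
            f"{_encoded_label(chunk)}.c2-placeholder.test TXT"
        )
    return "\n".join(lines)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores high, words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (no suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyze(log_text: str, min_queries: int = 3, min_entropy: float = 3.5):
    """Return {(client, parent_domain): stats} for streams that look tunnelled."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing in front of the parent domain to carry data
        # Everything left of the parent domain is the candidate payload.
        streams[(client, parent_domain(qname))].append(".".join(labels[:-2]))

    findings = {}
    for key, subs in streams.items():
        if len(subs) < min_queries:
            continue
        b64_like = [s for s in subs if BASE64_LABEL.match(s.replace(".", ""))]
        stats = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "base64_ratio": len(b64_like) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
        # Tunnelled streams rarely repeat a label and are almost all encoded.
        if (stats["base64_ratio"] >= 0.8 and stats["unique_ratio"] >= 0.9
                and stats["mean_entropy"] >= min_entropy):
            findings[key] = stats
    return findings


if __name__ == "__main__":
    for (client, domain), stats in analyze(build_sample_log()).items():
        print(f"{client} -> {domain}: {stats}")
```

The detector keys on three properties together rather than any one alone: label length and alphabet (base64-like), label uniqueness per parent domain (cache-busting is inherent to tunnelling), and character entropy. Real resolver logs need a public-suffix list in place of the two-label `parent_domain` guess, an allow-list for legitimate high-entropy domains such as CDNs and anti-spam lookups, and thresholds tuned on a baseline of the environment's own traffic.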
