Date: Sep 2018

Location: United Arab Emirates

Summary

A cyberespionage campaign dubbed "DNSpionage" targeted UAE government entities and Lebanese organizations, compromising systems through malicious Microsoft Office documents distributed via fake job recruitment websites. The attackers deployed malware establishing persistent communication with command-and-control servers using HTTP and DNS protocols, including base64-encoded DNS queries for system registration and data exfiltration via DNS tunneling. The campaign involved DNS redirection attempts against legitimate government and private sector domains, with adversaries generating fraudulent Let's Encrypt certificates for redirected infrastructure to evade detection. The malware created specific directories and executable files on infected systems to manage operations, though the success of DNS hijacking remained unconfirmed.


Description

In September 2018, a cyberespionage campaign dubbed "DNSpionage" targeted government and private sector entities in Lebanon and the United Arab Emirates, including the UAE Telecommunication Regulatory Authority. Attackers deployed carefully crafted malicious Microsoft Office documents embedded with macros, distributed through two fake websites posing as legitimate job portals. These documents, when opened, executed malware designed to evade detection by leveraging the victims' network infrastructure knowledge. The malware, identified as DNSpionage, established persistence by creating a dedicated directory structure at %UserProfile%\.oracleServices/, containing executable components (svshost_serv.exe), configuration files (Configure.txt), and operational logs (log.txt). It employed both HTTP and DNS protocols for command-and-control communications, using base64-encoded DNS queries with randomized data to register infected systems and receive instructions. DNS tunneling facilitated covert data exfiltration, allowing attackers to siphon information stealthily.
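As an added, defender-side illustration (not code from the original report or from the actors' tooling): a heuristic that scans DNS query logs for the base64-encoded, high-entropy leftmost labels characteristic of the DNS tunneling described above, and aggregates hits per base domain. The log lines and the c2-placeholder.test domain are constructed for the example; the campaign's actual C2 domain is not named on this page.

```python
import base64
import math
import re
from collections import defaultdict

def _tunnel_label(payload: bytes) -> str:
    """Build a constructed tunnel-style label: url-safe base64, padding stripped."""
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")

# Constructed DNS query log: timestamp, client, qname, qtype. Placeholder domains only.
SAMPLE_DNS_LOG = [
    "2018-09-12T09:01:02Z 10.0.0.5 www.example-news.test A",
    "2018-09-12T09:01:03Z 10.0.0.5 cdn.example-news.test A",
    f"2018-09-12T09:01:10Z 10.0.0.7 {_tunnel_label(b'host-7|register|7f3a')}.c2-placeholder.test A",
    f"2018-09-12T09:01:11Z 10.0.0.7 {_tunnel_label(b'host-7|chunk-1|dG9wc2VjcmV0')}.c2-placeholder.test A",
    f"2018-09-12T09:01:12Z 10.0.0.7 {_tunnel_label(b'host-7|chunk-2|ZXhmaWwtZGF0YQ')}.c2-placeholder.test A",
    f"2018-09-12T09:01:13Z 10.0.0.7 {_tunnel_label(b'host-7|chunk-3|bW9yZS1kYXRh')}.c2-placeholder.test A",
    "2018-09-12T09:02:00Z 10.0.0.5 mail.example-news.test MX",
]

# Url-safe base64 alphabet; 16+ chars rules out ordinary short hostnames like "www".
B64_LABEL = re.compile(r"^[A-Za-z0-9_=-]{16,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above dictionary-word hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_tunnel_like(qname: str, min_entropy: float = 3.0) -> bool:
    """Flag a query whose leftmost label looks like an encoded payload, not a hostname."""
    first = qname.rstrip(".").split(".")[0]
    return bool(B64_LABEL.match(first)) and shannon_entropy(first) >= min_entropy

def summarize_tunneling(log_lines, suffix_labels: int = 2):
    """Per base domain: (total queries, tunnel-like queries, distinct encoded labels)."""
    stats = defaultdict(lambda: {"queries": 0, "tunnel_like": 0, "labels": set()})
    for line in log_lines:
        _ts, _client, qname, _qtype = line.split()
        labels = qname.rstrip(".").split(".")
        # Last two labels approximate the registrable domain; use a public-suffix list in production.
        entry = stats[".".join(labels[-suffix_labels:])]
        entry["queries"] += 1
        if is_tunnel_like(qname):
            entry["tunnel_like"] += 1
            entry["labels"].add(labels[0])
    return {d: (v["queries"], v["tunnel_like"], len(v["labels"])) for d, v in stats.items()}
```

Many distinct high-entropy labels under one base domain from a single client is the pattern to alert on; a lone long label can be a legitimate CDN or anti-spam hostname, so tune the thresholds against your own resolver logs.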


The campaign expanded beyond the initial compromises to include DNS hijacking attacks against .gov domains and private companies, redirecting DNS queries to attacker-controlled infrastructure. During these redirections, the threat actors generated valid Let's Encrypt TLS certificates for the spoofed domains, giving their malicious infrastructure a trusted appearance. While the success of the DNS redirections remained unconfirmed, the use of trusted certificates indicated a sophisticated effort to avoid suspicion. The attackers maintained operational security by reusing the same IP address across multiple redirection attempts, which linked the DNS hijackings to the broader malware campaign. The incident exposed weaknesses in the targeted organizations' network defenses, particularly their susceptibility to social engineering via fake job lures and macro-enabled documents. No specific exfiltrated data or operational disruptions were detailed in available reporting.
