DNS Hijacking Campaigns


What Is DNS Hijacking?

DNS (Domain Name System) translates human-readable domain names (like google.com) into IP addresses (like 142.250.80.46) that computers use to communicate. DNS hijacking redirects these translations so that domain names resolve to attacker-controlled IP addresses instead of the legitimate ones.

The impact is profound. When DNS is hijacked, every device that relies on the compromised DNS server for resolution will be directed to the wrong destination. Users type the correct URL in their browser, see the correct domain name in the address bar, but are actually communicating with the attacker's server. Email, web traffic, API calls, and software updates - everything that depends on DNS resolution - can be redirected.

```mermaid
graph TD
    subgraph "Normal DNS Resolution"
        A[User Types google.com] --> B[DNS Query to Resolver]
        B --> C[Recursive Resolution]
        C --> D[Returns 142.250.80.46]
        D --> E[Browser Connects to Google]
    end
    subgraph "Hijacked DNS Resolution"
        F[User Types google.com] --> G[DNS Query to Compromised Resolver]
        G --> H[Returns Attacker IP 203.0.113.50]
        H --> I[Browser Connects to Attacker Server]
        I --> J[Fake Google Page - Credentials Captured]
    end
```

Normal vs hijacked DNS resolution - the user sees the correct domain name but reaches the wrong server

DNS hijacking can occur at multiple levels: at the device (changing the DNS settings on a computer or phone), at the router (changing the DNS settings that the router distributes via DHCP), at the ISP (compromising the ISP's DNS servers), or at the registrar level (changing the authoritative DNS records for an entire domain).

Sea Turtle: Hijacking DNS Registrars

Sea Turtle was a DNS hijacking campaign active from at least early 2017 through 2019, publicly reported by Cisco Talos in April 2019. Talos assessed it as state-sponsored; subsequent press reporting linked the operation to Turkey. The campaign was remarkable for its ambition: rather than compromising individual routers or devices, Sea Turtle compromised DNS registrars, DNS hosting providers, and country-code top-level domain (ccTLD) administrators.

A DNS registrar handles the registration of domain names and submits each domain's delegation to the registry: the NS records in the TLD zone that tell the internet which name servers are authoritative for that domain. A ccTLD administrator runs an entire country's domain namespace (like .sa for Saudi Arabia or .am for Armenia) and publishes the delegations for every domain beneath it. Compromising either entity gives the attacker the ability to redirect any domain it manages, without ever touching the victim's own servers.

```mermaid
graph TD
    subgraph "Sea Turtle Attack Chain"
        A[Compromise DNS Registrar] --> B[Modify NS Records for Target Domain]
        B --> C[Point Domain to Attacker Name Servers]
        C --> D[Attacker Name Servers Respond to Queries]
        D --> E[Direct Users to Attacker Infrastructure]
        E --> F[MITM - Proxy to Real Server]
        F --> G[Capture Credentials in Transit]
        F --> H[Intercept Email]
        F --> I[Monitor Communications]
    end
    subgraph "Alternative: Compromise ccTLD"
        J[Compromise ccTLD Administrator] --> K[Modify Delegation for Entire Domain]
        K --> C
    end
```

Sea Turtle attack chain - compromising registrars and ccTLD administrators to redirect entire domains

Sea Turtle Targets and Methods

Sea Turtle targeted government organizations, military entities, intelligence agencies, and energy companies, primarily in the Middle East and North Africa. Victims included ministries of foreign affairs and national security organizations in countries such as Iraq, Libya, Syria, Turkey, and Jordan, as well as the infrastructure providers (registrars, registries, and DNS hosts) that the attackers passed through to reach them.

The campaign first compromised DNS registrars and hosting companies that managed DNS for the target organizations. Once the registrar was compromised, the attackers modified the DNS records for target domains to point to attacker-controlled name servers. These name servers then resolved queries for the target domain to attacker-controlled IP addresses.

The attackers operated man-in-the-middle proxy servers at these IP addresses. The proxy servers forwarded traffic to the legitimate destination, making the hijacking transparent to end users. But the proxy captured credentials, email content, and other sensitive data as it passed through.

To make the MITM convincing, the attackers obtained legitimate TLS certificates for the hijacked domains. Because they controlled the DNS for those domains, they could complete the domain-validation challenges used by certificate authorities such as Let's Encrypt. Users connecting to the hijacked domain saw a valid HTTPS certificate (the padlock icon appeared as expected) even though they were communicating through the attacker's proxy. CAA records are no defense against this, since the attacker is the one answering the CA's CAA lookup; what does help is monitoring Certificate Transparency logs for certificates issued for your domains that you did not request, which is often the first externally visible sign of a delegation hijack.

Cisco Talos identified at least 40 target organizations across 13 countries affected by Sea Turtle. The campaign demonstrated that DNS infrastructure itself - the registrars, ccTLDs, and authoritative name servers that form the foundation of internet naming - could be targeted as an attack vector.
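The registrar-level change at the heart of Sea Turtle is visible on the wire: the NS records served for the domain stop matching the name servers its owner operates. The following script is an added example (not code from the original page or from Cisco Talos) that parses DNS responses in their RFC 1035 wire format, including compression pointers, and audits the NS delegation in a response against an expected set. The packets are constructed locally by build_response() so it runs offline; example.org, the name-server names and the addresses are illustrative.

```python
"""Parse DNS responses off the wire and audit a domain's NS delegation.

Added example, not code from the original page or from Cisco Talos. The
packets are constructed locally with build_response(), so it runs offline;
the domain, name-server names and IP addresses are illustrative. The same
parser works unchanged on a real answer read from a UDP socket.
"""
import struct

TYPE_CODE = {"A": 1, "NS": 2}
TYPE_NAME = {v: k for k, v in TYPE_CODE.items()}

def encode_name(name):
    """Encode 'ns1.example.org' as length-prefixed labels (RFC 1035 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, qtype, answers, txid=0x1234):
    """Constructed response; answers is a list of (owner, type, rdata). No compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", TYPE_CODE[qtype], 1)
    body = b""
    for owner, rtype, rdata in answers:
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == "A" else encode_name(rdata)
        body += encode_name(owner) + struct.pack("!HHIH", TYPE_CODE[rtype], 1, 300, len(rd)) + rd
    return header + question + body

def decode_name(data, off):
    """Decode a name at offset off, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer into the packet
            if end is None:
                end = off + 2                        # the name ends after the first pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                            # looping pointers: malformed packet
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(data):
    """Return [(owner, type, ttl, value)] for every record in the response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = decode_name(data, off)
        off += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype == 2:
            value, _ = decode_name(data, off)        # NS rdata may point back into the packet
        else:
            value = data[off:off + rdlen].hex()
        off += rdlen
        records.append((owner, TYPE_NAME.get(rtype, rtype), ttl, value))
    return records

def audit_delegation(response, expected_ns):
    """Return the NS names in the response that are not in expected_ns.
    A non-empty result is exactly the registrar-level change Sea Turtle relied on."""
    want = {n if n.endswith(".") else n + "." for n in expected_ns}
    seen = {v for _, t, _, v in parse_response(response) if t == "NS"}
    return sorted(seen - want)

if __name__ == "__main__":
    EXPECTED = ["ns1.example.org", "ns2.example.org"]
    legit = build_response("example.org", "NS", [("example.org", "NS", n) for n in EXPECTED])
    hijacked = build_response("example.org", "NS", [("example.org", "NS", "ns1.example.org"),
                                                     ("example.org", "NS", "ns.attacker-dns.test")])
    print("legit:   ", audit_delegation(legit, EXPECTED))     # []
    print("hijacked:", audit_delegation(hijacked, EXPECTED))  # ['ns.attacker-dns.test.']
```

To run this against a live domain, send a query (the same 12-byte header with flags 0x0100 and a transaction ID, followed by the question section) over UDP to port 53 of one of the parent TLD's name servers and pass the reply to parse_response(). Query the parent rather than your usual resolver: the parent's delegation is what the registrar changes, so that is where the hijack shows first, and because the change is made at the registrar every recursive resolver in the world will agree with it, which is why a view from a second vantage point does not help here.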

DNSChanger: $14 Million in Ad Fraud

DNSChanger was a malware family that operated from approximately 2007 to 2011, infecting an estimated 4 million computers worldwide. Unlike Sea Turtle's espionage objectives, DNSChanger was purely financially motivated: it hijacked DNS to redirect users to fraudulent advertisements, generating approximately $14 million in revenue for its operators.

```mermaid
graph TD
    subgraph "DNSChanger Operation"
        A[Malware Installed on PC] --> B[Change DNS Settings to Rogue Servers]
        B --> C[All DNS Queries Go Through Attacker]
        C --> D[Selective DNS Hijacking]
        D --> E[Replace Legitimate Ads With Fraudulent Ads]
        D --> F[Redirect Search Results to Affiliate Links]
        D --> G[Block Security Updates and AV Sites]
    end
    subgraph "Scale"
        H[4 Million Infected Computers]
        I[$14 Million in Ad Revenue]
        J[6 Estonian Operators Arrested]
        K[Operation Ghost Click - FBI]
    end
```

DNSChanger operation - malware redirected DNS to generate fraudulent ad revenue at scale

The malware changed the infected computer's DNS settings to point to rogue DNS servers run by the Estonian company Rove Digital, with the servers themselves hosted in the United States (the FBI later seized hardware in New York and Chicago). These rogue servers answered most queries correctly, which kept victims from noticing anything wrong, but selectively hijacked certain domains to redirect users to pages carrying fraudulent advertisements or to replace legitimate advertisements on web pages with the attackers' own ads. Blocking antivirus and update sites in the same way kept the infections alive.

The FBI's "Operation Ghost Click" dismantled the DNSChanger infrastructure in November 2011, arresting six Estonian nationals. However, the takedown created a problem: 4 million computers were still configured to use the now-seized DNS servers. If the FBI simply shut down the servers, those 4 million computers would lose DNS resolution entirely - effectively losing internet access.

The FBI arranged for the Internet Systems Consortium (ISC) to operate clean replacement DNS servers at the seized IP addresses, giving infected users continued DNS resolution while they cleaned their systems. These temporary servers operated until July 2012, when they were finally shut down after extensive public awareness campaigns.

The Switcher Trojan

The Switcher Trojan, discovered by Kaspersky Lab in 2016, took a different approach to DNS hijacking. Rather than changing DNS settings on the infected device, it attacked the WiFi router from the inside.

Switcher was an Android trojan distributed through fake versions of the Baidu search app and a WiFi password-sharing app. Once installed on an Android phone, it attempted to log into the WiFi router's administration interface using a list of default and common credentials. If it successfully accessed the router, it changed the router's DNS settings to point to attacker-controlled servers.

This approach was clever because compromising the router's DNS settings affected every device on the network, not just the infected phone. Every computer, tablet, smart TV, and IoT device that takes its DNS configuration from the router (the default for DHCP clients, which is nearly every consumer device) would now resolve names through the attacker's servers. Only devices with a manually configured resolver were unaffected.

Switcher primarily targeted users in China and was configured to redirect DNS to servers that served modified search results and advertisements. The router-based approach amplified the impact: a single infected phone could redirect DNS for an entire household or small office.

Router DNS Hijacking Malware

Beyond Switcher, multiple malware families have targeted router DNS settings. The approach is effective because most users never check their router's DNS configuration after initial setup. A compromised router may redirect DNS for months or years without detection.

The GhostDNS campaign, discovered in 2018, infected over 100,000 routers primarily in Brazil. It used a combination of cross-site request forgery (CSRF) attacks and default credential exploitation to change router DNS settings. The campaign targeted online banking customers, redirecting bank domain names to phishing pages that captured banking credentials.

The Roaming Mantis campaign (also known as MoqHao), active since 2017 and attributed to a Chinese-speaking threat actor, combines router DNS hijacking with mobile malware distribution. After compromising routers and changing their DNS settings, the redirected DNS serves malicious APK files to Android users and phishing pages to iOS users.

Defenses Against DNS Hijacking

Defending against DNS hijacking requires measures at multiple levels.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing a validating resolver to verify that the records it receives were signed by the zone owner and have not been altered in transit. It defeats spoofed responses and cache poisoning, but only if the resolver actually validates; a client that trusts an unvalidating or attacker-controlled resolver gains nothing. It also does not protect against registrar-level hijacking, where the attacker can replace the DS record in the parent zone and re-sign the zone with their own keys, or simply delegate to unsigned name servers. Adoption remains incomplete - many domains and resolvers still do not support DNSSEC.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries between the device and the resolver, so a router that hands out rogue resolvers via DHCP, or anything else in the path, cannot read or rewrite them. When enabled, the device sends DNS queries directly to a trusted resolver (like Cloudflare's 1.1.1.1 or Google's 8.8.8.8) over an encrypted connection, bypassing whatever DNS settings the router provides. Two caveats apply. A hijacked router can still block the DoT port (853) or the DoH endpoint, and a client configured to fall back to plain DNS will then silently revert to the rogue resolver, so use strict (no-fallback) mode where the operating system offers it. And encrypting the transport does nothing against Sea Turtle-style hijacks, where the trusted resolver itself is handed the attacker's records by the registrar.

Monitor your router's DNS settings regularly. Log into your router's admin panel and verify that the DNS servers are set to expected values. If you have not explicitly configured DNS, the WAN-side setting should point to your ISP's DNS servers and the LAN/DHCP setting to the router itself or to the same ISP servers. Any other value warrants investigation. Check from the client side as well, since that is what a DHCP-based hijack actually changes: ipconfig /all on Windows, resolvectl status on systemd-based Linux, and scutil --dns on macOS show which resolvers the device really received.

Use strong, unique passwords for router administration and disable remote management. The Switcher Trojan and GhostDNS campaign both exploited default credentials, and a strong admin password blocks the most common router compromise vector. Keep router firmware updated as well; the CSRF and authentication-bypass bugs that GhostDNS-style campaigns use against the admin interface are only closed by patching, and replacing a router the vendor no longer supports is cheaper than a year of silently redirected banking traffic.

Registrar and registry locks add friction before a delegation can be changed. A registrar lock (the clientUpdateProhibited and clientTransferProhibited EPP statuses) blocks routine changes through the registrar's portal; a registry lock, offered by some registrars for an additional fee, requires the registry to verify an out-of-band request before any NS or DS change is applied, which would have blocked the unauthorized registrar-level changes used in Sea Turtle. Pair either with multi-factor authentication on every registrar and DNS-hosting account, since Sea Turtle reached the delegation by compromising the accounts and systems of the providers that held it.
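The client-side check described above (does this device's resolver list contain anything other than the router and the upstreams you chose?) can be scripted. The following is an added example, not code from the original page: it parses resolv.conf-style text, the format Linux and macOS use for the active resolver list, and classifies each nameserver as an allowlisted upstream, a host on the local LAN, or an unexpected resolver of the kind a DNSChanger- or router-level hijack installs. The sample configuration, the LAN prefix and the allowlist are constructed for the example; 203.0.113.50 and 2001:db8::53 stand in for rogue resolvers.

```python
"""Audit a host's configured DNS resolvers against an allowlist.

Added example, not code from the original page. The sample resolv.conf text,
the LAN prefix and the allowlist below are constructed for illustration;
203.0.113.50 and 2001:db8::53 play the role of rogue resolvers pushed by a
hijacked router. Run as-is it uses the sample; feed it the real file to audit
a host.
"""
import ipaddress

# Constructed sample of what /etc/resolv.conf might contain after a router
# started handing out rogue resolvers via DHCP alongside the legitimate ones.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.arpa
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 203.0.113.50
nameserver 2001:db8::53
options timeout:2
"""

# Upstreams the operator chose deliberately, and the LAN the router lives on
# (both assumptions for the example; adjust for your network).
EXPECTED_UPSTREAMS = {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111"}
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

def parse_nameservers(text):
    """Return the nameserver addresses in file order, skipping comments and junk."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1].split("%")[0]))  # drop IPv6 zone id
            except ValueError:
                continue  # malformed entry: not a resolver, so nothing to audit
    return servers

def classify(addr, expected, lan_networks):
    """'upstream' if allowlisted, 'local' if loopback or on our own LAN (the
    router or a local forwarder), otherwise 'unexpected'. Private space outside
    our LAN is deliberately NOT treated as local: a resolver there is still
    something we never configured."""
    if str(addr) in expected:
        return "upstream"
    if addr.is_loopback or any(addr in net for net in lan_networks):
        return "local"
    return "unexpected"

def audit_resolvers(text, expected=EXPECTED_UPSTREAMS, lan_networks=LAN_NETWORKS):
    """Return {'upstream': [...], 'local': [...], 'unexpected': [...]} as strings."""
    report = {"upstream": [], "local": [], "unexpected": []}
    for addr in parse_nameservers(text):
        report[classify(addr, expected, lan_networks)].append(str(addr))
    return report

if __name__ == "__main__":
    result = audit_resolvers(SAMPLE_RESOLV_CONF)
    for label, addrs in result.items():
        print(f"{label:10s} {', '.join(addrs) or '-'}")
    if result["unexpected"]:
        print("WARNING: unexpected resolver(s) configured; check the router's DHCP DNS settings")
```

A resolver showing up as "unexpected" is not proof of compromise (an ISP or VPN client may legitimately install one), but it is exactly the condition the malware families on this page create, and it is worth resolving to a known cause every time. On Windows the equivalent input is the DNS server list from ipconfig /all rather than a resolv.conf file.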

Monitoring Your DNS Environment

The BLEShark Nano supports WiFi network scanning that reveals the access points and network infrastructure in your environment. During authorized security assessments, understanding the wireless network topology - which routers are serving which networks, and how devices are connected - is the foundation for evaluating DNS security.

Router DNS hijacking affects every device on the compromised network. Identifying the routers and access points in your environment, and verifying their configurations, is a critical step in any network security assessment. The Nano's ability to enumerate WiFi access points helps security professionals map the infrastructure they need to audit.

DNS hijacking campaigns like Sea Turtle, DNSChanger, Switcher, and GhostDNS demonstrate that DNS - the system that translates every domain name into an address - is both essential and vulnerable. Protecting DNS requires attention at every level: the device, the router, the ISP, the registrar, and the protocol itself.
