The Department of Homeland Security has issued an emergency directive requiring civilian executive branch agencies to take steps to defend themselves against cyber attackers who have intercepted the Internet and e-mail traffic of some federal agencies. “In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving domain name system (DNS) infrastructure tampering.  CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,” said the directive, which was issued yesterday by Christopher Krebs, CISA’s director.

The attackers have obtained user names and passwords that enable them to make changes to DNS records, the directive said.  They have changed those records by “replacing the legitimate address of a service with an address the attacker controls.  This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose,” it said.

Citing “significant and imminent risks to agency information and information systems presented by this activity,” the directive requires agencies within 10 days to audit their DNS records to “verify they resolve to the intended location.”  Agencies also should change their DNS account passwords and add multifactor authentication to their DNS accounts. The directive did not indicate which agencies had already been affected by the attacks.  DHS was given authority by the Cybersecurity Enhancement Act of 2015 to require all executive branch agencies, except intelligence agencies and the Defense Department, to address cybersecurity concerns. — Tom Leithauser, tom.leithauser@wolterskluwer.com

Courtesy TRDaily