
To steal passwords, a group of state-sponsored hackers have gone beyond simply using malware and phishing attacks; they've been tampering with the "phone book for the internet," the Domain Name System, to redirect users into look-alike webpages that can capture victims' login credentials.

For months now, the mysterious hackers have been infiltrating companies that run the Domain Name System, including internet service providers and web-hosting organizations, according to research from Cisco's Talos security group, which has been tracking the attacks. Among the companies hit was Netnod, a Swedish operator behind one of 13 DNS root name servers in the world.

The access the hackers had is scary. The Domain Name System works by translating website lookups into the IP address your browser needs to visit the destination. But what happens if you tamper with the process? Then you can potentially send traffic to a completely different IP address — including to a hacker-controlled website.

The threat of DNS hijacking has been known for years. However, the recent string of attacks on the Domain Name System has Cisco's Talos group particularly worried. For one, the attacks likely came from a skilled and government-backed hacking group. The DNS hijacking attempts also don't appear to be abating.

In total, the hackers have compromised at least 40 different organizations across 13 different countries, Cisco's Talos group said in a Wednesday report.

"DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet," the company's researchers said in the report. "Responsible nations should avoid targeting this system."

The good news is that the attacks, which have been going on since Jan. 2017, haven't been targeting the masses. The ultimate goal has been to hit staffers with government offices, including military and intelligence agencies, located in the Middle East and North Africa.

But the big worry is that other state-sponsored hacking groups will eventually resort to the same tactics and focus on tampering with the Domain Name System to carry out their attacks. Most security products aren't designed to fend off such DNS hijacking attempts, Cisco's Talos group said. As a result, the company's security researchers are urging foreign governments to act and establish standards to protect DNS records.

To pull off the attacks, the mysterious hacking group has likely been using a combination of software vulnerabilities and phishing emails to breach companies running the Domain Name System. They'll then focus on trying to find login credentials that'll enable them to modify the DNS records, and then temporarily redirect traffic to a hacker-controlled website.

"The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days," Talos researchers said. "This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world."

The hacker-controlled websites were designed to spoof the legitimate domains of the various government agencies targeted. The sites even obtained certificates so the browser would display the SSL padlock in the address bar. According to Cisco's Talos group, the hackers also used techniques to impersonate VPN applications in order to harvest the login credentials for them.

Cisco's Talos researchers refrained from naming which country may have been sponsoring the hackers. But other cybersecurity firms suspect the group may be linked with Iran.

To help stop the threat, Cisco's Talos researchers recommend organizations consider using a domain "registry lock service," which will send a notification when a change is made to their DNS records. "If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication...to access your organization's DNS records," they added.
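The change notification a registry lock provides can also be approximated in-house by comparing a domain's live records against a known-good baseline; the following is an added example (not code from Talos or the article), with the domain, record values and the `resolve_a` helper all constructed for illustration:

```python
"""Baseline-diff check for DNS records: alert on any A or NS value that was
added, removed or replaced, which is how a hijack of the kind described
above would surface. Added example; sample data below is constructed."""
import socket
from typing import Dict, Iterable, List, Set

Records = Dict[str, Set[str]]  # record type -> set of record values


def normalize(values: Iterable[str]) -> Set[str]:
    """Lower-case and drop the trailing dot so 'ns1.Example.net.' == 'ns1.example.net'."""
    return {v.strip().lower().rstrip(".") for v in values}


def diff_records(baseline: Records, observed: Records) -> List[str]:
    """Return one alert string per record that differs from the known-good
    baseline; an empty list means the zone still matches."""
    alerts: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = normalize(baseline.get(rtype, ()))
        have = normalize(observed.get(rtype, ()))
        for value in sorted(have - want):
            alerts.append(f"{rtype}: unexpected value {value}")
        for value in sorted(want - have):
            alerts.append(f"{rtype}: expected value {value} missing")
    return alerts


def resolve_a(name: str) -> Set[str]:
    """Live A-record lookup through the stdlib resolver (needs network access;
    hypothetical helper to feed diff_records on a polling schedule)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


# Constructed sample: the known-good zone, and a snapshot in which the A record
# has been repointed and one name server replaced with an attacker-controlled one.
BASELINE: Records = {"A": {"198.51.100.10"},
                     "NS": {"ns1.example.net.", "ns2.example.net."}}
HIJACKED: Records = {"A": {"203.0.113.77"},
                     "NS": {"ns1.example.net", "ns-rogue.example.org"}}

if __name__ == "__main__":
    for line in diff_records(BASELINE, HIJACKED):
        print("ALERT", line)
```

Because the hijacks lasted anywhere from minutes to days, the comparison is only useful if it runs at least every few minutes from more than one vantage point.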

In January, the US government also issued a warning about the DNS hijacking attacks with mitigation tips.