UPDATED 20:18 EDT / JANUARY 22 2019

SECURITY

Homeland Security issues emergency directive following targeted DNS attacks

The Department of Homeland Security today issued an emergency directive ordering federal agencies to audit all Domain Name System records within 10 days.

The directive comes in response to a known security threat, in this case attempts by hackers to hijack DNS records at U.S. government agencies. The DHS Cybersecurity and Infrastructure Security Agency said that it was aware of multiple executive branch agency domains that were hit by a “tampering campaign” and has notified the agencies that maintain them.

The potential attacks start with a hacker compromising user credentials, presumably through phishing, or obtaining the credentials through alternative means, so as to make changes to DNS records. Once access is obtained, those behind the attacks alter DNS records to point the domain to a service with an address the attacker controls, allowing them to intercept traffic.

The diversion to other sites may be short-lived and go unnoticed by the user, since the other site allows for manipulation and inspection before passing the traffic on to the legitimate site. In addition, the directive warns that the attackers can also obtain valid encryption certificates for an organization’s domain names, allowing them to decrypt traffic and steal user data.

The order requires all executive branch departments, except the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence, to complete a full audit of all public and secondary DNS records within 10 days.

In addition, agencies are required to update passwords for all accounts linked to DNS records, add multifactor authentication and implement certificate transparency log monitoring.
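As an added illustration, not taken from the directive or from the original article, the sketch below shows what the record audit and certificate transparency check can look like in practice: observed DNS records are compared against a reviewed baseline, and certificates logged for the audited names are checked against an approved issuer list. The `example.gov` names, the documentation-range addresses, the issuer names and the simplified "name type value" record format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: reviewed baseline vs. records seen during the audit.
BASELINE = """\
example.gov.      NS  ns1.example.gov.
www.example.gov.  A   192.0.2.10
mail.example.gov. A   192.0.2.25
example.gov.      MX  10 mail.example.gov.
"""
OBSERVED = """\
example.gov.      NS  ns1.example.gov.
www.example.gov.  A   192.0.2.10
MAIL.example.gov. A   203.0.113.77
example.gov.      MX  10 mail.example.gov.
"""
# Constructed CT log entries: (name on certificate, issuer).
CT_ENTRIES = [("www.example.gov", "Agency Approved CA"),
              ("mail.example.gov", "Unrecognized CA")]
APPROVED_ISSUERS = {"Agency Approved CA"}

def parse_records(text):
    """Map (lowercased owner name, record type) -> set of record values."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, rtype, value = parts
            records[(name.lower().rstrip("."), rtype.upper())].add(value.strip().lower())
    return records

def audit_dns(baseline, observed):
    """Return a finding for every record set that differs from the baseline."""
    base, seen = parse_records(baseline), parse_records(observed)
    findings = []
    for key in sorted(set(base) | set(seen)):
        missing, unexpected = base[key] - seen[key], seen[key] - base[key]
        if missing or unexpected:
            findings.append((key[0], key[1], sorted(missing), sorted(unexpected)))
    return findings

def audit_ct(entries, audited_names, approved):
    """Return CT entries for audited names whose issuer is not approved."""
    return [(n, i) for n, i in entries if n.lower() in audited_names and i not in approved]

if __name__ == "__main__":
    for finding in audit_dns(BASELINE, OBSERVED):
        print("DNS drift:", finding)
    names = {name for name, _ in parse_records(BASELINE)}
    for entry in audit_ct(CT_ENTRIES, names, APPROVED_ISSUERS):
        print("Unexpected certificate:", entry)
```

Each finding lists the baseline values that are missing and the values that appeared in their place, so a redirected address record and an unexpected certificate for the same name show up side by side.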

Speculating on the source of the attacks, Tom Kellermann, chief cybersecurity officer at Carbon Black Inc., told SiliconANGLE that such an alert from DHS is historic, essentially warning Americans that Iran has escalated cyberwarfare during the U.S. government shutdown. He added that North Korea may be following suit.

“It’s clear the axis of evil in cyberspace is alive, well and acting opportunistically,” Kellermann said.

Photo: U.S. Coast Guard
