iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
The newly discovered PRC-backed threat actor uses “sophisticated DNS activities” to probe networks all over the globe.
Researchers from cloud security firm Infoblox have observed a sophisticated Chinese threat actor that has been manipulating China’s Great Firewall since at least 2019.
Dubbed Muddling Meerkat after both the “bewildering” nature of its activity and its underground operations, the threat actor has been observed actively controlling traffic both entering and exiting the Chinese internet.
“Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers,” said Dr Renée Burton, vice-president of Infoblox’s threat intel team, in a statement.
“This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”
On the surface, Muddling Meerkat’s operations look like slow-moving distributed denial-of-service (DDoS) attacks, but according to Infoblox, that is most likely not the threat actor’s ultimate goal. The group has a high-level understanding of DNS infrastructure and operations and uses this to propagate DNS queries throughout the internet.
Muddling Meerkat has been observed creating false mail exchange records and triggering DNS queries to domains outside the actor’s control under top-level domains such as .org and .com. The group uses “super-aged” domains from prior to 2000 to help its traffic blend in with other DNS activity as well, making it a highly stealthy actor.
The motivation for the activity remains unclear, but Burton and her researchers feel that DDoS attacks or even propositioning for such attacks are unlikely, as the traffic volume is simply too low. Data exfiltration is also unlikely, as is internet mapping, as this is a very slow way to go about such an activity. It’s also not some form of software bug, according to Infoblox.
What the threat actor is doing, however, remains unclear.
“The data we have suggests that the operations are performed in independent ‘stages’; some include MX queries for target domains, and others include a broader set of queries for random subdomains,” Burton said in the report itself.
“Because the domain names are the same across the stages and the queries are consistent across domain names, both over a multiyear period, these stages surely must be related, but we did not draw a conclusion about how they are related or why the actor would use such staged approaches.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
