Hibernating cluster wakes up to map the entire Internet - but what could it be planning?
Chinese state-sponsored actors are at 'it' again - if only we knew what 'it' is
Chinese state-sponsored actors are apparently mapping out the entire internet, but it’s hard to determine why. Some media speculate that it might be in preparation for a large-scale cyberattack.
Cybersecurity researchers from Infoblox recently reported that an activity cluster known as Muddling Meerkat has suddenly woken up. This activity was first spotted in 2019, after which it was dormant until September last year.
It seems predominantly designed to manipulate global DNS systems - decentralized network infrastructure that translates human-readable domain names into numeric IP addresses, enabling users to easily access websites and services on the internet.
Slow Drip DDoS or something else?
The activity cluster also manipulates mail exchange (MX) records, by inserting fraudulent responses through the Great Firewall (GFW).
Usually, the Great Firewall will intercept DNS queries leading towards forbidden websites and will return an invalid response, thus essentially blocking access. By triggering false MX record responses from the firewall, the hackers can redirect emails, it was said.
"The GFW can be described as an “operator on the side," meaning that it does not alter DNS responses directly but injects its own answers, entering into a race condition with any response from the original intended destination," the researchers explained. When the GFW response is received by the requester first, it can poison their DNS cache."
"In addition to the GFW, China operates a system referred to as the Great Cannon (GC). The GC is an“operator in the middle,” allowing it to modify packets en route to their destination."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While the findings may point towards a distributed denial of service (DDoS) attack known as “Slow Drip”, Infoblox is more of the opinion that Muddling Meerkat is just testing the resilience of networks. The campaign mostly targets short-named domains, registered before the year 2000, probably to avoid targeting the ones on DNS blocklists.
The motive behind the campaign is currently unknown, but in its writeup, BleepingComputer argued the goal could be to “map networks and evaluate their DNS security to plan future attacks”, or to just create “DNS noise” which can hide bigger attacks happening simultaneously.
More from TechRadar Pro
- China wants to export its Great Firewall to other countries
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.