Politically targeted DNS in 2016 and 2020

Presented at VB2019, Oct. 4, 2019, 11 a.m. (30 minutes)

Disinformation campaigns are the latest form of cyber-warfare. They involve nation states and foreign actors using massive online delivery mechanisms such as social media sites to distribute subversive or influential political content to millions of citizens. At the same time, smaller campaigns identify political headlines and twist them to lure individuals to click on links and advertisements. While much has been discussed about the negligence of social media sites in their efforts to prevent the spread of misinformation, there has not been a comprehensive study of the weaponization of domain names, in DNS, related to political events. There is no more clarity today than in 2016 as to the breadth of keywords or top-level domains (TLDs) and hosting infrastructure used to orchestrate misinformation campaigns, click-bait, and other dubious activities. Using Cisco Umbrella's global visibility in DNS we'll analyse three months leading up to the 2016 elections in the US, identifying domains based on political keywords, unearthing infrastructure spanning the globe from telecom companies and content delivery networks (CDNs) in the US to Russia. While the Democratic Primaries begin to ramp up for the 2020 election cycle, we'll report on the latest domains and infrastructures seen today. How many US politically motivated domains are hosted in Eastern European countries? What infrastructure has evolved since the 2016 US elections? Come and find out. ### Related links * [Domain names and DNS are being ‘weaponized' to spread political propaganda](https://portswigger.net/daily-swig/domain-names-and-dns-are-being-weaponized-to-spread-political-propaganda) (*The Daily Swig*)

Presenters:

• Dhia Mahjoub - Cisco Umbrella
  Dhia Mahjoub Dr. Dhia Mahjoub is Head of Security Research at Cisco Umbrella. He works with his team on building large-scale threat detection and threat intelligence systems, driving new product features and supporting major business deals in the US, Europe, and APAC. He has 15+ years experience in network security, has authored patents with OpenDNS and holds a Ph.D. in graph data analysis. Dhia has been supporting law enforcement through his investigation of cybercrime and speaking about it at the Europol-INTERPOL Cybercrime Conference, the Dutch NCSC One Conference and the SANS CTI Summit. He has given keynotes at KPMG and Orange security events and is a frequent speaker at conferences worldwide including Black Hat, Defcon, Virus Bulletin, RSA, FS-ISAC and FIRST. He's also on the program committee of Botconf and the ACM DTRAP journal.
• Andrea Kaiser - Cisco Umbrella
  Andrea Kaiser Andrea began her career in infrastructure support and worked as a sysadmin for 12 years. Security has always been her passion. She began working with OpenDNS in 2015 as a security researcher. OpenDNS transitioned to be Cisco Umbrella, and has grown to have 175 billion Internet requests a day, allowing a great view for the security research teams. Andrea now manages the Security Research Analysts team. The analysts work to identify malicious requests coming from attacker or compromised infrastructure related to cybercriminal activities. Andrea has presented at BSides Las Vegas, BSides Amsterdam, DeepSec, and SANS Threat Hunting and Incident Response Summit. Her presentations have been about botnet communications, and how to gather IOCs related to malicious activity through threat hunting.
• John Cunniff - Cisco Umbrella
  John Cunniff John Cunniff is an aspiring security expert that currently attends NYU's Tandon School of Engineering for Computer Science. He is a member of the OSIRIS cybersecurity lab and NYU's CTF (capture the flag) team NYUSEC where he specializes in web challenges. John has worked at Cisco Umbrella since mid-2019 as a software engineer on the Applied Research team. At Cisco, John has specialized in engineering tools and mechanisms that have empowered the team to be industry leaders in DNS security.
• David Rodriguez - Cisco Umbrella
  David Rodriguez David is tech lead on engineering and data science initiatives for Cisco Umbrella research focusing on large-scale cybersecurity threat detection. He has authored multiple patents with Cisco identifying malicious network traffic using deep learning and behavioural analytics. He is known for his open-source work on projects such as Rainier, a probabilistic programming framework, and speaking about machine learning and big data technologies in cybersecurity at conferences like Black Hat, O'Reilly Strata, Flink Forward, Flocon, Virus Bulletin, and HitBSEC.

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/politically-targeted-dns-2016-and-2020

Similar Presentations:

• DeepSec 2018 „I like to mov &6974,%bx“ / DNS Exfiltration and Out-of-Band Attacks
• Black Hat USA 2016 / Dark Side of the DNS Force
• DEF CON 22 (2014) / Domain Name Problems and Solutions