The hibernating cluster wakes up to map the entire Internet – but what could it be up to?
Chinese state-sponsored actors are apparently mapping the entire Internet, but it’s difficult to determine why. Some media speculate that it may be in preparation for a large-scale cyber attack.
Cybersecurity researchers at Infoblox recently reported that an activity cluster known as Muddling Meerkat has suddenly woken up. This activity was first noticed in 2019, after which it lay dormant until September last year.
It appears primarily designed to manipulate global DNS systems: a decentralized network infrastructure that translates human-readable domain names into numeric IP addresses, allowing users to easily access websites and services on the Internet.
Slow Drip DDoS or something else?
The activity cluster also manipulates mail exchange (MX) records by inserting fraudulent responses through the Great Firewall (GFW).
Normally, the Great Firewall intercepts DNS queries for banned websites and returns an invalid response, effectively blocking access. By triggering fake MX record responses from the firewall, the hackers could reportedly redirect email.
“The GFW can be described as a ‘side operator’, meaning that it does not modify the DNS responses directly, but injects its own responses, creating a race condition with each response from the originally intended destination,” explained the researchers. “If the GFW response is received by the requester first, it could poison the DNS cache.”
“In addition to the GFW, China operates a system called the Great Cannon (GC). The GC is an ‘operator in the middle’, allowing it to alter packets en route to their destination.”
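The race condition described above leaves a visible trace: because a side operator cannot rewrite the real answer, a passive monitor sees two responses to the same query ID that disagree. The script below is an added example (not code from Infoblox or the article) showing how a defender can group observed responses by transaction ID and flag conflicting answers; the response records and domain names are constructed.

```python
"""Flag DNS answers that race a legitimate response for the same query.

Added example, not from the Infoblox report. A side operator injects a
second answer rather than rewriting the real one, so a monitor that sees
every response to a query can detect the disagreement. Sample records
below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    txid: int          # 16-bit DNS transaction ID echoed from the query
    qname: str
    qtype: str         # "A", "MX", ...
    rdata: tuple       # answer records, normalised so they compare equal
    arrival_ms: float  # arrival time at the monitor


def find_racing_answers(responses):
    """Group responses by (txid, qname, qtype); report groups with >1 distinct answer.

    Returns a list of dicts holding the query key, the answer that arrived
    first (the one a resolver would have cached) and the conflicting answers.
    """
    groups = defaultdict(list)
    for r in responses:
        groups[(r.txid, r.qname.lower().rstrip("."), r.qtype)].append(r)
    findings = []
    for key, rs in groups.items():
        if len({r.rdata for r in rs}) < 2:
            continue  # identical duplicates are benign retries, not injection
        rs.sort(key=lambda r: r.arrival_ms)
        findings.append({
            "query": key,
            "cached": rs[0].rdata,  # winner of the race
            "conflicting": [r.rdata for r in rs[1:] if r.rdata != rs[0].rdata],
        })
    return findings


# Constructed sample: an injected MX answer beats the legitimate one; the A
# query receives a harmless duplicate with identical data.
SAMPLE = [
    DnsResponse(0x1A2B, "example.test.", "MX", ((10, "mx1.example.test"),), 12.0),
    DnsResponse(0x1A2B, "example.test.", "MX", ((10, "mx.injected.test"),), 11.4),
    DnsResponse(0x3C4D, "example.test.", "A", (("192.0.2.10",),), 20.0),
    DnsResponse(0x3C4D, "example.test.", "A", (("192.0.2.10",),), 20.3),
]

if __name__ == "__main__":
    for finding in find_racing_answers(SAMPLE):
        print(finding)
```

Content alone does not reveal which answer is genuine; the detection rests on the disagreement itself, which is why the output reports both the cached answer and its competitors.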
While the findings may point to a distributed denial of service (DDoS) attack known as “Slow Drip,” Infoblox believes Muddling Meerkat is merely testing the resilience of networks. The campaign mainly targets short-name domains registered before the year 2000, likely to avoid the domains ending up on DNS blocklists.
The motive behind the campaign is currently unknown. BleepingComputer argued that the goal could be to “map networks and evaluate their DNS security to plan future attacks,” or simply to create “DNS noise” that can hide larger attacks happening at the same time.