A recent surge in cyber activity, dubbed “Muddling Meerkat,” is suspected to be associated with a state-backed Chinese hacking group that has been manipulating Domain Name System (DNS) to probe networks globally since October 2019, with heightened activity observed in September 2023.
An unusual tactic observed in Muddling Meerkat’s operations involves the manipulation of Mail Exchange (MX) records by injecting false responses through China’s Great Firewall (GFW), deviating from the firewall’s typical function of internet censorship.
The intent behind the activity remains unclear, but the discovery shows the group's advanced capability to tamper with global DNS systems.
Muddling Meerkat uses evasion tactics to execute its campaigns.
Spotting Muddling Meerkat's manoeuvres requires scrutinising vast amounts of DNS data, and the activity could easily evade detection or be mistaken for harmless behaviour.
DNS, vital for the internet’s functionality, translates domain names into IP addresses, facilitating network connections. Muddling Meerkat exploits this system by altering DNS queries and responses, mainly targeting the mechanism for resolving IP addresses.
For example, the group manipulates MX record responses via the GFW to potentially reroute emails, a departure from the firewall’s usual role of filtering and blocking content. Instead of merely blocking access to specific sites, Muddling Meerkat issues counterfeit responses, serving objectives like testing the resilience of other networks.
To further hide their actions, Muddling Meerkat initiates DNS requests for nonexistent subdomains of their target domains. While similar to a tactic known as “Slow Drip DDoS,” the researchers emphasise that Muddling Meerkat’s queries are modest in scale and intended for testing rather than disruption.
The group also exploits open resolvers to conceal its activities and interacts with both authoritative and recursive resolvers. According to the investigation, Muddling Meerkat selects target domains with short names registered before 2000, reducing the likelihood of their appearing on DNS blocklists.
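The two behaviours described above, a low-volume stream of queries for nonexistent subdomains and MX answers that do not match what a domain actually publishes, are both visible in resolver logs. The following is an added detection example, not code from the article or from the researchers it cites. The log format, the thresholds, the `MX_BASELINE` table and every sample record are constructed for illustration; a real deployment would read its own resolver's log format and use the public suffix list instead of the two-label `base_domain` shortcut.

```python
from collections import defaultdict

# Constructed resolver log, one query per line:
# "<epoch> <client-ip> <qname> <qtype> <rcode> <answer>"
SAMPLE_LOG = """\
1695945600 10.0.0.5 www.example.com A NOERROR 192.0.2.10
1695945601 10.0.0.5 k3q9z.example.com A NXDOMAIN -
1695945603 10.0.0.7 example.com MX NOERROR mail.example.com
1695945610 10.0.0.5 x8vt2a.example.com A NXDOMAIN -
1695945622 10.0.0.9 wwww.example.org A NXDOMAIN -
1695945630 10.0.0.5 pq71ld.example.com A NXDOMAIN -
1695945641 10.0.0.5 example.com MX NOERROR mx.injected-answer.test
1695945655 10.0.0.5 b2nn0c.example.com A NXDOMAIN -
1695945670 10.0.0.5 zz4r8e.example.com A NXDOMAIN -
"""

# Constructed baseline: the MX hosts each monitored domain is known to publish.
MX_BASELINE = {"example.com": {"mail.example.com"}}


def parse_log(text):
    """Turn the log text into a list of record dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, rcode, answer = parts
        records.append({
            "ts": int(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(),
            "rcode": rcode.upper(),
            "answer": answer.lower(),
        })
    return records


def base_domain(qname):
    """Registrable domain approximated as the last two labels (simplification)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_nxdomain_probing(records, min_unique=4):
    """Return {base_domain: count} for domains that received at least
    min_unique distinct NXDOMAIN subdomains, each queried exactly once.
    Never-repeated random names at low volume are the tell; a single typo
    such as wwww.example.org stays below the threshold."""
    per_base = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        base = base_domain(r["qname"])
        if r["qname"] == base:
            continue  # the zone apex itself, not a subdomain probe
        per_base[base][r["qname"]] += 1
    flagged = {}
    for base, names in per_base.items():
        single_shot = [n for n, c in names.items() if c == 1]
        if len(single_shot) >= min_unique:
            flagged[base] = len(single_shot)
    return flagged


def find_mx_mismatches(records, baseline):
    """Return (qname, observed_answer, expected_hosts) for every successful
    MX answer that disagrees with the baseline for that domain."""
    mismatches = []
    for r in records:
        if r["qtype"] != "MX" or r["rcode"] != "NOERROR":
            continue
        expected = baseline.get(r["qname"])
        if expected is not None and r["answer"] not in expected:
            mismatches.append((r["qname"], r["answer"], sorted(expected)))
    return mismatches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN probing:", find_nxdomain_probing(recs))
    print("MX mismatches:", find_mx_mismatches(recs, MX_BASELINE))
```

The subdomain check deliberately keys on names that are queried only once: a client that retries the same missing name is a misconfiguration, while a drip of fresh, never-repeated labels against one domain is the pattern the article describes. The MX check only fires for domains you have a baseline for, so it is best pointed at your own zones and at partners whose mail you depend on; an unexpected exchange host in a resolver's answer is worth comparing against a direct query to the authoritative server before acting on it.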
As for their motives, Muddling Meerkat might be mapping networks and assessing DNS security for future attacks. Alternatively, they could aim to generate DNS “noise” to conceal more nefarious activities and confuse administrators attempting to trace abnormal DNS requests.
As of now, researchers have yet to uncover the group’s motive behind these operations. Therefore, users and organisations should be aware of these incidents to prepare for any unwanted activities.
