Statement on man-in-the-middle attack against Netnod

A sophisticated, strong wave of DNS hijackings has been identified affecting the domain names of government, telecommunications and Internet infrastructure providers in the Middle East, North Africa, Europe and North America.

As a participant in an international security co-operation, Netnod became aware on 2 January 2019 that we had been caught up in this wave and that we had experienced a MITM (man-in-the-middle) attack. Netnod was not the ultimate goal of the attack. The goal is considered to have been the capture of login details for Internet services in countries outside of Sweden.

The unexpected combination of methods used in the global wave of attacks have been described in detail by FireEye in “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale”.

When did it happen and who were affected?

The incident as it affected Netnod occurred in several short windows during the period 14 December 2018 - 2 January 2019. Within this period, Netnod suffered from three different attacks. Two of these involved changes in DNS which affected a small number of customers. The affected customers have all been notified.

The third attack, between 29 December and 2 January, involved some traffic to our DNSNODE web portal and API being redirected to a proxy outside our control. Netnod has conducted detailed forensic work and has concluded that no customers who used the services during this time were affected. This was partly due to the fact that Netnod zones are signed and validated using DNSSEC.

What has Netnod done?

In cooperation with organisations inside and outside of Sweden, Netnod has taken measures to prevent future attacks of this kind. As part of this work, we have conducted detailed log analysis and forensic work to understand exactly what happened, who might have been affected and what immediate security measures to implement. We have been in direct contact with all relevant parties and customers throughout this process.

In addition to maintaining close contact with PTS and CERT-SE (MSB), Netnod has been coordinating responses to this incident with the relevant authorities and organisations in the United States and other countries.

Lessons learned and security improvements after the incident

Following this incident, the US Department of Homeland Security issued an Emergency Directive on 22 January with security recommendations. From Netnod’s perspective, we would like to point to the following measures:

  • Use DNSSEC (both signing zones and validating responses)

  • Use registration features like Registry Lock and the like that can protect domain names from being changed (more information in Swedish is available here)

  • Use classic access control lists for applications, Internet traffic and their monitoring

  • Use 2-factor authentication, and require it to be used by all relevant users and subcontractors

  • In cases where passwords are used, use unique passwords and password managers

  • Review accounts with registrars and other providers

  • Monitor certificates by monitoring, for example, Certificate Transparency Logs (more information is available here)


What is evident from this global incident is that antagonists are using increasingly inventive attack vectors and that the Internet community must continue to work together to mitigate and protect against future attack. No chain is stronger than its weakest link, and antagonists are becoming increasingly skilled at exploiting the gaps in security best practice. At Netnod, we are committed to working together with the global Internet community to ensure that we are all better equipped to deal with future attacks.


For questions, please contact Netnod’s Technical and Security Director, Patrik Fältström, via email: paf[at]netnod[dot]se 

More information (in Swedish)

CERT-SE has published a statement on this incident and a list of recommendations.