Introducing Muddling Meerkat, a new threat actor controlling the Great Firewall of China

The recently discovered PRC-backed threat actor uses “sophisticated DNS activities” to probe networks around the world.

Researchers at cloud security company Infoblox have observed a sophisticated Chinese threat actor that has been manipulating the Great Firewall of China since at least 2019.

Dubbed Muddling Meerkat for the “baffling” nature of its activity and its clandestine operations, the threat actor has been observed actively monitoring traffic entering and exiting the Internet in China.

“Our relentless focus on DNS, using cutting-edge data science and artificial intelligence, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers,” said Dr. Renée Burton, vice president of Infoblox’s threat intelligence team, in a statement.

“This actor’s complex operations demonstrate a strong understanding of DNS, highlighting the importance of having a DNS Detection and Response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”

At first glance, Muddling Meerkat’s operations look like slow distributed denial of service (DDoS) attacks, but according to Infoblox, that is most likely not the threat actor’s ultimate goal. The group has a high level of knowledge of DNS infrastructure and operations and uses it to propagate DNS queries across the Internet.

Muddling Meerkat has been observed creating fake mail exchange (MX) records and triggering DNS queries to domains outside the actor’s control under top-level domains such as .org and .com. The group also uses “super old” pre-2000 domains to help its traffic blend in with other DNS activity, making it a very stealthy actor.

The motivation for the activity is still unclear, but Burton and her researchers believe that DDoS attacks, or even proposals for such attacks, are unlikely, as the traffic volume is simply too low. Data exfiltration is also unlikely, as is internet mapping, since the observed activity would be a very slow way to do either. Nor is it some kind of software bug, according to Infoblox.

However, it is still unclear what the threat actor is doing.

“The data we have suggests that operations are carried out in independent ‘stages’; some include MX queries for target domains and others include a broader set of queries for random subdomains,” Burton said in the report.

“Because the domain names are the same at all stages and the queries are consistent across all domain names, both over a period of several years, these stages must surely be related, but we do not reach a conclusion on how they relate or why the actor would use such phased approaches.”
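The pattern Infoblox describes, MX queries for random-looking subdomains of the same target domain, is something a resolver operator can look for in their own query logs. The following is an added detection example, not code from Infoblox or from the report; the log line format, the entropy threshold and the minimum-subdomain threshold are all assumptions, and the log lines are constructed.

```python
# Added example (not from the Infoblox report): flag domains that receive
# MX queries for many distinct, random-looking subdomains. The log format
# "<epoch> <client-ip> <qname> <qtype>" and the thresholds are assumptions.
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs; example.org gets a burst of
# MX queries for random labels, example.com only gets ordinary ones.
SAMPLE_LOG = """\
1714000001 10.0.0.5 mail.example.org MX
1714000002 10.0.0.7 x7k2qp.example.org MX
1714000003 10.0.0.7 m9ztr4.example.org MX
1714000004 10.0.0.8 q1wv8n.example.org MX
1714000005 10.0.0.9 www.example.org A
1714000006 10.0.0.7 b3hjy0.example.org MX
1714000007 10.0.0.5 mail.example.com MX
1714000008 10.0.0.5 smtp.example.com MX
"""

# Labels a legitimate MX lookup would plausibly use; anything else with
# digits and high character entropy is treated as random (heuristic).
COMMON_LABELS = {"mail", "smtp", "mx", "mx1", "mx2", "www"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random labels score higher than dictionary words."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def looks_random(label: str) -> bool:
    return (label not in COMMON_LABELS
            and any(ch.isdigit() for ch in label)
            and shannon_entropy(label) >= 2.0)

def find_suspicious(log_text: str, min_subdomains: int = 3) -> dict:
    """Return {base_domain: [random labels]} for domains over the threshold.
    The base domain is assumed to be the last two labels (no public-suffix list)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname, qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        if qtype != "MX" or len(labels) < 3:
            continue  # only MX queries for subdomains are of interest
        if looks_random(labels[0]):
            seen[".".join(labels[-2:])].add(labels[0])
    return {d: sorted(s) for d, s in seen.items() if len(s) >= min_subdomains}

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

On the constructed log this flags example.org with four random labels and leaves example.com alone; a real deployment would also correlate the same pattern across many target domains over time, as the article notes the activity runs in stages.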
