DNS is a distributed database: a naming system that maps domain names to information about them, such as addresses and mail servers (let's not do the "phone book for the internet" thing anymore, please).
For instance, nzherald.co.nz is mapped to one or more internet protocol addresses, which in turn belong to one or more servers. Your browser asks DNS servers where to find the NZ Herald website and is told an IP address (and sometimes other data) for where it lives.
Gaining control over the DNS records for a domain lets attackers do an amazing amount of evil. They can redirect website visitors to a server they control and dish up whatever they like, from bogus content to malware to login-stealing pages.
The redirection covered email as well. By pointing a domain's mail (MX) records at their own servers, the attackers could inspect and manipulate messages before relaying them on to the real mail servers, and normal users would find that very hard to spot.
Alarmingly, CISA and security vendors noted that the DNS attackers could obtain valid TLS certificates for organisations' domain names. That is because certificate authorities prove you own a domain by checking its DNS, which the attackers now controlled. With those certificates installed on their servers, the attackers could terminate the encrypted connections themselves and read the traffic without any browser warning to give the game away, rendering an important line of defence against traffic interception and tampering useless.
CISA said "multiple executive branch agency domains" were affected, meaning the attackers struck solid gold and may have been able to siphon off sensitive data for a couple of years.
How did the attackers manage to get themselves into such a position of power?
Security vendors believe the attackers obtained login credentials, through phishing and by compromising a registrar, for accounts that were allowed to change DNS settings.
Add to that a lack of multi-factor authentication (MFA) on those accounts and no monitoring of changes to DNS records, and the mind boggles as to how such critical internet infrastructure was left so poorly protected.
The CISA Emergency Directive is now ordering some ambulance-at-the-bottom-of-the-cliff measures to fix up the mess for government agencies. These include auditing DNS records to check they point where they should, changing the passwords on the accounts that can alter them, adding MFA, and checking Certificate Transparency logs for certificates nobody asked for so they can be revoked.
Local organisations with an internet presence should take heed of this and harden up their systems too, because the attacks are simple, effective and very likely to continue.
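Here is what "keeping an eye on DNS records" looks like in practice, and how the website and mail redirection described earlier would show up. This is an added example, not code from the column, from CISA or from any vendor report: a checker that compares a known-good baseline of a zone's records against what resolvers currently return and flags anything missing or unexpected. The domain names, addresses and the "observed" answers are constructed for illustration, and the resolver is a canned in-memory one so the script runs offline; swapping in a real lookup is noted in the comments.

```python
"""Detect DNS record drift against a known-good baseline.

Added example (not from the column, CISA or any vendor). All domains,
addresses and the "observed" answers below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A record set is keyed by (owner name, record type) and holds the set of
# RDATA strings expected for it, e.g. {("www.example.test", "A"): {"198.51.100.10"}}.
RecordSets = Dict[Tuple[str, str], FrozenSet[str]]
Resolver = Callable[[str, str], FrozenSet[str]]

# Baseline: what the zone *should* say. In real use this is exported from the
# authoritative zone and kept under version control (constructed here).
BASELINE: RecordSets = {
    ("www.example.test", "A"): frozenset({"198.51.100.10"}),
    ("example.test", "MX"): frozenset({"10 mail.example.test."}),
    ("mail.example.test", "A"): frozenset({"198.51.100.25"}),
    ("example.test", "NS"): frozenset({"ns1.example.test.", "ns2.example.test."}),
}

# Constructed "live" answers modelling a hijack: the website and the mail
# exchanger now point at attacker-controlled hosts; NS records are untouched.
OBSERVED_HIJACKED: RecordSets = {
    ("www.example.test", "A"): frozenset({"203.0.113.7"}),
    ("example.test", "MX"): frozenset({"10 mx.attacker-relay.test."}),
    ("mail.example.test", "A"): frozenset({"198.51.100.25"}),
    ("example.test", "NS"): frozenset({"ns1.example.test.", "ns2.example.test."}),
}


@dataclass
class Finding:
    name: str
    rtype: str
    missing: FrozenSet[str]     # expected RDATA no longer being returned
    unexpected: FrozenSet[str]  # RDATA returned that the baseline does not list

    @property
    def severity(self) -> str:
        # An unexpected MX or NS record means mail interception or a redirected
        # delegation, the worst cases; any other change still needs chasing.
        if self.rtype in {"MX", "NS"} and self.unexpected:
            return "critical"
        return "warning"


def diff_records(baseline: RecordSets, observed: RecordSets) -> List[Finding]:
    """Return one Finding per baseline record set that differs from observed."""
    findings: List[Finding] = []
    for (name, rtype), expected in baseline.items():
        actual = observed.get((name, rtype), frozenset())
        if actual != expected:
            findings.append(Finding(name, rtype, expected - actual, actual - expected))
    return findings


def make_resolver(answers: RecordSets) -> Resolver:
    """Build a resolve(name, rtype) callable backed by canned answers.

    To run this for real, replace the body with an actual lookup (for example
    dnspython's dns.resolver.resolve, an assumption, not a dependency here) and
    query several independent recursive resolvers plus the authoritative
    servers: a hijack at the registrar shows up everywhere, whereas cache
    poisoning may show up on only one resolver.
    """
    def resolve(name: str, rtype: str) -> FrozenSet[str]:
        return answers.get((name, rtype), frozenset())
    return resolve


def check_zone(baseline: RecordSets, resolve: Resolver) -> List[Finding]:
    """Resolve every record set in the baseline and diff it against what came back."""
    observed = {key: resolve(*key) for key in baseline}
    return diff_records(baseline, observed)


if __name__ == "__main__":
    for f in check_zone(BASELINE, make_resolver(OBSERVED_HIJACKED)):
        print(f"[{f.severity}] {f.name} {f.rtype}: "
              f"missing={sorted(f.missing)} unexpected={sorted(f.unexpected)}")
```

Run on a schedule (a few times an hour is cheap) and page someone on any critical finding. Against the constructed hijack above it reports a warning for the www A record and a critical finding for the MX record, which is precisely the change that lets email be read in transit.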