Threat intel researchers from Infoblox, in collaboration with external researchers, have uncovered ‘Muddling Meerkat’, a likely Chinese state actor with the ability to control the Great Firewall (GFW) of China, a system that censors and manipulates traffic entering and exiting China’s Internet.
This DNS threat actor is adept at bypassing traditional security measures: it operates by generating large volumes of widely distributed DNS queries, which are then propagated across the Internet via open DNS resolvers. Infoblox leveraged its deep understanding of and access to DNS to discover this cyberthreat before any incident occurred, blocking the actor’s domains to keep its customers safe.
Dr. Renée Burton, Vice President, Infoblox Threat Intel, said: “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”
The moniker ‘Muddling Meerkat’ describes an actor that, like the animal, appears cute but can in reality be dangerous, living out of view in a complex network of underground burrows. From a technical perspective, ‘Meerkat’ references the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records. ‘Muddling’ refers to the bewildering nature of the actor’s operations.
Muddling Meerkat has been operating covertly since at least October 2019. At first glance, its operations resemble Slow Drip distributed denial-of-service (DDoS) attacks; however, DDoS is unlikely to be the ultimate goal. The actor’s motivation is unknown, though it may be performing reconnaissance or prepositioning for future attacks.
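The Slow Drip-like pattern described above (many queries for random subdomains of one base domain, spread across many source addresses, here with the MX record type) is something a resolver operator can look for in their own query logs. The following is an added illustration, not Infoblox’s code or detection logic; the log format and the sample lines are constructed, and the “random label” regex is a simple heuristic assumption.

```python
"""Flag Slow Drip-style DNS query patterns in constructed resolver logs."""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "client qname qtype" format.
SAMPLE_LOG = """\
203.0.113.10 k3j9x2.example-target.test MX
203.0.113.10 q8w1z7.example-target.test MX
198.51.100.7 m2n4b6.example-target.test MX
198.51.100.7 p0o9i8.example-target.test MX
203.0.113.44 z1x2c3.example-target.test MX
192.0.2.5 www.example-target.test A
192.0.2.5 mail.corp.test MX
192.0.2.5 mail.corp.test MX
"""

# Heuristic (assumption): a leftmost label of 5+ chars mixing letters and
# digits is treated as machine-generated; real hostnames usually are not.
RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,}$")


def parse(log):
    """Split log text into (client, qname, qtype) tuples."""
    rows = []
    for line in log.splitlines():
        client, qname, qtype = line.split()
        rows.append((client, qname.lower().rstrip("."), qtype.upper()))
    return rows


def base_domain(qname):
    """Crude base-domain extraction: last two labels (no public-suffix list)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def slow_drip_candidates(rows, min_unique=3, qtype="MX"):
    """Return base domains that received >= min_unique queries for distinct
    random-looking subdomains of the given qtype, with the client spread."""
    subs = defaultdict(set)
    clients = defaultdict(set)
    for client, qname, qt in rows:
        labels = qname.split(".")
        if qt != qtype or len(labels) < 3 or not RANDOM_LABEL.match(labels[0]):
            continue
        base = base_domain(qname)
        subs[base].add(labels[0])
        clients[base].add(client)
    return {b: {"unique_subdomains": len(s), "distinct_clients": len(clients[b])}
            for b, s in subs.items() if len(s) >= min_unique}
```

Thresholds and the base-domain logic are deliberately simple; in production you would use a public-suffix list and tune `min_unique` to your resolver’s normal query volume.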