Muddling Meerkat is a newly identified cluster of cyber activity that researchers from Infoblox believe is linked to a Chinese state-sponsored threat actor. Since October 2019, this actor has been manipulating DNS systems globally, with a notable uptick in activity observed in September 2023. The operation is characterized by its unusual approach to DNS manipulation, specifically targeting MX (Mail Exchange) records. By injecting false responses through China’s Great Firewall, Muddling Meerkat is able to distort and potentially misdirect email communications, a behaviour not previously observed from the Great Firewall.
The primary method of DNS manipulation employed by Muddling Meerkat involves causing the Great Firewall to issue fake responses to DNS queries. This manipulation does not merely block or filter content, which is the typical function of the Great Firewall, but actively poisons DNS caches with incorrect information. This poisoning can mislead networks about the addresses of email servers, thereby disrupting email routing. The Great Firewall injects its forged response in a race against the legitimate DNS reply; because its answer typically arrives first, the requester's resolver accepts and caches it, and the genuine answer that follows is discarded.
In their detailed analysis, Infoblox notes that Muddling Meerkat also employs techniques that resemble the “Slow Drip DDoS” attack, though on a smaller scale that suggests the goal is testing rather than disruption. The attackers make DNS requests for non-existent subdomains of targeted domains, which serves to test the resilience and security of network DNS configurations. These requests are designed to create noise and potentially mask more sinister activities or set the stage for larger attacks.
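As an added illustration of how a defender might spot the two patterns described above (forged MX answers racing legitimate ones, and bursts of queries for random non-existent subdomains), the following example is not from the Infoblox report; it parses constructed resolver log lines in an assumed "timestamp qname qtype rcode answer" format and flags conflicting MX answers and slow-drip-style NXDOMAIN probing.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report). Assumed format:
# "<timestamp> <qname> <qtype> <rcode> <answer>", with "-" when no answer data.
SAMPLE_LOG = """\
2023-09-12T10:00:01Z zq7wk.example.com MX NXDOMAIN -
2023-09-12T10:00:02Z a91xv.example.com MX NXDOMAIN -
2023-09-12T10:00:02Z p0ttr.example.com MX NXDOMAIN -
2023-09-12T10:00:03Z lm3ee.example.com MX NXDOMAIN -
2023-09-12T10:00:04Z y8qjd.example.com MX NXDOMAIN -
2023-09-12T10:00:05Z example.com MX NOERROR 10 mail.example.com
2023-09-12T10:00:06Z example.com MX NOERROR 10 bogus-mx.example.net
2023-09-12T10:00:07Z www.corp.test A NOERROR 203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

def parse(log):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, qname, qtype, rcode, answer = m.groups()
            records.append({"ts": ts, "qname": qname.lower().rstrip("."),
                            "qtype": qtype, "rcode": rcode, "answer": answer})
    return records

def registrable(qname):
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    return ".".join(qname.split(".")[-2:])

def find_slow_drip(records, min_distinct=5):
    """Base domains with many distinct NXDOMAIN subdomains: the random-subdomain
    probing pattern that resembles a slow-drip attack."""
    seen = defaultdict(set)
    for r in records:
        base = registrable(r["qname"])
        if r["rcode"] == "NXDOMAIN" and r["qname"] != base:
            seen[base].add(r["qname"])
    return {b: len(n) for b, n in seen.items() if len(n) >= min_distinct}

def find_conflicting_mx(records):
    """Names whose successful MX answers disagree across responses, which is
    what an injected answer racing the legitimate one looks like in a log."""
    answers = defaultdict(set)
    for r in records:
        if r["qtype"] == "MX" and r["rcode"] == "NOERROR":
            answers[r["qname"]].add(r["answer"])
    return {name: sorted(a) for name, a in answers.items() if len(a) > 1}
```

Thresholds and the two-label domain heuristic are placeholders; a production detector would use a public-suffix list and compare answers against the zone's known MX set.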
Infoblox also highlighted the sophisticated nature of the Muddling Meerkat operation, noting that the attackers specifically choose target domains that are older and shorter, which are less likely to be on DNS blocklists. This choice indicates a high level of strategic planning and understanding of DNS management and security practices. The ongoing DNS manipulation and testing by Muddling Meerkat suggest a broader objective to map out network defenses and possibly prepare for future, more disruptive cyber operations. The report from Infoblox includes a list of indicators of compromise and tactics, aiming to aid network administrators in identifying and mitigating these DNS manipulation tactics.