China-Linked ‘Muddling Meerkat’ Uses DNS Hijacking for Global Internet Mapping

A newly discovered cyber threat known as Muddling Meerkat has emerged, exhibiting complex domain name system (DNS) activities since October 2019. The threat, likely affiliated with China, manipulates DNS to evade security measures and conduct network reconnaissance globally.

The research identified the threat actor’s ability to control the Great Firewall (GFW), which regulates internet traffic in China. The name “Muddling Meerkat” refers to the actor’s confusing operations and its use of open DNS resolvers to send queries from Chinese IP addresses.

The actor demonstrates a deep understanding of DNS, a rare trait among threat actors. By triggering DNS queries for various record types to domains not owned by them but under common top-level domains like .com and .org, Muddling Meerkat evades detection.

Researchers detected the threat actor through anomalous DNS MX record requests from customer devices, identifying over 20 targeted domains. The Great Firewall’s DNS spoofing and tampering techniques inject fake DNS responses to block or redirect queries containing banned keywords or domains.

The most intriguing aspect of Muddling Meerkat is its false MX record responses from Chinese IP addresses, a departure from the GFW’s typical behavior. This behavior suggests a high level of coordination with the GFW operators.

The exact purpose of Muddling Meerkat’s activities remains unclear. Speculations range from internet mapping efforts to covert research. However, its sophisticated DNS operations pose a significant challenge for detection and understanding.

The threat posed by Muddling Meerkat and similar operations is ongoing. Agencies like CISA and the FBI continue to raise alarms about undetected Chinese prepositioning operations. Understanding and countering such threats remains critical to safeguarding global networks.

To prevent falling victim to DNS manipulation like Muddling Meerkat, it’s crucial to maintain updated antivirus software, employ DNS security solutions, and regularly monitor DNS traffic for anomalies. Additionally, ensuring that your network’s DNS servers are properly configured and only accept queries from trusted sources can help mitigate the risk of such attacks.
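As an added example for the anomalous-MX-request detection described earlier and the DNS-monitoring advice above (this code is not from the article or the underlying report), the following Python script scans BIND-style resolver query logs and flags domains that draw repeated MX lookups across several random-looking subdomains. The log lines, domain names and thresholds are constructed for illustration; the two-label base-domain heuristic is an assumption that ignores the public suffix list.

```python
import re
from collections import defaultdict

# BIND-style query log line; the "@0x..." client handle is optional.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+ .*?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample log (not real data): one legitimate MX lookup for a
# mail partner, then a burst of MX queries for random labels under a domain
# this resolver has no business looking up mail records for.
SAMPLE_LOG = """\
26-Apr-2024 10:00:01.001 client @0x7f3a1c0 10.0.0.5#53211 (mail.partner.example): query: mail.partner.example IN MX +E(0)K (10.0.0.1)
26-Apr-2024 10:00:01.002 client @0x7f3a1c0 10.0.0.5#53212 (www.partner.example): query: www.partner.example IN A +E(0)K (10.0.0.1)
26-Apr-2024 10:00:02.010 client @0x7f3a1c0 10.0.0.23#41000 (qv7x.somecorp.example): query: qv7x.somecorp.example IN MX +E(0)K (10.0.0.1)
26-Apr-2024 10:00:02.020 client @0x7f3a1c0 10.0.0.23#41001 (m2pd.somecorp.example): query: m2pd.somecorp.example IN MX +E(0)K (10.0.0.1)
26-Apr-2024 10:00:02.030 client @0x7f3a1c0 10.0.0.23#41002 (x81a.somecorp.example): query: x81a.somecorp.example IN MX +E(0)K (10.0.0.1)
26-Apr-2024 10:00:02.040 client @0x7f3a1c0 10.0.0.23#41003 (k9zz.somecorp.example): query: k9zz.somecorp.example IN MX +E(0)K (10.0.0.1)
26-Apr-2024 10:00:03.000 client @0x7f3a1c0 10.0.0.7#50000 (somecorp.example): query: somecorp.example IN A +E(0)K (10.0.0.1)
"""

def parse(lines):
    """Yield (client, qname, qtype) for every line the regex recognises."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def base_domain(qname):
    """Last two labels; an assumption that ignores the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def find_mx_anomalies(lines, expected_mx_domains, min_queries=3, min_labels=2):
    """Group MX queries by base domain and flag domains outside the expected
    set that receive repeated MX lookups for several distinct subdomains."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "labels": set()})
    for client, qname, qtype in parse(lines):
        if qtype != "MX" or base_domain(qname) in expected_mx_domains:
            continue
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["clients"].add(client)
        s["labels"].add(qname)
    return {d: s for d, s in stats.items()
            if s["queries"] >= min_queries and len(s["labels"]) >= min_labels}

if __name__ == "__main__":
    for domain, s in find_mx_anomalies(SAMPLE_LOG.splitlines(), {"partner.example"}).items():
        print(f"{domain}: {s['queries']} MX queries, {len(s['labels'])} labels, clients={sorted(s['clients'])}")
```

In production the expected-domain set would be built from historical MX lookups, and a hit is a starting point for review rather than proof of this campaign.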