Infoblox Threat Intel Discovers Muddling Meerkat, A DNS Operation Controlling China’s Great Firewall
Infoblox Inc., a leader in cloud networking and security services, today announced that its threat intel researchers, in collaboration with external researchers, have uncovered ‘Muddling Meerkat’, a likely People's Republic of China (PRC) state actor with the ability to control the Great Firewall (GFW) of China, a system that censors and manipulates traffic entering and exiting China’s internet. This domain name system (DNS) threat actor is particularly sophisticated in its ability to bypass traditional security measures, as it conducts operations by creating large volumes of widely distributed DNS queries that are subsequently propagated through the internet through open DNS resolvers. Infoblox leveraged its deep understanding and unique access to DNS to discover this cyberthreat, pre-incident, blocking its domains to ensure its customers are safe.
“Infoblox Threat Intel eats, sleeps, and breathes DNS data,” said Dr. Renée Burton, Vice President, Infoblox Threat Intel. “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”
The moniker ‘Muddling Meerkat’ was given to describe the actor as an animal that appears cute, but in reality, it can be dangerous, living in a complex network of burrows underground, and out of view. From a technical perspective, ‘Meerkat’ references the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records. ‘Muddling’ refers to the bewildering nature of their operations.
With a deep understanding of and visibility into DNS Infoblox Threat Intel can see attacker infrastructure as it’s created, stopping both known and emerging threats earlier. With 46 million unique threat indicators detected in 2023 and a practically non-existent false positive rate of 0.0002 per cent, Infoblox Threat Intel detected 82 per cent of threats before or at the first query thus far in 2024 leveraging our patent pending threat intelligence system along with Infoblox’s new Zero Day DNS capability.
The threat actor, Muddling Meerkat, has been operating covertly since at least October 2019. At first glance, its operations look like Slow Drip distributed denial-of-service (DDoS) attacks, however, it is unlikely DDoS is their ultimate goal. The motivation of the actor is unknown, though they may be performing reconnaissance or prepositioning for future attacks.
Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries.
The research further shows that their operations:
- Induce responses from the Great Firewall, including false MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy.
- Trigger DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose.
- Utilise super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s understanding of both DNS and existing security controls.