In November 2018, Cisco Talos disclosed “DNSpionage,” a sophisticated cyber-espionage campaign that hijacked the DNS records of Lebanon’s Ministry of Finance (webmail.finance.gov.lb) and Middle East Airlines (memail.mea.com.lb).
The attackers redirected email traffic through attacker-controlled servers, obtained fraudulent Let’s Encrypt TLS certificates to avoid browser security warnings, and silently intercepted the login credentials and email content of government employees and airline staff.
The campaign, later linked to Iranian APT group OilRig/APT34, demonstrated how DNS manipulation could compromise an entire country’s government email communications without touching the target’s infrastructure directly.
## Key Facts
- **What:** Iranian APT hijacked DNS for Lebanon's Finance Ministry and Middle East Airlines.
- **Who:** Government employees and MEA airline staff had email intercepted.
- **Data Exposed:** Email credentials, VPN logins, and email content via man-in-the-middle.
- **Outcome:** Government never acknowledged the breach; zero regulatory consequence.
## What Was Exposed
- Email login credentials for Lebanese Ministry of Finance employees accessing webmail.finance.gov.lb
- Email content in transit, intercepted as users connected through the hijacked DNS to attacker-controlled proxies
- VPN credentials for government networks, captured through man-in-the-middle positioning on authentication portals
- Middle East Airlines corporate email credentials via the compromised memail.mea.com.lb domain
- Email metadata including sender/recipient addresses, timestamps, subject lines, and attachment names
- Potentially any data transmitted through the hijacked domains during the period of DNS compromise
The attack methodology was elegant in its simplicity and devastating in its impact.
Rather than attempting to breach the Finance Ministry’s or MEA’s internal servers, which may have been reasonably hardened, the attackers manipulated DNS records at the registrar or hosting provider level to redirect traffic.
When a Finance Ministry employee attempted to access their webmail, their browser resolved the domain to an attacker-controlled IP address instead of the legitimate server.
The attacker’s server then proxied the connection to the real webmail server, creating a transparent man-in-the-middle position that captured credentials and email content while delivering a seamless experience to the user.
The use of fraudulent Let’s Encrypt TLS certificates was a critical operational detail. Without valid TLS certificates, users would have received browser security warnings when connecting to the hijacked domains, potentially alerting them to the compromise.
By obtaining legitimate Let’s Encrypt certificates for the hijacked domains (possible because they had temporary DNS control), the attackers ensured that users saw the familiar padlock icon and received no security warnings.
This technique exploited a fundamental trust assumption in the TLS certificate ecosystem: that DNS control equates to domain ownership.
The targeting of Lebanon’s Finance Ministry was strategically significant. The ministry handles the country’s fiscal policy, tax administration, customs operations, and international financial relationships.
Email communications within and from the ministry could contain budget deliberations, tax policy discussions, sanctions-related correspondence, international loan negotiations, and communications with institutions like the IMF and World Bank.
For an intelligence service interested in Lebanon’s financial decision-making and international economic relationships, the Finance Ministry webmail was arguably the single highest-value email target in the Lebanese government.
The compromise of Middle East Airlines’ email systems, while less immediately obvious as an intelligence target, served complementary purposes.
MEA is Lebanon’s flag carrier airline, and its corporate email systems would contain passenger manifests, flight schedules, crew assignments, and commercial correspondence.
For an intelligence agency, airline data provides insight into the travel patterns of individuals of interest, and corporate email may reveal upcoming flight routes, security procedures, and VIP passenger arrangements.
Cisco Talos’s initial disclosure did not attribute the campaign to a specific threat actor, but subsequent research by FireEye (now Mandiant) and other firms linked DNSpionage to OilRig/APT34, an Iranian state-sponsored espionage group known for targeting government and critical infrastructure entities across the Middle East.
The attribution was based on infrastructure overlaps, malware code similarities, and targeting patterns consistent with Iranian intelligence priorities.
A broader investigation by FireEye in January 2019 revealed that DNSpionage was part of a wider campaign that also targeted government domains in the UAE and other Middle Eastern countries.
The DNS hijacking technique used in DNSpionage was not unique to this campaign.
In January 2019, the U.S. Department of Homeland Security issued Emergency Directive 19-01, ordering all federal agencies to audit their DNS records and implement additional DNS security controls in response to a wave of DNS hijacking attacks attributed to Iranian actors.
This directive, unprecedented in its urgency, underscored the severity of DNS manipulation as a threat vector and the global scope of the campaign of which the Lebanese targeting was one component.
## Regulatory Analysis
The DNSpionage campaign against Lebanon’s Finance Ministry occurred in October-November 2018, just weeks after the enactment of Law No. 81 on Electronic Transactions and Personal Data on October 10, 2018. The law was technically in effect, but no implementing regulations had been issued, no DPA had been established, and no government agency had begun the process of compliance.
The law existed in name only.
Under Law No. 81, the Ministry of Finance, as a data controller processing the personal data of employees and citizens who interact with the ministry, had obligations to implement appropriate security measures to protect personal data.
The compromise of the ministry’s email system through DNS hijacking represents a failure to secure a critical communication channel.
However, it is important to note that the vulnerability exploited was not in the ministry’s own infrastructure but in the DNS infrastructure managed by the domain registrar or hosting provider.
This raises questions about the scope of a data controller’s responsibility for the security of third-party infrastructure upon which its services depend.
In a jurisdiction with a functioning DPA, the DNS hijacking of a government ministry’s email system would trigger a mandatory investigation.
The DPA would assess whether the ministry had implemented DNS security measures such as DNSSEC (Domain Name System Security Extensions), which cryptographically signs DNS records so that validating resolvers can detect and reject unauthorized modifications.
The DPA would also evaluate whether the ministry had monitoring in place to detect unauthorized changes to its DNS records, and whether the ministry had implemented email security measures such as DMARC, DKIM, and SPF that could have provided additional layers of protection against email interception.
Without a DPA, none of these assessments occurred. The Lebanese government never publicly acknowledged the compromise of the Finance Ministry’s email system. No investigation into the scope of the credential theft was announced.
No notification was provided to ministry employees whose credentials were stolen or to citizens whose communications with the ministry may have been intercepted. The incident passed with no regulatory consequence whatsoever, a perfect illustration of law without enforcement.
The cross-border attribution to an Iranian APT group adds complexity that Lebanon’s regulatory framework is wholly unequipped to address. Even if a DPA existed, it would have no mechanism to investigate or sanction a foreign state-sponsored threat actor.
The appropriate response would be a coordinated diplomatic and intelligence effort, but Lebanon’s complex political relationship with Iran (Hezbollah, an Iranian proxy, is a dominant force in Lebanese politics) made any official attribution or protest politically impossible.
The DNSpionage campaign against Lebanon thus existed in a perfect storm of regulatory, political, and institutional failure.
## What Should Have Been Done
The DNSpionage attack was preventable through the implementation of DNS security measures that were well-established best practices in 2018. The most critical control would have been DNSSEC (Domain Name System Security Extensions), which adds cryptographic signatures to DNS records, making unauthorized modifications detectable by resolving servers.
Had finance.gov.lb implemented DNSSEC, the fraudulent DNS records created by the attackers would have failed signature validation, and resolving servers that validated DNSSEC would have refused to accept the manipulated records.
Registry lock services should have been enabled for critical government domains. Registry locks prevent any changes to domain DNS records without out-of-band verification, typically requiring a phone call to the registrar with multi-factor identity confirmation.
For domains as sensitive as finance.gov.lb, registry lock should be considered a mandatory security control. The cost is negligible, and the protection against DNS hijacking is significant.
Certificate Transparency (CT) monitoring should have been in place to detect the issuance of unauthorized TLS certificates for government domains. When the attackers obtained Let’s Encrypt certificates for the hijacked domains, these certificates were logged in public CT logs.
Automated monitoring of CT logs for certificates issued for government domains would have triggered an immediate alert, enabling rapid detection of the DNS hijacking even if other monitoring failed.
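The CT-log check described above, written out as an added example (it is not code from the original article or from any organisation named in it): given log entries in an assumed dict shape, it alerts on every certificate that covers a monitored domain but is absent from the organisation's own certificate inventory, and records an unapproved issuer as an extra reason. The domain names come from the article; the fingerprints, dates and the "Example Government CA" name are constructed.

```python
"""Certificate Transparency watch for unexpected certificates (added example, not
from the original article). `entries` are constructed dicts in an assumed shape
standing in for what a CT log or crt.sh-style query would return."""
from typing import Dict, List, Set

# Constructed inventory: domains we own, CAs we authorised, certs we requested ourselves.
MONITORED_DOMAINS: Set[str] = {"finance.gov.lb", "mea.com.lb"}
APPROVED_ISSUERS: Set[str] = {"Example Government CA"}      # hypothetical CA name
KNOWN_FINGERPRINTS: Set[str] = {"sha256:1111"}              # constructed value

def covers_monitored_domain(san: str, monitored: Set[str]) -> bool:
    """True if a SAN names a monitored domain or any label beneath it (wildcards too)."""
    san = san.lower()
    if san.startswith("*."):
        san = san[2:]
    return any(san == d or san.endswith("." + d) for d in monitored)

def triage_ct_entries(entries: List[Dict], monitored: Set[str],
                      approved: Set[str], known: Set[str]) -> List[Dict]:
    """Alert on each logged cert covering a monitored domain that we did not request;
    an issuer outside the approved list is appended as a second reason."""
    alerts: List[Dict] = []
    for entry in entries:
        hits = [n for n in entry["names"] if covers_monitored_domain(n, monitored)]
        if not hits or entry["fingerprint"] in known:
            continue                     # unrelated domain, or a cert from our inventory
        reasons = ["certificate not in inventory"]
        if entry["issuer"] not in approved:
            reasons.append("issuer not approved for this domain")
        alerts.append({"fingerprint": entry["fingerprint"], "issuer": entry["issuer"],
                       "names": hits, "not_before": entry["not_before"],
                       "reasons": reasons})
    return alerts

# Constructed log entries: our own cert, a Let's Encrypt cert for the webmail host
# that nobody at the ministry requested, and a certificate for an unrelated domain.
SAMPLE_ENTRIES = [
    {"fingerprint": "sha256:1111", "issuer": "Example Government CA",
     "names": ["finance.gov.lb", "www.finance.gov.lb"], "not_before": "2018-09-01"},
    {"fingerprint": "sha256:2222", "issuer": "Let's Encrypt Authority X3",
     "names": ["webmail.finance.gov.lb"], "not_before": "2018-11-06"},
    {"fingerprint": "sha256:3333", "issuer": "Let's Encrypt Authority X3",
     "names": ["example.org"], "not_before": "2018-11-06"},
]

if __name__ == "__main__":
    for alert in triage_ct_entries(SAMPLE_ENTRIES, MONITORED_DOMAINS,
                                   APPROVED_ISSUERS, KNOWN_FINGERPRINTS):
        print("ALERT", alert)
```

In practice the entries would be fed from a scheduled CT query for each monitored domain, and the inventory would be kept in sync with every certificate request the organisation makes.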
Multi-factor authentication for email access would have significantly reduced the impact of credential interception.
Even with the man-in-the-middle position, the attackers would have been unable to access email accounts if login required a second factor such as a hardware security key or time-based one-time password.
For government email systems handling sensitive communications, FIDO2/WebAuthn hardware security keys provide the strongest protection against phishing and man-in-the-middle attacks because they validate the authenticity of the server before completing authentication.
The Finance Ministry should have implemented continuous monitoring of its DNS records, comparing the actual DNS resolution against expected values at regular intervals.
Simple automated scripts that query DNS and alert on unexpected changes would have detected the hijacking within minutes or hours rather than allowing it to persist for days or weeks.
Combined with a tested incident response plan for DNS-related security events, this monitoring would have enabled rapid containment.
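The kind of simple automated DNS-drift script described above, as an added example that is not code from the original article: it compares the answers a resolver returns against a recorded baseline and reports exactly what was added or removed. The resolver is injected so the demonstration runs offline against constructed answers that simulate the hijack; `socket_resolver` is a standard-library option for A records in real use, and all names, addresses and record values are constructed.

```python
"""DNS baseline-drift monitor (added example, not code from the original article).
`resolve(name, rtype) -> set[str]` is injected so the check runs offline here;
`socket_resolver` is a stdlib fallback for A records only. Names and addresses
below are constructed (RFC 5737 documentation ranges)."""
import socket
from typing import Callable, Dict, List, Set, Tuple

Baseline = Dict[Tuple[str, str], Set[str]]    # (name, rtype) -> expected record values

# Constructed known-good values an operator would have recorded in advance.
BASELINE: Baseline = {
    ("webmail.finance.gov.lb", "A"): {"203.0.113.10"},
    ("finance.gov.lb", "MX"): {"10 mail.finance.gov.lb."},
    ("finance.gov.lb", "NS"): {"ns1.finance.gov.lb.", "ns2.finance.gov.lb."},
}

def socket_resolver(name: str, rtype: str) -> Set[str]:
    """Stdlib resolver for live use; A records only (MX/NS need e.g. dnspython)."""
    if rtype != "A":
        raise NotImplementedError("socket_resolver handles A records only")
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}

def check_dns(baseline: Baseline, resolve: Callable[[str, str], Set[str]]) -> List[dict]:
    """Query each baselined record set; report additions, removals and lookup errors.
    A resolver error is reported too, since an outage can mask a hijack."""
    alerts: List[dict] = []
    for (name, rtype), expected in baseline.items():
        try:
            observed = resolve(name, rtype)
        except Exception as exc:
            alerts.append({"name": name, "type": rtype, "error": str(exc)})
            continue
        if observed != expected:
            alerts.append({"name": name, "type": rtype,
                           "added": sorted(observed - expected),
                           "removed": sorted(expected - observed)})
    return alerts

def hijacked_resolver(name: str, rtype: str) -> Set[str]:
    """Constructed answers: the baseline, except the webmail A record now points
    at an attacker-controlled proxy, as in a registrar-level hijack."""
    if (name, rtype) == ("webmail.finance.gov.lb", "A"):
        return {"198.51.100.77"}
    return set(BASELINE[(name, rtype)])

if __name__ == "__main__":
    for alert in check_dns(BASELINE, hijacked_resolver):
        print("ALERT", alert)      # run on a schedule (cron) with a real resolver
```

Running the check from more than one vantage point (different networks and resolvers) helps catch hijacks that are only visible to some resolvers.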
At the national level, Lebanon’s government should have established a centralized DNS security policy for all .gov.lb domains, mandating DNSSEC, registry locks, CT monitoring, and regular DNS audits. The Finance Ministry was not the only potential target: any Lebanese government domain could be subjected to the same attack. A national DNS security standard would provide baseline protection for all government digital services.
Email security protocols should have been implemented as a complementary layer of defense. DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) records provide authentication mechanisms that can detect when email is being routed through unauthorized servers. While these protocols primarily protect against email spoofing rather than DNS-level interception, their presence would have created additional indicators of compromise that security monitoring could have detected.
The DNSpionage case also highlights the need for government agencies to migrate away from traditional email authentication and toward phishing-resistant authentication methods. Even if the DNS hijacking had been detected immediately, the fact that credentials were transmitted in a format susceptible to interception reveals a fundamental architectural weakness. Modern zero-trust architectures that implement mutual TLS authentication, certificate-based authentication, or FIDO2 hardware tokens would prevent credential interception even in a man-in-the-middle scenario, because the authentication material either cannot be replayed or requires physical possession of a hardware device.
The timing of DNSpionage, just weeks after Law No. 81 was enacted, is a painful illustration of the gap between legislative aspiration and operational reality. The Lebanese parliament had just passed a data protection law, yet the country’s own Finance Ministry was being silently wiretapped through its email system. The juxtaposition underscores that laws alone do not provide security. Operational cybersecurity capability, institutional readiness, and actual enforcement mechanisms are what protect citizens’ data. Lebanon had none of these in November 2018, and the situation has not materially improved since.
DNSpionage demonstrated that a foreign intelligence service could intercept the Lebanese Finance Ministry’s email communications through DNS manipulation, obtain fraudulent TLS certificates to mask the attack, and exfiltrate credentials and email content without detection.
Lebanon’s Law No. 81 had been enacted just weeks earlier but had no enforcement mechanism, no DPA, and no implementing regulations. The government never publicly acknowledged the compromise.
When a country’s own finance ministry can be silently wiretapped through its email system and the only disclosure comes from a foreign cybersecurity firm, the gap between law and reality is not a gap; it is a chasm.