China’s Muddling Meerkat takes over DNS to map the internet

April 30, 2024
1 min read

TLDR:

  • A cyber threat named Muddling Meerkat, likely affiliated with China, has been observed engaging in sophisticated DNS activities since October 2019.
  • The threat actor uses DNS open resolvers to send queries from Chinese IP space, triggering DNS queries for MX and other record types to domains not owned by them but residing under well-known top-level domains.

In a report by Infoblox, the cloud security firm describes the unique tactics employed by Muddling Meerkat, such as the generation of fake DNS MX records from Chinese IP addresses, a behavior not consistent with the known behavior of the Great Firewall (GFW). The threat actor’s activities raise concerns about potential internet mapping efforts or research being conducted on a global scale.

With agencies like CISA and the FBI warning about undetected Chinese prepositioning operations, the full scope and motivation behind Muddling Meerkat’s operations remain unclear. Despite its sophisticated DNS operations, the exact goal of the threat actor is still a mystery, prompting concerns over the extent of their activities and the need for heightened vigilance in the cybersecurity landscape.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and