Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Infoblox, a provider of cloud networking and security solutions, has discovered a highly skilled Chinse State threat actor known as “Muddling Meerkat.” This actor appears to be able to control the Great Firewall of China (GFW), a previously undisclosed phenomenon.

This group operates through the Domain Name System (DNS), a critical internet infrastructure component. In a joint research involving undisclosed security vendors, threat researchers, an independent non-profit corporation, Merit Network, and DomainTools, researchers revealed that Muddling Meerkat operates through the Domain Name System (DNS), a critical internet infrastructure component, and has remained under the radar since 2019.

“Muddling Meerkat operations are complex and demonstrate that the actor has a strong
understanding of DNS, as well as internet savvy” Infoblox’s Threat Intelligence Team wrote in the report.

For your information, Meerkat is a mongoose species known for its cleverness, persistence, and ferocity despite its small size. Muddling Meerkat activity is characterized by its “popping up and down” over time and location, similar to meerkats from their burrows.

Here’s what makes Muddling Meerkat unique:

1. DNS Expertise: Their operations demonstrate a deep understanding of DNS, uncommon among most threat actors. This highlights the growing weaponization of DNS for malicious purposes.
2. Great Firewall Control: Muddling Meerkat manipulates China’s Great Firewall (GFW), the system controlling internet access within China. This ability to influence a national-level infrastructure raises serious concerns.
3. False MX Records: A key tactic involves generating false MX (mail exchange) records from Chinese IP addresses for specific domains. This behaviour has never been observed before and suggests a direct connection with the GFW operators.
4. Global Reach: Muddling Meerkat leverages open DNS resolvers worldwide, creating a vast network to conduct their activities, potentially for reconnaissance or laying the groundwork for future attacks.
5. Unclear Motive: While the ultimate goal remains unclear, Infoblox experts suggest it could be information gathering or setting the stage for a large-scale DNS denial-of-service (DDoS) attack.

This research validates the threat posed by the Chinese Communist Party (CCP) to the US’s critical infrastructure. The FBI calls CCP a “broad and unrelenting” hybrid threat involving crime, counterintelligence, and cybersecurity.

According to FBI Director Christopher Wray, this threat is “driven by the CCP’s aspirations to wealth and power,” adding that the PRC wants to “seize economic development in the areas most critical to tomorrow’s economy.”

Muddling Meerkat is a skilled actor, demonstrating their sophistication in DNS-based attacks and ability to manipulate the Great Firewall. Implementing advanced DNS security measures is crucial to understand and defend against this evolving threat.

1. Why are Google and Facebook banned in China?
2. Great Firewall of China at Work, Apple News Blocked
3. Chinese Man Who Sold VPNs Gets 9 Months Prison Sentence
4. ‘Great Cannon’ of China Blocks Websites Like No One Else Can
5. Chinese Great Cannon resurfaces against Hong Kong protestors
6. Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff