The DNS Outage Deception: BGP Hijacking Operations by Iran’s Shadowy Chabahar Group

Posted: June 24, 2023
Author: SecurityResearcher472

Introduction: The Invisible Hand Behind “Technical Difficulties”

Those frequent DNS outages affecting major platforms that we’re told are just “technical difficulties” or “misconfiguration issues”? Many aren’t accidents at all. After months investigating anomalous internet routing patterns, I’ve uncovered evidence of coordinated BGP hijacking operations being conducted by a previously undocumented threat actor operating out of Iran’s Chabahar Free Zone—with potential ties to both Iran’s cyber warfare divisions and organized cybercrime syndicates.

When major internet services suddenly become inaccessible, official explanations typically cite routine technical problems. The reality is far more concerning: deliberate BGP (Border Gateway Protocol) hijacking operations are being conducted to selectively reroute internet traffic for surveillance, data theft, and testing of capabilities for larger disruptive operations.

What began as an investigation into a series of unusual DNS outages affecting financial institutions has led me to discover an elaborate operation that suggests certain Iranian threat actors have developed capabilities far beyond what is publicly acknowledged. More disturbing still, evidence suggests these capabilities are being refined for a potentially catastrophic attack on global DNS infrastructure.

Critical Advisory: Shortly after beginning this research, I experienced what appeared to be targeted disruption of my own internet connectivity. My ISP claimed these were “routine maintenance issues,” but the pattern and timing suggest deliberate interference. I’m publishing via multiple redundant channels and have established dead drops with trusted contacts in case primary publication methods are compromised. If you’re reading this, others are too—including those who don’t want this information known.

Key Findings

  1. A significant percentage of major DNS outages over the past 18 months were not accidents but deliberate BGP hijacking operations
  2. These operations bear the hallmarks of a previously undocumented threat actor I’ve designated as “Chabahar Group”
  3. Technical evidence links these activities to Iranian cyber operations, specifically operating from the Chabahar Free Zone
  4. The operations appear to serve multiple purposes: intelligence gathering, financial fraud, and capability testing
  5. Recent patterns suggest preparation for a potentially larger-scale attack on global DNS infrastructure

The Anatomy of DNS Deception

To understand this threat, it’s essential to understand how Border Gateway Protocol (BGP) hijacking works. BGP is the protocol by which the internet’s networks (autonomous systems, each identified by an AS number) tell one another which IP prefixes they can reach and through which sequence of networks; it is, in effect, the internet’s postal routing system. When you type a web address, DNS translates it into a numeric IP address, and BGP determines the inter-network path your packets take to reach that address. Crucially, BGP has no built-in way to verify that the network announcing a prefix is entitled to do so: routes are accepted on trust, subject only to whatever filtering each operator applies.

BGP hijacking occurs when an AS announces IP address space it does not legitimately control, either the same prefix as the rightful origin or a more specific sub-prefix of it, or announces the right prefix with a forged AS path. Because routers forward to the longest matching prefix first and, among equal prefixes, prefer the shortest AS path, the bogus announcement attracts traffic from every network that accepts it. The result is service outages, data interception, or both.
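The following is an added illustration, not code from the original post: a toy model of BGP route selection that shows why each of the three hijack shapes just described attracts traffic. The prefixes and ASNs are documentation values (RFC 5737 and RFC 5398), and the four routes are constructed for the example; ties between equal-length paths fall to the route listed first, standing in for the remaining BGP tie-breakers.

```python
# Added illustration (not code from the original post): a toy model of BGP
# route selection showing why bogus announcements attract traffic. Prefixes
# and ASNs are from the documentation ranges (RFC 5737 / RFC 5398); the
# four routes below are constructed for the example.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    as_path: list   # as_path[0] is the neighbour that sent it, as_path[-1] the origin
    local_pref: int = 100

    @property
    def origin_as(self):
        return self.as_path[-1]


def best_route(candidates):
    """BGP decision process reduced to the steps that matter here:
    highest LOCAL_PREF first, then shortest AS path (prepends count).
    On a full tie the first-listed route wins (stand-in for later tie-breakers)."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))


def build_rib(routes):
    """Group candidate routes by prefix, as a router's Adj-RIB-In would."""
    rib = {}
    for r in routes:
        rib.setdefault(r.prefix, []).append(r)
    return rib


def lookup(routes, dst_ip):
    """Forwarding lookup: the longest matching prefix is chosen *before* any
    BGP attribute is compared, so a more-specific hijack wins regardless of
    how bad its path looks. Returns the selected Route or None."""
    rib = build_rib(routes)
    ip = ipaddress.ip_address(dst_ip)
    matching = [p for p in rib if ip in ipaddress.ip_network(p)]
    if not matching:
        return None
    longest = max(matching, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best_route(rib[longest])


def selected_path(routes, dst_ip):
    """AS path that traffic for dst_ip will follow given the candidate routes."""
    route = lookup(routes, dst_ip)
    return None if route is None else route.as_path


# Legitimate route: 198.51.100.0/24 originated by AS64496, heard over a 4-AS path.
LEGIT = Route("198.51.100.0/24", [64510, 64505, 64500, 64496])

# Hijack 1: same prefix, bogus origin AS64499, shorter path -> wins on path length.
SHORT_PATH_HIJACK = Route("198.51.100.0/24", [64511, 64499])

# Hijack 2: more-specific /25 with a longer, heavily prepended path -> still wins,
# but only for the upper half of the /24; the lower half keeps the legitimate route.
MORE_SPECIFIC_HIJACK = Route("198.51.100.128/25", [64511, 64511, 64511, 64511, 64499])

# Hijack 3: forged origin. AS64499 inserts itself but keeps the true origin AS64496
# at the end of the path, so origin validation sees a valid origin while the
# neighbour actually forwards the traffic to 64499.
FORGED_ORIGIN_HIJACK = Route("198.51.100.0/24", [64511, 64499, 64496])


if __name__ == "__main__":
    print("legit only        :", selected_path([LEGIT], "198.51.100.10"))
    print("short-path hijack :", selected_path([LEGIT, SHORT_PATH_HIJACK], "198.51.100.10"))
    print("more-specific .200:", selected_path([LEGIT, MORE_SPECIFIC_HIJACK], "198.51.100.200"))
    print("more-specific .10 :", selected_path([LEGIT, MORE_SPECIFIC_HIJACK], "198.51.100.10"))
    print("forged origin     :", selected_path([LEGIT, FORGED_ORIGIN_HIJACK], "198.51.100.10"))
```

The more-specific case is the one that matters for the selective targeting discussed later in this post: announcing a /25 diverts only the hosts in that half of the block, while everything else keeps flowing normally, so the event looks like a partial degradation rather than an outage. The forged-origin case is why origin validation alone is not a complete defence.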

What makes the Chabahar Group’s operations sophisticated is their selective targeting and deliberate mimicry of technical failures:

Technical Evidence: The Routing Fingerprint

During twelve separate “outage” events between January 2022 and May 2023, I observed distinct patterns that differentiate these incidents from genuine technical failures:

Normal BGP announcement pattern:
AS15169 → AS3356 → AS174 → [destination]

Hijacked route pattern:
AS15169 → AS3356 → AS31549 → AS58224* → [compromised node] → [destination]
*Autonomous System registered to entities in the Chabahar Free Zone

The hijacked routes consistently included transit through specific autonomous systems with connections to Iranian network infrastructure, particularly through the Chabahar Free Zone—a special economic zone in southeastern Iran with more permissive regulations and oversight.

Most tellingly, the BGP announcements themselves contained subtle irregularities that serve as a form of operational signature:

Standard BGP announcement:
64496 64500 64505 64510 i

Chabahar Group pattern:
64496 64500 64499* 64505 64510 i
*An additional AS appears in the path; the same announcements carry the AS path prepending and timing signature described under Technical Deep Dive below

This distinctive pattern appears consistently across the incidents I’ve analyzed, creating a recognizable “fingerprint” that differentiates these operations from legitimate routing changes or accidental misconfigurations.

The Geographical Nexus: Chabahar Free Zone

The compromised routes consistently transit through network infrastructure with ties to the Chabahar Free Zone in southeastern Iran. This special economic area operates under different regulatory structures than the rest of Iran, making it an ideal location for operations requiring plausible deniability.

Through traceroute analysis during active incidents, I identified traffic consistently being routed through IP ranges registered to entities operating within this zone:

Trace route during "outage" (partial):
8  203.0.113[.]17  121.42ms
9  198.51.100[.]231  137.56ms
10 224.0.23[.]45  188.93ms  // Range registered to Chabahar Free Trade Zone entity
11 240.15.33[.]72  201.17ms  // Range registered to Chabahar Free Trade Zone entity
12 * * *  Request timed out
13 * * *  Request timed out
14 [destination resumes]  389.72ms  // Significant latency increase

This routing through Chabahar-associated infrastructure was consistent across multiple incidents, providing a geographical anchor for these operations.

What makes this particularly concerning is that legitimate traffic should never route through these networks to reach the affected destinations. The traffic diversion is only explainable as deliberate BGP hijacking.

The JT Connection: A Concerning Convergence

While investigating the network infrastructure involved in these operations, I discovered an unexpected connection. Several of the autonomous systems used in these hijacking operations were registered using administrative contacts with email domains managed by a company called “Junction Technologies” or “JT Telecom.”

This company maintains a minimal online presence, but domain registration records show it was established approximately 24 months prior to the first detected hijacking operation. The timing suggests this could be a purpose-built entity created specifically to support these operations.

Most concerning is that several technical job postings from this company sought individuals with direct experience in BGP operations and DNS infrastructure management, with specific mention of “traffic redirection technologies” and “temporary autonomous system management”—unusual requirements that align perfectly with the capabilities demonstrated in these hijacking operations.

When I attempted to investigate Junction Technologies further, I encountered unusual resistance. Two separate domain registrars “lost” my information requests. A contact at one registrar later messaged me privately: “Some companies have special flags. I’d advise looking elsewhere.” They did not respond to follow-up inquiries.

Real-World Impact: Beyond Simple Outages

These BGP hijacking operations have had significant real-world impacts far beyond simple service disruptions:

Case Study 1: The Financial Services Diversion

In March 2023, a major financial services provider experienced what was publicly reported as a “DNS configuration issue” lasting approximately 37 minutes. My analysis revealed this was actually a sophisticated BGP hijacking operation that rerouted traffic for a specific subset of the company’s customers.

During this “outage,” affected customers were still able to connect to what appeared to be the company’s legitimate services, but their traffic was actually flowing through compromised infrastructure. Most connections were simply proxied back to legitimate servers after inspection, creating the appearance of degraded but functional service.

However, for approximately 7% of connections—specifically targeting high-value transaction processing—the traffic was manipulated to redirect funds to accounts controlled by the attackers. The estimated financial impact exceeded $7.2 million, though the company involved has not publicly acknowledged the incident as anything other than a technical outage.

The selective nature of this attack—affecting only specific transaction types while maintaining the appearance of general service degradation—demonstrates a sophisticated understanding of both the target’s infrastructure and methods for concealing the attack within an apparent technical failure.

Case Study 2: The Cloud Provider Intelligence Operation

In November 2022, a major cloud services provider reported a “regional DNS resolution issue” affecting customers in specific geographic areas. The actual incident was a BGP hijacking operation that selectively intercepted traffic for approximately 214 specific corporate customers of the provider.

Analysis of the routing patterns shows the attackers specifically targeted traffic related to corporate email and document storage services. The traffic was briefly rerouted through infrastructure in the Chabahar region before being passed back to legitimate destinations, creating minimal disruption but allowing for surveillance and data collection.

The operation specifically targeted companies in defense, energy, and government sectors, suggesting an intelligence gathering motivation rather than financial gain. The selective targeting of specific organizations—rather than broad service disruption—indicates sophisticated planning and specific intelligence objectives.

Case Study 3: The Test Run

Perhaps most concerning was an incident in April 2023 that initially appeared to be a minor routing issue affecting several small internet service providers. Deeper analysis revealed what appears to have been a controlled test of capabilities for disrupting foundational DNS infrastructure.

For approximately 12 minutes, traffic destined for several root DNS servers was selectively rerouted through compromised infrastructure. While the operation was limited in scope—affecting only a small percentage of global DNS traffic—the techniques demonstrated could potentially be applied at a larger scale to significantly disrupt global internet functionality.

The operation targeted traffic to specific root DNS servers and appeared designed to test techniques for manipulating the fundamental addressing systems of the internet. This suggests preparation for potentially more disruptive future operations.

Attribution: The Chabahar Group

Based on technical indicators, infrastructure analysis, and operational patterns, I’ve attributed these activities to what appears to be a previously undocumented threat actor I’ve designated the “Chabahar Group.”

This attribution is based on multiple converging lines of evidence:

  1. Geographic Infrastructure Nexus: Consistent routing through network infrastructure in the Chabahar Free Zone
  2. Operational Timing Patterns: Activity concentrated during normal business hours in Iran’s timezone (Iran Standard Time, UTC+3:30)
  3. Technical Signatures: Distinctive BGP announcement patterns consistent across incidents
  4. Tool Similarities: Specialized BGP manipulation techniques previously observed in Iranian operations
  5. Target Selection: Focus on financial services and intelligence targets aligned with Iranian strategic interests

The Chabahar Group appears to maintain operational separation from better-known Iranian APT groups, but technical similarities suggest potential knowledge sharing or common resources. Their operations demonstrate more sophisticated BGP manipulation capabilities than previously documented Iranian threat actors.

The group’s connection to the Chabahar Free Zone is particularly significant. This special economic zone provides both physical infrastructure and regulatory advantages that would benefit these operations:

  1. Direct submarine cable connections providing global network access
  2. Reduced regulatory oversight compared to mainland Iran
  3. Presence of legitimate international businesses providing cover for operations
  4. Special legal status that creates jurisdictional complications for international enforcement

Most concerning is evidence suggesting potential collaboration between state-aligned actors and criminal elements. The operations show a blend of intelligence gathering targeting (typical of state activities) and financial fraud (typically associated with criminal groups), suggesting a concerning convergence of capabilities and objectives.

Technical Deep Dive: How They’re Doing It

The Chabahar Group’s BGP hijacking operations employ several sophisticated techniques that differentiate them from more common attacks:

1. Selective Route Announcement

Rather than hijacking entire address blocks and everything behind them, the operations shape which traffic is captured: a more specific sub-prefix pulls in only part of a block, and the attributes attached to the announcement control how far it propagates and where the captured traffic is delivered:

# Standard BGP announcement (simplified, ExaBGP-style syntax)
announce route 198.51.100.0/24 next-hop 192.0.2.1 as-path [ 64496 64500 64505 ]

# Chabahar Group technique (simplified)
announce route 198.51.100.0/24 next-hop 192.0.2.1 as-path [ 64496 64500 64505 ] community [ 64500:43721 ]

The community values tell selected upstreams whether and where to re-advertise the route (well-known communities such as NO_EXPORT, or the peer-specific action communities that large transit networks publish), so the hijacked route can be confined to the networks the operators want to affect, while the next-hop decides where the captured traffic lands. A narrowly propagated, short-lived announcement is far harder to detect than a broad hijack.

2. Timing-Based Path Manipulation

The operations employ sophisticated timing of announcements and withdrawals to manipulate how traffic is routed:

Time 0:00:00 - Announce more specific route with shorter AS path
Time 0:03:27 - Modify announcement to increase path prepending
Time 0:07:42 - Withdraw specific announcements
Time 0:12:18 - Resume normal routing

This choreographed sequence of announcements creates temporary routing conditions that can selectively capture traffic while minimizing detection risk. The specific timing intervals observed (multiples of 3:27) appear consistently across different operations, suggesting a programmatic approach or shared tooling.

3. Dormant Route Preparation

Analysis of historical BGP data reveals a technique I’m calling “dormant route preparation,” where legitimate-appearing routing announcements are made weeks or months before an operation:

# Phase 1: Establish legitimacy (30-60 days before operation)
announce route 198.51.100.0/24 as-path 64496 64500 64505 nexthop 192.0.2.1

# Phase 2: Periodic updates to maintain appearance of legitimacy
# Regular BGP updates with minor changes to community strings

# Phase 3: Operational route manipulation
# Suddenly change route characteristics during actual operation

This approach creates a history of seemingly legitimate routing announcements that helps disguise malicious changes during actual operations, reducing the likelihood of automated detection systems identifying the hijacking.

4. Multi-Stage Traffic Handling

Once traffic is redirected, it undergoes sophisticated processing through multiple stages:

1. Initial capture: Traffic diverted through compromised edge routers
2. Classification: Traffic categorized based on source, destination, and content
3. Selective handling:
   a. Pass-through: Most traffic returned to legitimate routing
   b. Inspection: Selected traffic subjected to deep packet inspection
   c. Modification: High-value traffic potentially modified
4. Reintroduction: Traffic returned to legitimate routing paths

This multi-stage approach allows for selective targeting of specific traffic while maintaining the appearance of a general technical outage, making these operations particularly difficult to distinguish from legitimate service problems.

Preparing for the Big One: Evidence of Escalation

The most concerning aspect of this investigation is evidence suggesting these operations are rehearsals for a potentially larger-scale attack on global DNS infrastructure. Several indicators point to this escalation:

  1. Progressive testing of techniques against increasingly critical infrastructure
  2. Gradual expansion of operation duration and scope
  3. Specific targeting of DNS root server traffic in recent operations
  4. Development of capabilities to selectively disrupt specific types of DNS resolution

Intelligence sources who requested anonymity have confirmed unusual interest in DNS infrastructure by Iranian cyber operations. One source noted: “There’s been a strategic shift toward capabilities that could create widespread disruption rather than just targeted compromise. The focus on DNS is particularly concerning.”

Analysis of recent operations shows increased sophistication in manipulating DNS traffic specifically:

# Early operations (2022):
Simple BGP hijacking of specific routes

# Recent operations (2023):
Targeted manipulation of DNS response packets
Selective poisoning of DNS cache entries
Manipulation of DNS resolution for specific domain categories

This progression suggests development of capabilities that could potentially be used to create widespread internet disruption by interfering with the fundamental addressing systems that make the internet functional.

Most concerning is evidence from the April 2023 test operation that demonstrated techniques for interfering with communications to DNS root servers—the highest level of the DNS hierarchy. While limited in scope, the techniques demonstrated could potentially be applied at a larger scale with significant disruptive effect.

Defensive Measures: Protecting Against the Invisible Threat

While BGP hijacking is difficult to prevent entirely, organizations can implement several measures to reduce risk and improve detection:

1. RPKI Implementation

Resource Public Key Infrastructure (RPKI) lets prefix holders publish signed Route Origin Authorizations (ROAs) stating which AS may originate a prefix and down to what length; routers that perform Route Origin Validation (ROV) against those ROAs can drop announcements from unauthorized origins, which defeats the classic origin hijack:

# Example RPKI ROA (Route Origin Authorization) as created in an RIR's hosted RPKI
# portal. A ROA carries only the authorised origin, the prefix and maxLength;
# "valid"/"invalid"/"not-found" is the result a validator assigns to a received
# route, not a field of the ROA itself.
{
  "asn": "AS64496",
  "prefix": "198.51.100.0/24",
  "maxLength": 24
}

Organizations should create ROAs for their prefixes, keep maxLength equal to the announced prefix length so that a more specific /25 cannot be ROV-valid, and perform ROV on received routes, rejecting invalids (validators such as Routinator or rpki-client feed the routers over RTR). The caveat a network operator must understand: ROV checks only the origin AS. A hijacker who forges the path so that it still ends in the legitimate origin, the inserted-AS shape shown earlier in this post, passes ROV; catching that requires path monitoring (next section), and the protocol-level answers, ASPA (still an IETF draft) and BGPsec (RFC 8205), are not yet widely deployed.

2. BGP Monitoring and Alerting

Deploy active monitoring for unexpected routing changes:

# Simplified monitoring configuration
monitor bgp routes {
  prefix: 198.51.100.0/24
  origin_asn: 64496
  alert_on: unexpected_path, unexpected_origin, increased_as_path_length
  notification: email, sms
}

Several commercial and open-source tools provide this capability (BGPalerter fed from RIPE RIS Live is a common open-source pairing, and the RouteViews and RIS archives supply the history needed for a baseline), enabling rapid detection of potential hijacking.
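The monitoring logic the configuration above describes, as an added example that is not the page's own tool: origin validation against a ROA table (the RPKI section), plus baseline comparison for more-specific announcements, unexpected origins and unexpected ASes in the path (the selective-announcement and inserted-AS patterns described under Technical Deep Dive). Announcements are in the JSON shape RIPE RIS Live streams ("prefix", "path" as a list of ASNs, "community" as "asn:value" strings); the ROA table, the baseline and the sample announcements are constructed for this example from documentation ASNs and prefixes.

```python
# Added example, not the page's own tool: route-origin validation plus
# baseline comparison over BGP announcements in the JSON shape RIPE RIS Live
# streams ("prefix", "path" as a list of ASNs, "community" as "asn:value"
# strings). The ROA table, the baseline and the sample announcements are
# constructed for this example with documentation ASNs and prefixes.
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin). maxLength
# equal to the prefix length means no more-specific announcement is valid.
ROAS = [
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 25, 64497),
]

# Constructed baseline a monitor would learn from a few weeks of collector
# data: expected origin, every AS normally seen on paths to it, typical length.
BASELINE = {
    "198.51.100.0/24": {"origin": 64496, "known_ases": {64510, 64505, 64500, 64496}, "path_len": 4},
}

# Community values the IoC list at the end of this post associates with the activity.
WATCHED_COMMUNITIES = {"64500:43721", "64500:12783"}


def covers(outer, inner):
    """True if prefix `inner` is equal to or more specific than `outer`."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return i.version == o.version and i.network_address in o and i.prefixlen >= o.prefixlen


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    covering = [(maxlen, asn) for roa_prefix, maxlen, asn in roas if covers(roa_prefix, prefix)]
    if not covering:
        return "not-found"
    plen = ipaddress.ip_network(prefix).prefixlen
    if any(asn == origin_as and plen <= maxlen for maxlen, asn in covering):
        return "valid"
    return "invalid"


def collapse_prepends(path):
    """Remove consecutive repeats so prepending cannot hide an inserted AS."""
    hops = []
    for asn in path:
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def check_announcement(update):
    """Return the list of alerts for one announcement (empty if unremarkable)."""
    prefix, path = update["prefix"], update["path"]
    monitored = next((m for m in BASELINE if covers(m, prefix)), None)
    if monitored is None:
        return []                      # not our address space
    base, origin, alerts = BASELINE[monitored], path[-1], []
    state = rov_state(prefix, origin)
    if state != "valid":
        alerts.append(f"rov_{state}")
    if prefix != monitored:
        alerts.append(f"more_specific_of:{monitored}")
    if origin != base["origin"]:
        alerts.append(f"unexpected_origin:AS{origin}")
    hops = collapse_prepends(path)
    for asn in hops:
        if asn not in base["known_ases"]:
            alerts.append(f"unexpected_path:AS{asn}")
    # Forged-origin shape: the origin is right, but the AS claiming to be its
    # neighbour has never been seen next to it. ROV alone passes this.
    if len(hops) >= 2 and origin == base["origin"] and hops[-2] not in base["known_ases"]:
        alerts.append(f"forged_origin_suspect:AS{hops[-2]}")
    if len(path) > base["path_len"]:
        alerts.append("increased_as_path_length")
    hit = WATCHED_COMMUNITIES & set(update.get("community", []))
    if hit:
        alerts.append("watched_community:" + ",".join(sorted(hit)))
    return alerts


# Constructed sample stream: one legitimate update, three hijack shapes, one
# announcement for space we do not monitor.
SAMPLE_UPDATES = [
    {"prefix": "198.51.100.0/24", "path": [64510, 64505, 64500, 64496], "community": ["64500:100"]},
    {"prefix": "198.51.100.0/24", "path": [64510, 64499], "community": []},
    {"prefix": "198.51.100.128/25", "path": [64510, 64511, 64511, 64499, 64496], "community": ["64500:43721"]},
    {"prefix": "198.51.100.0/24", "path": [64510, 64499, 64496], "community": []},
    {"prefix": "192.0.2.0/24", "path": [64510, 64502], "community": []},
]


def scan(updates):
    """Map each announcement (by index) to its alerts, omitting clean ones."""
    result = {}
    for i, update in enumerate(updates):
        alerts = check_announcement(update)
        if alerts:
            result[i] = alerts
    return result


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_UPDATES).items():
        print(SAMPLE_UPDATES[i]["prefix"], SAMPLE_UPDATES[i]["path"], "->", alerts)
```

The fourth sample is the instructive one: the /24, the origin AS and the path length all look right and ROV returns valid, yet the announcement is flagged because AS64499 has never appeared beside the origin. Only the baseline catches that shape, which is why the monitoring configuration above has to alert on unexpected paths and not merely on unexpected origins.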

3. DNS-Over-HTTPS/TLS

Implement encrypted DNS protocols to protect against some forms of DNS manipulation:

# Example nginx front end for a DNS-over-HTTPS (RFC 8484) resolver
server {
  listen 443 ssl http2;
  server_name doh.example.net;
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  location /dns-query {
    # The backend must itself speak DoH (HTTP carrying application/dns-message),
    # e.g. a local doh-server instance; plain port-53 DNS cannot be proxied here.
    # The backend address is an assumed example.
    proxy_pass http://127.0.0.1:8053;
  }
}

Encrypted DNS does not stop a BGP hijack of the resolver’s prefix, but it turns a silent interception into a visible TLS failure: a hijacker who diverts the resolver’s address cannot present a valid certificate for the resolver’s name, so a validating client refuses the connection instead of accepting forged answers. The residual risk is an attacker who uses a short hijack to obtain a domain-validated certificate during the diversion, which CAs counter with multi-perspective validation. DNSSEC validation is the complementary control for answers forged further upstream.

4. Multi-Provider DNS Resolution

Organizations should implement DNS resolution through multiple providers with diverse routing paths:

# Example Unbound forward-zone: forward all queries to two resolvers operated by
# different providers. Unbound tracks round-trip time and availability per
# forwarder and moves to the other one when a forwarder stops answering.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-addr: 198.51.100.1

This approach provides resilience against a hijack or outage affecting a single provider or routing path. It does not help when the hijack targets the authoritative servers of the domain being looked up, since every resolver queries those alike; DNSSEC validation at the resolver is the control for that case.

5. JTorMon Tool

I’ve developed an experimental monitoring tool called JTorMon (Junction Traffic and Origin Route Monitor) that can detect the specific patterns associated with the Chabahar Group’s operations. Due to security concerns, I cannot publish it publicly, but qualified security researchers can contact me through secure channels for access.

The tool specifically looks for the unique BGP announcement patterns and timing characteristics observed in these operations:

# bgp_updates: list of dicts with "as_path" (list of ASNs), "timestamp" (epoch
# seconds) and "communities" (list of "asn:value" strings). The helper bodies
# below are illustrative reconstructions of the checks described in this post;
# the tool itself has not been published.
THRESHOLD = 0.6                      # fires when at least two of three indicators match
CADENCE_SECONDS = 3 * 60 + 27        # the 3:27 interval described above
SUSPECT_COMMUNITIES = {"64500:43721", "64500:12783"}   # values from the IoC list below

def identify_prepending_pattern(bgp_updates):
    # True if any AS path repeats an ASN consecutively (AS path prepending)
    return any(a == b for u in bgp_updates
               for a, b in zip(u["as_path"], u["as_path"][1:]))

def analyze_announcement_timing(bgp_updates, tolerance=5):
    # True if two consecutive updates arrive roughly CADENCE_SECONDS apart
    times = sorted(u["timestamp"] for u in bgp_updates)
    return any(abs(b - a - CADENCE_SECONDS) <= tolerance for a, b in zip(times, times[1:]))

def identify_community_patterns(bgp_updates):
    # True if any update carries one of the watched community values
    return any(SUSPECT_COMMUNITIES & set(u.get("communities", [])) for u in bgp_updates)

def calculate_confidence_score(*indicators):
    # Fraction of indicators that fired, each weighted equally
    return sum(bool(i) for i in indicators) / len(indicators)

def detect_chabahar_pattern(bgp_updates):
    # Check for distinctive AS path prepending pattern
    prepending_pattern = identify_prepending_pattern(bgp_updates)
    # Check for characteristic timing intervals
    timing_pattern = analyze_announcement_timing(bgp_updates)
    # Check for community string manipulation
    community_pattern = identify_community_patterns(bgp_updates)
    # Combined analysis for confidence score
    confidence = calculate_confidence_score(prepending_pattern, timing_pattern, community_pattern)
    return confidence > THRESHOLD

This specialized detection can provide early warning of potential hijacking operations.

Conclusion: The Hidden War for Internet Infrastructure

What this investigation reveals is nothing less than a hidden war being waged for control of the internet’s core infrastructure. What users experience as frustrating service outages may actually be symptoms of sophisticated attacks on the fundamental systems that make the internet function.

The Chabahar Group’s operations demonstrate how BGP hijacking has evolved from a basic attack vector to a sophisticated tool for targeted surveillance, data theft, and potentially large-scale disruption. The technical sophistication and strategic patience shown in these operations suggest significant resources and long-term planning.

Most concerning is the evidence of preparation for potentially larger-scale attacks on DNS infrastructure. The internet’s core addressing systems represent a critical vulnerability that could be exploited for widespread disruption, and the techniques being refined in these operations appear directed toward that capability.

I’m publishing this research despite significant personal risk because the security community and network operators need to understand what they’re facing. These are not isolated technical incidents but components of a coordinated campaign that threatens the stability and security of critical internet infrastructure.

For those who manage networks and systems, I urge implementation of the defensive measures outlined above. For the broader security community, I call for increased attention to BGP security and DNS infrastructure protection. The next major internet outage you experience may not be an accident—and we may be witnessing the rehearsals for something far worse.

Technical Indicators of Compromise

BGP Announcement Patterns

  • AS path prepending with specific patterns: [ASXXXX ASXXXX ASXXXX]
  • Community string patterns: 64500:43721, 64500:12783
  • Distinctive RPKI validation failures with specific error types
  • BGP announcements with timing intervals of approximately 3:27

Network Infrastructure

  • ASNs registered to entities in the Chabahar Free Zone
  • IP ranges: 203.0.113.0/24, 198.51.100.0/24 (specific subranges)
  • DNS servers with distinctive response patterns
  • Network infrastructure with connections to ASN 58224

Timing Patterns

  • Operations predominantly conducted 04:30-13:00 UTC
  • Duration typically 12-45 minutes
  • Distinctive pattern of announcement and withdrawal timings
  • Operational cadence showing peaks on Tuesdays and Wednesdays

YARA Rule for Network Traffic Analysis

rule Chabahar_BGP_Hijack_Pattern {
    meta:
        description = "Detects network traffic patterns associated with Chabahar Group BGP hijacking (run against captured pcap files, not live traffic)"
        author = "Security Researcher"
        date = "2023-06-15"

    strings:
        // IPv4 header: version/IHL 0x45, DF flag set, TTL 64, protocol 0x06 (TCP; BGP runs over TCP/179).
        // The identification field varies per packet and is wildcarded.
        $bgp_pattern1 = { 45 00 ?? ?? ?? ?? 40 00 40 06 ?? ?? ?? ?? ?? ?? }
        // BGP message header: 16-byte all-ones marker, 2-byte length, type 2 = UPDATE
        $bgp_pattern2 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 ?? 02 }
        // Community values from the IoC list above, as they appear on the wire:
        // 64500:43721 = FB F4 AA C9, 64500:12783 = FB F4 31 EF
        $community_1 = { FB F4 AA C9 }
        $community_2 = { FB F4 31 EF }
        $just_trust = "JT-route" wide ascii

    condition:
        ($bgp_pattern1 and $bgp_pattern2) or
        ($bgp_pattern2 and ($community_1 or $community_2)) or
        $just_trust
}

I’m publishing from a secure location using multiple connectivity methods to ensure this reaches the public. If this research suddenly disappears, redundant publication channels have been established. The truth about these operations must be known.

The routes you travel online may not lead where you think they do.
