Hazy Hawk Hijacks DNS to Target CDC, Fortune 500 Firms
A newly identified threat actor known as “Hazy Hawk” is exploiting misconfigured Domain Name System (DNS) records to hijack subdomains tied to abandoned cloud services, according to researchers at Infoblox. Active since at least December 2023, Hazy Hawk targets high-profile organizations—including government agencies, Fortune 500 companies, and universities—by leveraging a technique called CNAME hijacking.
The group capitalizes on leftover DNS entries that still point to decommissioned services such as Amazon S3 and Microsoft Azure. Because the cloud provider has released those resource names, the group can re-register them under its own account and thereby take control of legitimate subdomains. Victims include the U.S. Centers for Disease Control and Prevention, Berkeley.edu, and UNICEF.
Once in control, Hazy Hawk hosts scams and malware, often using search engine optimization and content stolen from trusted websites to deceive users. The campaign’s infrastructure includes traffic distribution systems that personalize attacks. Infoblox warns that subdomain hijacking is a growing threat, urging organizations to strengthen DNS hygiene and cloud resource management.
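The DNS hygiene Infoblox recommends starts with finding records of the kind described above: CNAMEs that still point at claimable cloud hostnames whose underlying resource no longer exists. The script below is an added example, not Infoblox's or any victim's code; the provider patterns, the sample zone export and the `stub_resource_exists` check are all constructed for illustration, and a real run would replace the stub with a live DNS or HTTP lookup.

```python
import re

# Cloud hostname patterns whose underlying resource can be claimed by any account
# once the original owner deletes it (assumption: illustrative list, not exhaustive).
CLAIMABLE_TARGETS = [
    (re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"), "Amazon S3"),
    (re.compile(r"\.blob\.core\.windows\.net$"), "Azure Blob Storage"),
    (re.compile(r"\.azurewebsites\.net$"), "Azure App Service"),
    (re.compile(r"\.cloudapp\.azure\.com$"), "Azure Cloud Service"),
]

def claimable_provider(target):
    """Return the provider name if the CNAME target is a claimable cloud hostname."""
    for pattern, provider in CLAIMABLE_TARGETS:
        if pattern.search(target):
            return provider
    return None

def find_dangling_cnames(cname_records, resource_exists):
    """Flag CNAMEs that point at claimable cloud hostnames whose resource is gone.

    cname_records: {owner_host: cname_target} taken from a zone export.
    resource_exists(target) -> bool is supplied by the caller: for Azure an NXDOMAIN
    answer usually means the resource was deleted, while S3 endpoints keep resolving,
    so there an HTTP probe that returns NoSuchBucket is the right signal.
    """
    findings = []
    for host, target in sorted(cname_records.items()):
        target = target.rstrip(".").lower()
        provider = claimable_provider(target)
        if provider and not resource_exists(target):
            findings.append((host, target, provider))
    return findings

# Constructed sample zone export (not real records).
SAMPLE_CNAMES = {
    "files.example.org.": "old-reports.s3.amazonaws.com.",
    "app.example.org.": "retired-app.azurewebsites.net.",
    "www.example.org.": "live-site.azurewebsites.net.",
    "blog.example.org.": "blog.example-hosting.example.",  # not a claimable provider
}

# Constructed stand-in for the live check: only these resources still exist.
STILL_EXISTING = {"live-site.azurewebsites.net"}

def stub_resource_exists(target):
    return target in STILL_EXISTING

if __name__ == "__main__":
    for host, target, provider in find_dangling_cnames(SAMPLE_CNAMES, stub_resource_exists):
        print(f"DANGLING {host} -> {target} ({provider})")
```

Each flagged record should be deleted or repointed before the name is claimed by someone else; running this against every zone on a schedule catches entries left behind when a cloud resource is decommissioned.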
