A technique for Internet Censorship Circumvention: Domain Fronting
Mandiant (part of FireEye) reported that APT29, a group attributed to the Russian state, has been using domain fronting for at least two years. Over that period Mandiant observed the group combining domain-fronting techniques with clandestine backdoor access in victim environments.
Domain fronting is a relatively recent technique that lets attackers hide command-and-control traffic from infected hosts by making it look like traffic to a trusted, high-reputation domain served by a content delivery network (CDN).
You may have heard of domain fronting in the context of circumventing state censorship of messaging apps such as Signal and Telegram. It defeats blocking by DNS filtering, IP blocklists and DPI that inspects the TLS server name, because every one of those controls sees only the front domain: the client resolves, and puts in the TLS SNI, a harmless and high-value domain, while the real destination appears only in the HTTP Host header inside the encrypted tunnel. Under the hood this works only because a single CDN edge serves many customer domains and routes each request on its Host header. Hunstad says that new technologies can revive certain easy-to-create conditions and apps as domain fronts, creating new types of front domains that blind Internet censors and firewalls to the true purpose of network…
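The mechanics described above, as an added offline model that is not part of the original article and not code from Mandiant or FireEye. Everything here is constructed: the hostnames (front.example-cdn.net, hidden.example-c2.net), the CDN customer table and the cdn_route decision are placeholders, no network traffic is sent, and the "censor" is simply a view of the fields that a DNS filter or SNI-inspecting DPI box can observe. The enforce_sni_host_match flag models the countermeasure several large CDNs deployed in 2018, refusing requests whose Host header does not match the SNI.

```python
"""Domain fronting mechanics, modelled offline (constructed example).

No network traffic is sent. Hostnames and origins are placeholders,
not real infrastructure.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical CDN edge: the customer hostnames it serves and their origins.
# The innocuous front and the fronted target are both customers of the same CDN.
CDN_CUSTOMERS: Dict[str, str] = {
    "front.example-cdn.net": "origin-a.internal",   # popular, high-collateral domain
    "hidden.example-c2.net": "origin-b.internal",   # attacker-controlled origin
}


@dataclass
class FrontedRequest:
    dns_name: str      # name the client resolves (visible to the censor)
    sni: str           # TLS ClientHello server_name (visible to the censor)
    host_header: str   # HTTP Host header inside the TLS tunnel (encrypted)
    raw_http: bytes    # plaintext HTTP/1.1 request as sent inside TLS


def build_fronted_request(front: str, target: str, path: str = "/") -> FrontedRequest:
    """Build the three layers of a fronted request.

    DNS and SNI name the front domain; only the encrypted Host header names
    the real destination. Everything the network sees belongs to the front.
    """
    raw = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()
    return FrontedRequest(dns_name=front, sni=front, host_header=target, raw_http=raw)


def censor_view(req: FrontedRequest) -> Dict[str, str]:
    """What a DNS filter, IP blocklist or SNI-based DPI box can observe."""
    return {"dns": req.dns_name, "sni": req.sni}


def parse_host(raw_http: bytes) -> str:
    """Extract the Host header from the plaintext request (CDN side, after TLS termination)."""
    for line in raw_http.decode().split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Host header")


def cdn_route(sni: str, raw_http: bytes,
              enforce_sni_host_match: bool) -> Tuple[int, Optional[str]]:
    """Hypothetical CDN edge routing decision after terminating TLS.

    Returns (status, origin). A permissive edge routes purely on Host, which
    is what makes fronting work. An edge that requires Host == SNI rejects
    the mismatch with 421 Misdirected Request, and fronting fails.
    """
    host = parse_host(raw_http)
    if enforce_sni_host_match and host != sni:
        return 421, None
    origin = CDN_CUSTOMERS.get(host)
    if origin is None:
        return 404, None
    return 200, origin


if __name__ == "__main__":
    req = build_fronted_request("front.example-cdn.net", "hidden.example-c2.net", "/beacon")
    print("censor sees:", censor_view(req))
    print("permissive CDN routes to:", cdn_route(req.sni, req.raw_http, False))
    print("enforcing CDN answers:", cdn_route(req.sni, req.raw_http, True))
```

Running it shows the asymmetry the article describes: the censor's view contains only the front domain, a permissive edge still delivers the request to the hidden origin, and the same request is refused as soon as the edge insists that Host and SNI agree.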