Domain registration hijacking
Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. 
APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes.
Detection
Detectable by Common Defenses (Yes/No/Partial): No
Explanation: Generally not easily detectable unless the domain registrar provides alerting on any updates.
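Where the registrar offers no alerting, a registrant can keep a known-good snapshot of the registration record and compare it with the current one. The sketch below is an added example, not part of the original page; it assumes the records are RDAP (RFC 9083) JSON, which the page does not name, and all domain names and contact values in it are constructed.

```python
# Added example: compare two RDAP (RFC 9083) domain records and report the
# registration changes a hijack would cause. All sample data is constructed.
import copy

LOCKS = {"client transfer prohibited", "client update prohibited"}

def summarize(rdap):
    """Reduce an RDAP domain object to the fields worth alerting on."""
    contacts = {}
    for ent in rdap.get("entities", []):
        props = ent.get("vcardArray", ["vcard", []])[1]
        ident = sorted(str(p[3]).lower() for p in props if p[0] in ("fn", "email"))
        for role in ent.get("roles", []):
            contacts[role] = ident
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    return {
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "registrar": contacts.get("registrar", []),
        "registrant": contacts.get("registrant", []),
        "expiration": events.get("expiration"),
        "status": sorted(s.lower() for s in rdap.get("status", [])),
    }

def diff_registration(old, new):
    """Return one alert string per changed field, plus any removed lock."""
    before, after = summarize(old), summarize(new)
    alerts = [f"{k}: {before[k]} -> {after[k]}" for k in before if before[k] != after[k]]
    for lock in sorted(LOCKS & (set(before["status"]) - set(after["status"]))):
        alerts.append(f"lock removed: {lock}")
    return alerts

BASELINE = {  # constructed snapshot, stored when the record was known-good
    "ldhName": "example.test",
    "status": ["client transfer prohibited", "client update prohibited"],
    "nameservers": [{"ldhName": "ns1.example.test"}, {"ldhName": "ns2.example.test"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [["email", {}, "text", "hostmaster@example.test"]]]},
    ],
    "events": [{"eventAction": "expiration", "eventDate": "2026-01-01T00:00:00Z"}],
}
OBSERVED = copy.deepcopy(BASELINE)  # constructed snapshot after an unauthorized change
OBSERVED["status"] = ["active"]
OBSERVED["nameservers"] = [{"ldhName": "ns1.parking.test"}]
OBSERVED["entities"][1]["vcardArray"][1][0][3] = "admin@mailbox.test"

if __name__ == "__main__":
    for line in diff_registration(BASELINE, OBSERVED):
        print("ALERT", line)
```

Run on a schedule against a stored baseline, any non-empty result is worth a manual check with the registrar before DNS changes propagate further.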
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: Requires the adversary to gain access to an email account for the person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, or taking advantage of renewal process gaps.
- ICANN Security and Stability Advisory Committee. (2005, July 12). DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS. Retrieved March 6, 2017.