Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

Filed Under: Denial of Service, Featured, Law & order, Phishing, Twitter

Slightly more than a week after the Syrian Electronic Army (SEA) redirected readers of Time, CNN and The Washington Post through its hack of Outbrain, the group continued its online assault of Western media companies by taking down social media giant Twitter and "newspaper of record" The New York Times.

The methods are unknown, but some basic detective work suggests they are continuing their previous work of using phishing to compromise trusted third parties of major brands, rather than attacking the targets directly.

Both The New York Times and Twitter purchase their internet domain names from a company called Melbourne IT Ltd, which does business as Internet Names Worldwide.

This appears to be the source of the trouble.

At about 2013-08-27T12:00-4 (noon on the US East Coast), the first signs of trouble for The New York Times appeared.

The Times' name server records held at Internet Names Worldwide were changed to point at M.SEA.SY, MOD.SEA.SY and SEA.SY, servers under the control of the Syrian Electronic Army.

[Image: WHOIS record for nytimes.com]

This did not impact most internet users immediately, however, as DNS records for high traffic sites are commonly cached for extended periods of time - in the case of the Times, just short of 23 hours.

If we dig a little deeper, we see the IP address of the new name server, 141.105.64.37, which is owned by an ISP in Moscow, Russia.

[Image: WHOIS record for the ISP hosting the SEA name server]

This ISP hosts both the SEA's website as well as other controversial sites like Qatar Leaks.
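The two checks described above, looking at a domain's delegation and at the name server's IP in the registrar's WHOIS data, are exactly what a domain owner can automate. The following is an added example, not code from this article or from Sophos: it parses dig-style NS answers and key/value WHOIS output, compares them against an expected delegation, and reports how long a poisoned record would linger in resolver caches at the observed TTL. The expected name servers (`ns1.example-dns.net.`, `ns2.example-dns.net.`), the expected address range (`192.0.2.0/24`) and the 82800 s TTL are constructed assumptions; the SEA name servers and the 141.105.64.37 address are the values the article reports.

```python
"""Delegation-drift check for a registered domain.

Added example (not the article's or any vendor's code). All sample input is
constructed inline so the script runs offline; in production the dig and WHOIS
text would come from `dig NS <domain>` and `whois <domain>` run on a schedule.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: what `dig NS nytimes.com` could have shown while the
# delegation pointed at the SEA servers named in the article. The 82800 s TTL
# (23 hours) is an assumption approximating the cache lifetime the article cites.
DIG_OUTPUT = """\
;; ANSWER SECTION:
nytimes.com.        82800   IN  NS  m.sea.sy.
nytimes.com.        82800   IN  NS  mod.sea.sy.
nytimes.com.        82800   IN  NS  sea.sy.
"""

# Constructed sample modelled on the WHOIS snippet quoted in the comments.
WHOIS_OUTPUT = """\
Server Name: NYTIMES.COM
IP Address: 141.105.64.37
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
"""

# Hypothetical expected delegation. A real deployment loads this from
# change-controlled configuration, never from the live DNS it is checking.
EXPECTED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation range


@dataclass
class DriftReport:
    unexpected_ns: set[str]   # name servers seen but not expected
    missing_ns: set[str]      # expected name servers no longer present
    unexpected_ips: set[str]  # WHOIS name-server IPs outside expected ranges
    max_ttl: int              # largest TTL observed on the NS answers

    def is_clean(self) -> bool:
        return not (self.unexpected_ns or self.missing_ns or self.unexpected_ips)

    def cache_lifetime_hours(self) -> float:
        """Worst-case time a resolver may keep serving the observed delegation."""
        return self.max_ttl / 3600


def parse_dig_ns(text: str) -> dict[str, int]:
    """Map each NS target in dig answer lines to its TTL; skip comments/other RRs."""
    records: dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "NS":
            records[parts[4].lower()] = int(parts[1])
    return records


def parse_whois(text: str) -> dict[str, str]:
    """Parse 'Key: value' WHOIS lines into a dict with lower-cased keys."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def check_delegation(dig_text: str, whois_text: str,
                     expected_ns: set[str],
                     expected_nets: list[ipaddress.IPv4Network]) -> DriftReport:
    """Compare observed delegation and WHOIS name-server IP with expectations."""
    observed = parse_dig_ns(dig_text)
    observed_ns = set(observed)
    unexpected_ips: set[str] = set()
    ip_text = parse_whois(whois_text).get("ip address")
    if ip_text:
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in expected_nets):
            unexpected_ips.add(ip_text)
    return DriftReport(
        unexpected_ns=observed_ns - expected_ns,
        missing_ns=expected_ns - observed_ns,
        unexpected_ips=unexpected_ips,
        max_ttl=max(observed.values(), default=0),
    )


if __name__ == "__main__":
    report = check_delegation(DIG_OUTPUT, WHOIS_OUTPUT, EXPECTED_NS, EXPECTED_NETS)
    print("clean" if report.is_clean() else "DELEGATION DRIFT")
    print("unexpected NS:", sorted(report.unexpected_ns))
    print("missing NS:   ", sorted(report.missing_ns))
    print("unexpected IP:", sorted(report.unexpected_ips))
    print(f"cached for up to {report.cache_lifetime_hours():.1f} h after correction")
```

Run on a schedule from a host outside the registrar's control, the report is the early warning the article says most users did not get: the delegation changed at noon, but cached records hid it for the better part of a day, and the TTL figure tells you how long the old answer will keep being served after the registrar restores the correct records.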

Just a short while later Twitter started experiencing the same issues. Twitter's records at Internet Names Worldwide were altered in a similar way to those at The Times.

It looks as though the hack was meant merely to divert visitors to the SEA's own site, but (in a fit of almost-amusing irony) produced enough redirected traffic that the SEA effectively DoSed itself, and the site went down.

These incidents demonstrate a sad truth: Security is hard.

Media organizations are well aware of the previous antics of the Syrian Electronic Army and have worked hard to raise their game.

Employees at these companies have been trained to watch out for phishing attacks and be more suspicious of requests for information.

While these reactions are appropriate, they are not enough. You are only as strong as your weakest link, which in this case appears to be an external internet service provider.

Understanding all of the bits and pieces your organization relies on to do its work is only the first step in assessing your "hackability".

I hear from many IT professionals at conferences, seminars and customer engagements that their management wants to know that they are "secure". The answer they want is an answer you really shouldn't give.

You can reduce your risk, though.

These incidents can help raise awareness among your employees about phishing attacks and demonstrate the real risks of being tricked.

Use it as a reminder to everyone about proper authentication practices at your organization.

You should also work with your service providers to find out what they are doing to protect your organization against attacks on their infrastructure.

Note: As of 2013-08-27T23:25Z, Twitter's Indian domain name (twitter.co.in) is still under the control of the Syrian Electronic Army. It is advisable to use twitter.com until Twitter regains control.

Image of a house-lock courtesy of Shutterstock.


6 Responses to Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

  1. So, this affects anyone who has their domains registered through Melbourne, or just certain sites? I ask, because they are my registrar--although my host is a different provider altogether.

    • Chester Wisniewski · 335 days ago

      They were well and truly owned by the sound of it. If your records weren't altered (and they likely were not, you were not the target) you are probably fine. It would be prudent to change your login details just in case a password database was stolen.

      The bigger issue is why an organization like Melbourne is not using two-factor authentication for critical management tools. Might be a question worth asking them.

      • What hasn't really been reported is that numerous smaller websites were also taken down because of this attack. The website that hosts my podcast was hacked by them and redirected to some radio station in India (they also deleted everything from the server; since I don't run the website, I'm not sure how this happened).

  2. Nigel · 335 days ago

    "Note: As of 2013-08-27T23:25Z, Twitter's Indian domain name (twitter.co.in) is still under the control of the Syrian Electronic Army. It is advisable to use twitter.com until Twitter regains control."

    Thanks for the advisory, Chet. I'll ignore the Twitter button on this page until NakedSecurity advises otherwise. ;-)

  3. Bart · 335 days ago

    The NYT has been unavailable to me for just over 24 hours now. I have cleared my cache.

    Why would it take so long to fix?

    • Chester Wisniewski · 334 days ago

      It appears there have still been some shenanigans happening throughout the week. All that is clear is that Melbourne IT don't seem to have everything under control properly. Although I can get to the Times website, I still see a Syrian Electronic Army IP in their WHOIS data:

      Server Name: NYTIMES.COM
      IP Address: 141.105.64.37
      Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
      Whois Server: whois.melbourneit.com
      Referral URL: http://www.melbourneit.com


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.