Sophos Cloud Optix
Slightly more than a week after the Syrian Electronic Army (SEA) redirected readers of Time, CNN and The Washington Post through its hack of Outbrain, the group continued its online assault of Western media companies by taking down social media giant Twitter and “newspaper of record” The New York Times.
The methods are unknown, but some basic detective work suggests they are continuing their previous work of using phishing to compromise trusted third parties of major brands, rather than attacking the targets directly.
Both The New York Times and Twitter purchase their internet domain names from a company called Melbourne IT Ltd, which does business as Internet Names Worldwide.
This appears to be the source of the trouble.
Starting at about 2013-08-27T12:00-4 (noon on the US East Coast), the first signs of trouble for The New York Times began.
The name server records for Internet Names Worldwide were redirected to M.SEA.SY, MOD.SEA.SY and SEA.SY, servers under the control of the Syrian Electronic Army.
This did not impact most internet users immediately, however, as DNS records for high traffic sites are commonly cached for extended periods of time – in the case of the Times, just short of 23 hours.
If we dig a little deeper, we see the IP address of the new name server, 141.105.64.37, which is owned by an ISP in Moscow, Russia.
This ISP hosts both the SEA’s website as well as other controversial sites like Qatar Leaks.
Just a short while later Twitter started experiencing the same issues. Twitter’s records at Internet Names Worldwide were altered in a similar way to those at The Times.
It looks as though the hack was meant merely to divert visitors to the SEA’s own site, but (in a fit of almost-amusing irony) produced enough redirected traffic that the SEA effectively DoSed itself, and the site went down.
These incidents demonstrate a sad truth: Security is hard.
Media organizations are well aware of the previous antics of the Syrian Electronic Army and have worked hard to raise their game.
Employees at these companies have been trained to watch out for phishing attacks and be more suspicious of requests for information.
While these reactions are appropriate, they are not enough. You are only as strong as your weakest link, which in this case appears to be an external internet service provider.
Understanding all of the bits and pieces your organization relies on to do its work is only the first step in assessing your “hackability”.
I hear from many IT professionals at conferences, seminars and customer engagements that their management wants to know that they are “secure”. The answer they want is an answer you really shouldn’t give.
You can reduce your risk, though.
By raising awareness among your employees about phishing attacks, these incidents can help demonstrate the real risks of being tricked.
Use it as a reminder to everyone about proper authentication practices at your organization.
You should also work with your service providers to find out what they are doing to protect your organization against attacks on their infrastructure.
Note: As of 2013-08-27T23:25Z, Twitter’s Indian domain name (twitter.co.in) is still under the control of the Syrian Electronic Army. It is advisable to use twitter.com until Twitter regains control.
Image of a house-lock courtesy of Shutterstock.
So, this affects anyone who has their domains registered through Melbourne, or just certain sites? I ask, because they are my registrar–although my host is a different provider altogether.
They were well and truly owned by the sound of it. If your records weren't altered (and they likely were not, you were not the target) you are probably fine. It would be prudent to change your login details just in case a password database was stolen.
The bigger issue is why an organization like Melbourne is not using two-factor authentication for critical management tools. Might be a question worth asking them.
What hasn't really been reported is that numerous smaller websites were also taken down because of this attack. The website that hosts my podcast was hacked by them, and redirected to some radio station in india (the also deleted everything from the server. Since I don't run the website, I'm not sure how this happened)
"Note: As of 2013-08-27T23:25Z, Twitter's Indian domain name (twitter.co.in) is still under the control of the Syrian Electronic Army. It is advisable to use twitter.com until Twitter regains control."
Thanks for the advisory, Chet. I'll ignore the Twitter button on this page until NakedSecurity advises otherwise. 😉
The NYT has been unavailable to me for just over 24 hours now. I have cleared my cache.
Why would it take so long to fix?
It appears there has still been some shenanigans happening throughout the week. All that is clear is that Melbourne IT don't seem to have everything under control properly. Although I can get to the Times website, I still see a Syrian Electronic Army IP in their WHOIS data:
Server Name: NYTIMES.COM
IP Address: 141.105.64.37
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com