Security Experts:

How The Syrian Electronic Army Pwned Some of The Internet's Biggest Brands

The New York Times and Twitter are the latest online brands that have fallen victim to service-disrupting cyber attacks. 

The website for The New York Times was out of service for hours on Tuesday and into early Wednesday following the attacks which for a time redirected users to a malicious server controlled by the Syrian Electronic Army (SEA).

In addition to the New York Times, at least one domain operated by Twitter was affected by the attack, which caused problems for users trying to view images and photos on the service.

In the case of both attacks, neither utilized advanced hacking techniques to compromise servers or users’ systems via exploits or other means. In fact, the attacks were executed using simple phishing methods that enabled attackers to gain access to online accounts that controlled the domain name services (DNS) for the popular web sites.

The targeted domains are hosted at domain registrar, Melbourne IT. The attackers managed to compromise the customer accounts via successful phishing attacks, which enabled them to modify the name servers for NYTimes.com and twimg.com and hijack the sites.

Late Tuesday, Melbourne IT confirmed to SecurityWeek that a targeted phishing attack was used to gain access to the credentials of users of a Melbourne IT reseller account.  

“Melbourne IT is aware that an account that held multiple domain names was accessed on Melbourne IT's systems using a valid username and password for that account,” a company spokesperson told SecurityWeek in an emailed statement.

“The DNS records of several domain names on that account were changed - including nytimes.com,” the statement added.

Twitter issued the following update Tuesday evening in response to the domain compromise:

 “At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored.  No Twitter user information was affected by this incident.”

Marc Frons, chief information officer for The New York Times, said in a statement Tuesday afternoon that the outage was "the result of a malicious external attack by the Syrian Electronic Army “or someone trying very hard to be them.” Employees were warned to “be careful when sending e-mail communications until this situation is resolved.”

“Since the cache TTL on the [NYTimes.com Domain] was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites,” Matthew Prince, CEO at CloudFlare explained in a blog post. “That did not mean all hacked sites came back online. In some places, DNS recursors continue to have the cached bad records. They will expire over the next 24 hours and traffic to sites will return to normal.”

Ironically, the Syrian Electronic Army made use of Twitter to brag about hacking the service the service the group actually uses to communicate with the outside world.

"Media is going down," a Tweet from the SEA Twitter account said, followed by "Twitter, are you ready?"

Not long after, another Tweet read: “Hi @Twitter, look at your domain, its owned by #SEA :) whois.domaintools.com/twitter.com pic.twitter.com/ck7brWtUhK”.

The attacks are assumed to be in protest to possible military action by the United States against Bashar al-Assad’s regime for alleged use of chemical weapons against civilians in the country's ongoing war.

While Melbourne IT did not share the specific phishing email, a spokesperson told SecurityWeek that the “from address” was faked but made to look like the email was from a trusted person known to the victim. Also, as would be expected in a typical phishing attack, the content of the email “seemed like something the trusted person might send, and the link in the email was an image that looked like a legitimate website.”

What should have alerted victims was that fact that the website asking the user to enter their credentials was a different web address to the one appearing in the phishing email.

The company said that after they were notified, the affected DNS records were changed back to their previous values and the affected records were locked from any further changes at the .com domain name registry. The company also temporarily suspended access to affected user accounts until passwords were changed.

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the account credentials. We are also reviewing additional layers of security that we can add to our accounts,” Melbourne IT said.

According to the domain name records on Tuesday afternoon, the Syrian Electronic Army was listed as a contact for several compromised domains, all of which used Melbourne IT as their domain registrar.

According to OpenDNS, several other high profile domains were hijacked at the DNS level and were redirecting traffic to a server hosting malware and phishing sites hosted at the IP address 141.105.64.37.  Other high profile domains affected include ShareThis and The Huffington Post.

AlienVault’s Jaime Blasco has provided a list of domains (at one time) pointing to the server assumed to be operated by the Syrian Electronic Army.

Melbourne IT suggested that domain name owners take advantage of additional registry lock features available from domain name registries.

“Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult,” CloudFlare’s prince explained. “However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not -- and Twitter.com has a registry lock in place.”

While implementing registry locks is a wise decision, it’s important to remember that registrar systems are only as secure as the devices accessing them. For example, as programmer Florian Bösch pointed out, if any staff member with administrative access is infected by a keylogger on any machines used to access administrative functions, it's “game over for the entire system.”

"While a company like NYT may be able to secure their own platforms, harden their systems and regularly check for vulnerable components on premise – it is a much harder practice when some of that infrastructure is provided by a third party like an ISP or a DNS Hoster, said Imperva web research team leader Tal Be’ery. "At some point, CIO’s need to realize that critical pieces of their online entities are controlled by vendors, and that security policies should apply to them as well. Companies should create contingency plans, and check the security measurements taken by their 3rd party content and infrastructure providers. A DNS is unfortunately, a great example."

The Syrian Electronic Army has been responsible for other recent attacks, including ones that targeted the AFP’s Twitter account and three CBS News accounts, in order to spread propaganda supporting Syria’s President Assad. In May, the group hacked into the Associated Press's Twitter account and falsely reported that President Barack Obama had been injured after two blasts at the White House. The Washington Post website was also hacked earlier this month in an attack blamed on the SEA. 

Related Reading:

Five DNS Threats You Should Protect Against

Are Your Domains Safe? Five Ways to Safeguard Your Domain Name and Website 

Network Solutions' June "Snafu" - Why Heads Should Roll

 The Three Providers Who Decide Whether You Will Be Hacked

*Updated with additional commentary

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.