Hacking group the Syrian Electronic Army has added another major media company to its list of scalps after it took the New York Times’ website offline, and affected Twitter’s image service.
Today’s efforts are just the latest in a series of attacks on Western media from the SEA — an independent group that is supportive of Syrian President Bashar al-Assad — but how did it take down one of the world’s largest newspapers and affect one of the Internet’s most influential social networks?
— SyrianElectronicArmy (@Official_SEA16) August 27, 2013
Taking the New York Times offline
Europe, are you ready?
TNW Conference is back for its 12th year. Reserve your 2-for-1 ticket voucher now.
The answer is Australia — or, more specifically, Melbourne IT: an Australia-based company that handles hosting for Twitter and the NYT, among others.
Statements to TNW from Melbourne IT explain that the SEA was able to enter its IT system by using a reseller’s username and password.
It’s not clear which reseller was breached, or how the SEA landed the details, [Update] Melbourne IT has confirmed that the SEA used phishing tactics to get hold of the log-in details, and its efforts show that the organization went to great lengths to plan this operation. It was not a quick hack for lulz.
Once inside Melbourne IT’s system, the group had access to a range of data and information. It presumably knew exactly what it was looking for and proceeded to change the DNS records of “several domain names,” Melbourne IT says, one of which was nytimes.com.
DNS, for those who don’t know, is akin to a ‘phone book for the Internet’ and is responsible for taking you to the website that you want to visit. It links up alphabetic URLs (such as nytimes.com or thenextweb.com) with their numerical location (like http://220.127.116.11) because trying to memorize dedicated number-based website addresses would be impossible.
So, by switching the DNS record, the SEA was able to reroute traffic to nytimes.com to its own address, taking the prestigious media company offline.
Melbourne IT tells us that it shored up its security the moment that it was aware of the breach — changing DNS records back and locking them, while changing the reseller credentials affected to cut the SEA’s access — but the damage had already been done.
This kind of DNS attack is particularly difficult to fix since it takes some time for things to return to normal. It’s known as ‘time to live’ because the effect of changing a DNS records is not instantly reversed due to servers caching lookups for a specified time (hat-tip to commenter ‘Steerio’ for pointing this out). Indeed, it could take up to one day before the situation returns to normal.
(The NYT is publishing content at news.nytco.com/global in the meantime.)
Twitter images affected
The situation is slightly different for Twitter, however, since it wasn’t taken offline.
In a post on its status blog, Twitter revealed that “viewing of images and photos [on the service] was sporadically impacted” after one of its DNS records was altered.
Though the record has now been reset — like that of the nytimes.com — it will take some time before things return to normal due to the nature of a DNS change. That explains why you may be seeing many Twitter users’ avatars missing on Twitter.com, TweetDeck and other services.
Twitter uses a number of companies for its DNS records. It appears that since most of the data is stored with US-based Dyn, which was not compromised, the service did not go offline.
A Dyn spokesperson confirmed to TNW that the company has its security on high alert:
“We are doing everything we can to support those affected by this attack, and are making doubly certain our own staff are on high alert. This is a tight group of global recursive, authoritative, and domain registrar operators, and we stand together to help one another.”
Inevitable weakness of the global chain
This episode follows the SEA’s other recent hackings — Sky, Financial Times, BBC Twitter accounts, the National Public Radio service, the Guardian newspaper, and the Associated Press — and highlights the vulnerability of the chain of command behind Internet sites. Even if your own security is watertight, you are relying on others to do likewise.
A simple phishing email to a domain reseller in Australia was the breakthrough that ultimately brought down the New York Times and affect Twitter.
Further reading: Details Behind Today’s Internet Hacks [CloudFlare]
Headline image via Ramin Talaie / AFP / Getty Images