The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on August 28, 2013

This is how the Syrian Electronic Army ‘hacked’ the New York Times and Twitter

This is how the Syrian Electronic Army ‘hacked’ the New York Times and Twitter
Jon Russell
Story by

Jon Russell

Jon Russell was Asia Editor for The Next Web from 2011 to 2014. Originally from the UK, he lives in Bangkok, Thailand. You can find him on T Jon Russell was Asia Editor for The Next Web from 2011 to 2014. Originally from the UK, he lives in Bangkok, Thailand. You can find him on Twitter, Angel List, LinkedIn.

Hacking group the Syrian Electronic Army has added another major media company to its list of scalps after it took the New York Times’ website offline, and affected Twitter’s image service.

Today’s efforts are just the latest in a series of attacks on Western media from the SEA — an independent group that is supportive of Syrian President Bashar al-Assad — but how did it take down one of the world’s largest newspapers and affect one of the Internet’s most influential social networks?

Taking the New York Times offline

The answer is Australia — or, more specifically, Melbourne IT: an Australia-based company that handles hosting for Twitter and the NYT, among others.

Statements to TNW from Melbourne IT explain that the SEA was able to enter its IT system by using a reseller’s username and password. It’s not clear which reseller was breached, or how the SEA landed the details, [Update] Melbourne IT has confirmed that the SEA used phishing tactics to get hold of the log-in details, and its efforts show that the organization went to great lengths to plan this operation. It was not a quick hack for lulz.

Once inside Melbourne IT’s system, the group had access to a range of data and information. It presumably knew exactly what it was looking for and proceeded to change the DNS records of “several domain names,” Melbourne IT says, one of which was

DNS, for those who don’t know, is akin to a ‘phone book for the Internet’ and is responsible for taking you to the website that you want to visit. It links up alphabetic URLs (such as or with their numerical location (like because trying to memorize dedicated number-based website addresses would be impossible.

So, by switching the DNS record, the SEA was able to reroute traffic to to its own address, taking the prestigious media company offline.


Melbourne IT tells us that it shored up its security the moment that it was aware of the breach — changing DNS records back and locking them, while changing the reseller credentials affected to cut the SEA’s access — but the damage had already been done.

This kind of DNS attack is particularly difficult to fix since it takes some time for things to return to normal. It’s known as ‘time to live’ because the effect of changing a DNS records is not instantly reversed due to servers caching lookups for a specified time (hat-tip to commenter ‘Steerio’ for pointing this out). Indeed, it could take up to one day before the situation returns to normal.

(The NYT is publishing content at in the meantime.)

Twitter images affected

The situation is slightly different for Twitter, however, since it wasn’t taken offline.

In a post on its status blog, Twitter revealed that “viewing of images and photos [on the service] was sporadically impacted” after one of its DNS records was altered.

Though the record has now been reset — like that of the — it will take some time before things return to normal due to the nature of a DNS change. That explains why you may be seeing many Twitter users’ avatars missing on, TweetDeck and other services.


Twitter uses a number of companies for its DNS records. It appears that since most of the data is stored with US-based Dyn, which was not compromised, the service did not go offline.

A Dyn spokesperson confirmed to TNW that the company has its security on high alert:

“We are doing everything we can to support those affected by this attack, and are making doubly certain our own staff are on high alert. This is a tight group of global recursive, authoritative, and domain registrar operators, and we stand together to help one another.”

Inevitable weakness of the global chain

This episode follows the SEA’s other recent hackings — Sky, Financial TimesBBC Twitter accounts, the National Public Radio servicethe Guardian newspaper, and the Associated Press — and highlights the vulnerability of the chain of command behind Internet sites. Even if your own security is watertight, you are relying on others to do likewise.

A simple phishing email to a domain reseller in Australia was the breakthrough that ultimately brought down the New York Times and affect Twitter.

Further reading: Details Behind Today’s Internet Hacks [CloudFlare]

Headline image via Ramin Talaie / AFP / Getty Images