How the Syrian Electronic Army Hit Both Twitter and the New York Times

Aug. 27 2013 10:15 PM


UPDATE, Tuesday, Aug. 27, 10:09 p.m.: Once again, it turns out that the Syrian Electronic Army infiltrated its major U.S. media targets indirectly, by compromising a related third party.

Will Oremus

Will Oremus is Slate's senior technology writer.

The hack that took down the New York Times homepage on Tuesday afternoon and knocked out embedded images on Twitter was the result of a phishing attack on an Australian Web-hosting firm, Melbourne IT, the firm confirmed Tuesday evening. From the Australian Financial Review:

A spokesman for the Melbourne-based company said the login credentials of a reseller for the company had been compromised, allowing attackers to access servers and change key details that direct users to the correct websites.

The New York Times’ own story on the hack also identifies the direct target as Melbourne IT, which both the Times and Twitter apparently use as their domain-name registrar. The Times’ chief information officer, Marc Frons, affirmed—slightly cryptically—that the culprit was “the Syrian Electronic Army or someone trying very hard to be them.” Twitter did not mention Melbourne IT or the SEA by name, but issued a statement acknowledging that DNS records had been modified for twimg.com, one of the domains Twitter uses to display images.

The note of uncertainty in Frons’ statement about the SEA stems from the murkiness surrounding the hacker group, about which not a lot is known except that it appears to vociferously support the regime of Bashar al-Assad. Whether it does any good on behalf of that regime is unclear. The Washington Post’s Max Fisher suggests that the group’s actions make “a lot more sense if you think of them as pranksters who also happen to love Assad than as state-aligned hackers in pursuit of concrete goals.” On the other hand, the Times notes that Syrian rebels and some security experts take the group far more seriously, viewing it as “the outward-facing campaign of a much quieter surveillance campaign focused on Syrian dissidents.”

Either way, it’s clear that the group’s attacks on U.S. media organizations are growing more sophisticated, if still not particularly damaging. Major domain-name registrars like Melbourne IT are supposed to maintain tight security. But the SEA has demonstrated once again the power of carefully crafted phishing attacks—schemes that involve tricking an organization’s individual employees into downloading malware or giving out sensitive information. That’s the same approach the hacker group has used in the past to gain control of the Twitter accounts of major media organizations, including the Associated Press. (I wrote in more detail about the AP phishing attack here.)

Melbourne IT ranks as the world’s sixth-largest ICANN domain registrar, responsible for some 2.5 million domains, according to webhosting.info. By far the largest is U.S.-based Go Daddy, with over 25 million.

Original post, Tuesday, Aug. 27, 5:59 p.m.: Two weeks ago, I wrote that the hackers in the Syrian Electronic Army were getting the upper hand on U.S. media outlets. Today, if initial reports are correct, they appear to have stepped up their game another notch.

The homepage of the New York Times went down Tuesday afternoon, and a spokeswoman for the paper reported that the outage was "most likely" the result of a "malicious external attack." Whether it was in fact the work of the Syrian Electronic Army was not immediately clear, but at least one security researcher reported that the Times’ domain name server appeared to be pointing to a Syrian Electronic Army domain. Meanwhile, the Times continued to publish stories using a workaround, directing readers to its naked IP address—http://170.149.168.130/ —rather than to www.nytimes.com.

Meanwhile, the SEA is claiming that it has hacked Twitter itself:

You might notice that the images in the tweet above are broken. Whether that’s part of the SEA’s Twitter hack is also not clear, but it seems plausible—Twitter was rife with broken images Tuesday afternoon. The link in the tweet points to a “WhoIs” site, which keeps records of the owners of various Web addresses. As of 5:45 p.m. on Wednesday, the site was showing the administrator name for Twitter.com as “SEA SEA,” with an email address of sea@sea.sy.

Circa’s Anthony De Rosa found what could be a link between the two hacks:

And at around 5:45 p.m., the SEA issued a new tweet suggesting that the Huffington Post’s U.K. site might be compromised as well:

The story is still developing. The bottom line, for now: The SEA is continuing to make good on its threat to retaliate for Twitter’s takedown of its account, but it still has not accomplished anything particularly substantive in the way of damaging critical U.S. websites or getting its message out to the public. Yet.

Future Tense is a partnership of Slate, New America, and Arizona State University.
