How the Syrian Electronic Army Hit Both Twitter and the New York Times

Future Tense
The Citizen's Guide to the Future
Aug. 27 2013 10:15 PM

UPDATE, Tuesday, Aug. 27, 10:09 p.m.: Once again, it turns out that the Syrian Electronic Army infiltrated its major U.S. media targets indirectly, by compromising a related third party.

Will Oremus

Will Oremus is Slate's senior technology writer.

The hack that took down the New York Times homepage on Tuesday afternoon and knocked out embedded images on Twitter was the result of a phishing attack on an Australian Web-hosting firm, Melbourne IT, the firm confirmed Tuesday evening. From the Australian Financial Review:

A spokesman for the Melbourne-based company said the login credentials of a reseller for the company had been compromised, allowing attackers to access servers and change key details that direct users to the correct websites.

The New York Times’ own story on the hack also identifies the direct target as Melbourne IT, which both the Times and Twitter apparently use as their domain-name registrar. The Times’ chief information officer, Marc Frons, affirmed—slightly cryptically—that the culprit was “the Syrian Electronic Army or someone trying very hard to be them.” Twitter did not mention Melbourne IT or the SEA by name, but issued a statement acknowledging that DNS records had been modified for twimg.com, one of the domains Twitter uses to display images.

The note of uncertainty in Frons’ statement about the SEA stems from the murkiness surrounding the hacker group, about which not a lot is known except that it appears to vociferously support the regime of Bashar al-Assad. Whether it does any good on behalf of that regime is unclear. The Washington Post’s Max Fisher suggests that the group’s actions make “a lot more sense if you think of them as pranksters who also happen to love Assad than as state-aligned hackers in pursuit of concrete goals.” On the other hand, the Times notes that Syrian rebels and some security experts take the group far more seriously, viewing it as “the outward-facing campaign of a much quieter surveillance campaign focused on Syrian dissidents.”

Either way, it’s clear that the group’s attacks on U.S. media organizations are growing more sophisticated, if still not particularly damaging. Major domain-name registrars like Melbourne IT are supposed to maintain tight security. But the SEA has demonstrated once again the power of carefully crafted phishing attacks—schemes that involve tricking an organization’s individual employees into downloading malware or giving out sensitive information. That’s the same approach the hacker group has used in the past to gain control of the Twitter accounts of major media organizations, including the Associated Press. (I wrote in more detail about the AP phishing attack here.)

Melbourne IT ranks as the world’s sixth-largest ICANN domain registrar, responsible for some 2.5 million domains, according to webhosting.info. By far the largest is U.S.-based Go Daddy, with over 25 million.

Original post, Tuesday, Aug. 27, 5:59 p.m.: Two weeks ago, I wrote that the hackers in the Syrian Electronic Army were getting the upper hand on U.S. media outlets. Today, if initial reports are correct, they appear to have stepped up their game another notch.

The homepage of the New York Times went down Tuesday afternoon, and a spokeswoman for the paper reported that the outage was "most likely" the result of a "malicious external attack." Whether it was in fact the work of the Syrian Electronic Army was not immediately clear, but at least one security researcher reported that the Times’ domain name server appeared to be pointing to a Syrian Electronic Army domain. Meanwhile, the Times continued to publish stories using a workaround, directing readers to its naked IP address—http://170.149.168.130/—rather than to www.nytimes.com.

Meanwhile, the SEA is claiming that it has hacked Twitter itself:

You might notice that the images in the tweet above are broken. Whether that’s part of the SEA’s Twitter hack is also not clear, but it seems plausible—Twitter was rife with broken images Tuesday afternoon. The link in the tweet points to a “WhoIs” site, which keeps records of the owners of various Web addresses. As of 5:45 p.m. on Wednesday, the site was showing the administrator name for Twitter.com as “SEA SEA,” with an email address of sea@sea.sy.
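The two public signs described in this post, a name server pointing somewhere unexpected and a rewritten WHOIS administrator contact, are what a domain owner can watch for by comparing the current record against a known-good baseline. The Python check below is an added example, not part of the original article or any tool it mentions. The domain, name servers, baseline values and WHOIS field labels are constructed assumptions (labels vary by registry); only the "SEA SEA" name and sea@sea.sy address come from the text above.

```python
import re

# Known-good registration data recorded by the domain owner (constructed values).
BASELINE = {
    "name server": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
    "admin name": {"hostmaster"},
    "admin email": {"hostmaster@news-site.example"},
}

# Constructed WHOIS text; only the admin name and email mirror the article.
HIJACKED_WHOIS = """\
% constructed sample, not real registry output
Domain Name: NEWS-SITE.EXAMPLE
Admin Name: SEA SEA
Admin Email: sea@sea.sy
Name Server: NS1.ATTACKER.EXAMPLE.
Name Server: ns2.attacker.example
"""

CLEAN_WHOIS = """\
Admin Name: Hostmaster
Admin Email: hostmaster@news-site.example
Name Server: ns1.dns-provider.example
Name Server: NS2.DNS-PROVIDER.EXAMPLE.
"""

def parse_whois(text):
    """Map each lowercased 'Key: value' label to the set of its normalized values."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%#]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:  # comment and blank lines do not match
            value = m.group(2).lower().rstrip(".")  # ignore case and trailing dot
            record.setdefault(m.group(1).lower(), set()).add(value)
    return record

def registration_drift(whois_text, baseline=BASELINE):
    """Return (field, unexpected, missing) for every baseline field that changed."""
    observed = parse_whois(whois_text)
    findings = []
    for field, expected in baseline.items():
        seen = observed.get(field, set())
        if seen != expected:
            findings.append((field, sorted(seen - expected), sorted(expected - seen)))
    return sorted(findings)

if __name__ == "__main__":
    for field, unexpected, missing in registration_drift(HIJACKED_WHOIS):
        print(f"ALERT {field}: unexpected={unexpected} missing={missing}")
```

Run on a schedule against fresh WHOIS or RDAP output, a non-empty result is the cue to contact the registrar out of band before resolvers cache the changed delegation widely.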

Circa’s Anthony De Rosa found what could be a link between the two hacks:

And at around 5:45 p.m., the SEA issued a new tweet suggesting that the Huffington Post’s U.K. site might be compromised as well:

The story is still developing. The bottom line, for now: The SEA is continuing to make good on its threat to retaliate for Twitter’s takedown of its account, but it still has not accomplished anything particularly substantive in the way of damaging critical U.S. websites or getting its message out to the public. Yet.

Future Tense is a partnership of Slate, New America, and Arizona State University.
