How the Syrian Electronic Army Hit Both Twitter and the New York Times

Future Tense
The Citizen's Guide to the Future
Aug. 27 2013 10:15 PM

How the Syrian Electronic Army Hit Both Twitter and the New York Times

SEA NY Times hack

Screenshot / NYTimes.com

UPDATE, Tuesday, Aug. 27, 10:09 p.m.: Once again, it turns out that the Syrian Electronic Army infiltrated its major U.S. media targets indirectly, by compromising a related third party.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

The hack that took down the New York Times homepage on Tuesday afternoon and knocked out embedded images on Twitter was the result of a phishing attack on an Australian Web-hosting firm, Melbourne IT, the firm confirmed Tuesday evening. From the Australian Financial Review:

A spokesman for the Melbourne-based company said the login credentials of a reseller for the company had been compromised, allowing attackers to access servers and change key details that direct users to the correct websites.
Advertisement

The New York Times’ own story on the hack also identifies the direct target as Melbourne IT, which both the Times and Twitter apparently use as their domain-name registrar. The Times’ chief information officer, Marc Frons, affirmed—slightly cryptically—that the culprit was “the Syrian Electronic Army or someone trying very hard to be them.” Twitter did not mention Melbourne IT or the SEA by name, but issued a statement acknowledging that DNS records had been modified for twimg.com, one of the domains Twitter uses to display images.

The note of uncertainty in Frons’ statement about the SEA stems from the murkiness surrounding the hacker group, about which not a lot is known except that it appears to vociferously support the regime of Bashar al-Assad. Whether it does any good on behalf of that regime is unclear. The Washington Post’s Max Fisher suggests that the group’s actions make “a lot more sense if you think of them as pranksters who also happen to love Assad than as state-aligned hackers in pursuit of concrete goals.” On the other hand, the Times notes that Syrian rebels and some security experts take the group far more seriously, viewing it as “the outward-facing campaign of a much quieter surveillance campaign focused on Syrian dissidents.”

Either way, it’s clear that the group’s attacks on U.S. media organizations are growing more sophisticated, if still not particularly damaging. Major domain-name registrars like Melbourne IT are supposed to maintain tight security. But the SEA has demonstrated once again the power of carefully crafted phishing attacks—schemes that involve tricking an organization’s individual employees into downloading malware or giving out sensitive information. That’s the same approach the hacker group has used in the past to gain control of the Twitter accounts of major media organizations, including the Associated Press. (I wrote in more detail about the AP phishing attack here.)

Melbourne IT ranks as the world’s sixth-largest ICANN domain registrar, responsible for some 2.5 million domains, according to webhosting.info. By far the largest is U.S.-based Go Daddy, with over 25 million.

Original post, Tuesday, Aug. 27, 5:59 p.m.: Two weeks ago, I wrote that the hackers in the Syrian Electronic Army were getting the upper hand on U.S. media outlets. Today, if initial reports are correct, they appear to have stepped up their game another notch.

The homepage of the New York Times went down Tuesday afternoon, and a spokeswoman for the paper reported that the outage was "most likely" the result of a "malicious external attack." Whether it was in fact the work of the Syrian Electronic Army was not immediately clear, but at least one security researcher reported that the Times’ domain name server appeared to be pointing to a Syrian Electronic Army domain. Meanwhile, the Times continued to publish stories using a workaround, directing readers to its naked IP address—http://170.149.168.130/ —rather than to www.nytimes.com.

Meanwhile, the SEA is claiming that it has hacked Twitter itself:

You might notice that the images in the tweet above are broken. Whether that’s part of the SEA’s Twitter hack is also not clear, but it seems plausible—Twitter was rife with broken images Tuesday afternoon. The link in the tweet points to a “WhoIs” site, which keeps records the owners of various Web addresses. As of 5:45 p.m. on Wednesday, the site was showing the administrator name for Twitter.com as “SEA SEA,” with an email address of sea@sea.sy.

Circa’s Anthony De Rosa found what could be a link between the two hacks:

And at around 5:45 p.m., the SEA issued a new tweet suggesting that the Huffington Post’s U.K. site might be compromised as well:

The story is still developing. The bottom line, for now: The SEA is continuing to make good on its threat to retaliate for Twitter’s takedown of its account, but it still has not accomplished anything particularly substantive in the way of damaging critical U.S. websites or getting its message out to the public. Yet.

Future Tense is a partnership of SlateNew America, and Arizona State University.

  Slate Plus
Working
Nov. 27 2014 12:31 PM Slate’s Working Podcast: Episode 11 Transcript Read what David Plotz asked a helicopter paramedic about his workday.