NY Times Caught In Syrian Hacker Attack

Hacks amount to warning shots, threatening more widespread cyberattacks should the U.S. and allies launch military campaign against Syria, warns security expert.

(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA) Tuesday hacked nine websites, including
The New York Times
, Twitter and Twitters image service Twimg. Some visitors to the affected sites were redirected to hacker-controlled servers that attempted to launch drive-by malware attacks.
Throughout Tuesday and into Wednesday, many of the hacked sites remained unavailable or intermittently accessible, as a battle unfolded between hackers and site owners, with each attempting to wrest control from the other by adjusting the domain name system (DNS) settings for the hacked sites. Website disruptions varied geographically, complicated by DNS registries in different parts of the world receiving updates at different intervals.
The affected domain names were all registered through Australia-based Melbourne IT, which confirmed Wednesday that its systems had been compromised by hackers. The company said Wednesday that it had restored the hacked DNS credentials, locked those records to prevent further changes, disabled the legitimate account credentials that hackers had used to access its systems, and continued to investigate the intrusion.
The hack attacks come as the United States and its allies -- including the Arab League, Australia, Britain, France, Italy, Saudi Arabia and Turkey --
debate launching a military intervention in Syria
in response to a large-scale chemical attack last Wednesday in the suburbs of Damascus. The attack, which killed hundreds of people, has been attributed to the regime of Syrian President Bashar al-Assad, although the government has denied that allegation.
[ What caused last weeks stock exchange outage? Read
Nasdaq Outage Explored: 7 Facts
. ]
Sean Sullivan, security advisor at F-Secure Labs, said the SEAs Tuesday hacks amounted to
online warning shots
directed at the United States. Bottom line: if the United States launches a cruise missile at Syria ... there will definitely be a cyber response, he
tweeted
Wednesday.
The SEA has previously
hacked media outlets
websites and Twitter feeds for advancing what it sees as a negative view of the Syrian regime. Victims have included the
Associated Press
, CBS News, NPR, the BBC and satire site
The Onion
.
As of Wednesday morning, the
SEAs own website
remained unavailable, suggesting that it was the focus of a distributed denial of service attack.
The first signs of the SEAs Tuesday DNS hack campaign appeared when the
Times
website became unreachable. Shortly thereafter,
Times
spokeswoman Eileen Murphy said in a tweet
that the website disruption is most likely result of malicious external attack. The
Times
later
released more details
, although as of Wednesday morning its site -- and that article -- remained largely unreachable.
The
Times
websites DNS settings as well as some registration details were compromised by hackers Tuesday, with the admin name altered to read SEA, address changed to Syrian Arab Republic and email changed to [email protected]. Connecting directly to one of the Apache servers used by the
Times
returned a message that read Hacked by SEA before the connection was closed, the
SANS Institute reported
Tuesday.
The SEA Tuesday also claimed credit for the attacks
via Twitter
. Hi @Twitter, look at your domain, its owned by #SEA :) read one tweet, which linked to
Whois details for the Twitter domain
listing SEA SEA as the admin name. After compromising the DNS settings of the various websites, the SEA rerouted some website visitors to hacker-controlled servers, and may have also intercepted email and traffic heading to and from the affected domains. All three domains use Melbourne IT as their domain registrar. Once access to the registrar is obtained, the SEA can redirect all DNS, email and Web traffic going to these sites to a server of their choosing, HD Moore, chief research officer at Rapid7,
told Threatpost
.
AlienVaults Jaime Blasco
posted a full list of sites that appeared to be redirecting to an SEA server, including not just the
Times
site but also Twitter and
Huffington Post
sites with a top-level U.K. domain name.
Throughout Tuesday, administrators for the
Times
played ping-pong with the SEA, as each side continued to update the DNS settings. CloudFlare CEO Matthew Prince said his company was helping the
Times
clean up the mess, and Tuesday turned to two of the largest recursive DNS providers: OpenDNS and Google to help prevent users from being redirected by malicious sites. Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected, Prince said in a
blog post
Tuesday. OpenDNS and Googles DNS team worked to correct the hacked records for the customers of their recursive DNS services.
Numerous other sites -- including Google.com, Microsoft.com and Yahoo.com -- are also registered through Melbourne IT, raising the prospect that the SEA might still be able to trigger more widespread outages. These other domains show no indication of being compromised, but if the attackers have found a weakness in the Melbourne IT system, these other domains may also be at risk, Moore
told
Mashable
.
Melbourne IT said it traced the attack to a valid account at a U.S. reseller. What we do know is that a valid username and password were used to access our systems, Melbourne ITs chief executive, Theo Hnarakis,
told Australias
Financial Review
Wednesday. As far as the cause and how these perpetrators secured the name, we are not sure. We are still working with the reseller in the U.S. to work out exactly whats happening and whether its a vulnerability on our side, on their side or with the customer.
According to a statement released by Melbourne IT, not all of the SEAs DNS hacking attempts were successful, thanks to some customers having used optional security controls. For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com -- some of the domain names targeted on the reseller account had these lock features active and were thus not affected, it said.
Any sites that may be targeted by the SEA would do well to heed that DNS security advice, especially since the group may soon ramp up its online attacks.
According to the United Nations, the two-year-old Syrian civil war has claimed more than 100,000 lives. Many Middle Eastern commentators see the conflict as a proxy war, with the winner set to gain an edge in regional power. Bloomberg reported in June that the U.S. and its allies declined to enter the Syrian conflict, believing that
Assads days were numbered
. Instead, with the backing of Iran, his regime has posted notable gains.
But the prospect of imminent military intervention in Syria appears now all but certain after the the Arab League Tuesday
condemned the Syrian government
for last weeks chemical attack, as well as two years of its crimes of genocide. The 22-member organization urged the UN Security Council to act, and said that it demands that all the perpetrators of this heinous crime be presented for international trials.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
NY Times Caught In Syrian Hacker Attack