At approximately 3pm PST, the Syrian Electronic Army seemingly hacked into Twitter, Huffington Post and NY Times’ registry accounts altering contact details, and more significantly, DNS records. Modifying DNS records of a domain will allow SEA to redirect visitors to any site of their choosing.
First reported by Matthew Keys, this is the latest of many attacks by the pro-Syrian government computer hackers who align themselves with Syrian president Bashar al-Assad.
The flurry of DNS hacks began when the group initially posted a tweet with a screenshot of the whois records for Twitter.com and a link for others to verify its authenticity:
The SEA followed up with a screenshot of a list of Twitter accounts the group presumably had access to:
Contact details for the Twitter.com domain were changed, but it’s reasonable to assume that if the SEA had the ability to change contact information, they may very well have had the ability to change DNS records and point the Twitter.com domain elsewhere, redirecting visitors and users.
The SEA also altered the DNS records for twimg.com which Twitter uses for virtually all CSS, JS, images, cookies and more. This means for many users, Twitter.com wouldn’t load correctly and avatars were unavailable across many Twitter clients.
For the NY Times, the situation was (and remains) equally serious with subdomains being created and even reports of the homepage being redirected. The NY Times has since issued a statement claiming the issues were related to an attack on the company’s domain name registrar Melbourne IT.
“The New York Times Web site was unavailable to readers on Tuesday afternoon following an attack on the company’s domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive e-mails.”
HuffingtonPost UK also had its DNS records altered but as 4pm PST both HuffingtonPost UK’s whois and DNS records as well as those of Twitter’s appears to have been corrected. Twimg and NY Times’ still include records pointing to the SEA.
Twitter has issued a statement on the matter, only addressing the twimg.com downtime.
“At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.”
If you’ve not heard of the Syrian Electronics Army, then you might find it interesting to know that this is the group that is responsible for cyber attacks against the BBC, the Associated Press, the Guardian, and, obviously, Twitter. It says that its aim is to go after those that oppose Syria’s President Bashar al-Assad, although in some attacks, the motives are questionable. The Verge recently analyzed the group and says that the SEA frequently departs from its original message and shifts towards a more comedic front, akin to something you might see from Lulzsec.
In its report, The Verge quoted Eva Galperin, global public policy analyst at the Electronic Frontier Foundation:
While it may seem a little bit like they’re doing it for the lulz because it is kind of random, it is ideologically motivated in the sense that these are all supporters of the Assad regime. And they’re looking to get a message out about what they feel is bias in the media against Assad.
Why exactly did the SEA attack Twitter, the New York Times, and the Huffington Post via MelbourneIT? It’s not entirely sure, but one could speculate that it’s because of what some may believe to be an impending strike by the United States against Syria. The proposed missile strike is said to last for three days and is in response to Syria’s supposed use of chemical weapons on its civilians.
Photo credit: Oli Scarff/Getty Images