Syrian Electronic Army Steps Up a Gear – Re-Directs Major Websites to its Domain

With the increasing possibility that the US, UK and France are likely to use military force against the Assad regime in Syria, is SEA in the process of escalating its own behavior?

“Is it just me, or is http://nytimes.com down?”, tweeted security researcher Matt Blaze yesterday. It wasn’t just him, but the outage was patchy, depending on location. That’s because it wasn’t NYT’s website that had been hacked, but the domain registrar that holds the NYT domain name. Because DNS records are cached at each level on the way back up to the Verisign TLD registry, different areas can be using different DNS records for a short period.

What seems to have happened is that the SEA had compromised the MelbourneIT registrar, gaining access to its administrative control panel. This meant that it could effectively hijack entire websites simply by editing the records to point to its own domain instead of the correct websites. It also meant, of course, that the New York Times was potentially not the only affected website – and AlienVault has compiled a list of domains that it found pointing to an SEA server. Apart from the NYT, the list also includes twitter.co.uk, huffingtonpost.co.uk, sharethis.com and twimg.com.

With reference to the last, Twitter issued a service status report late yesterday: “At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.”

It seems that the attack was typical SEA hacktivism – the primary purpose is to publicize its political support for the Bashar Al-Assad regime in Syria. “There is no profit involved – however making all of us aware of the Syrian rebellion is their goal,” explains Barry Shteiman, senior security strategist at Imperva. “The Syrian Electronic Army is very successful in creating the awareness that they are after.”

But this new development continues a recent trend for more sophisticated and complex SEA operations. Until a couple of months ago, SEA was best known for hacking Twitter accounts and posting pro-regime tweets, often with a humorous element. More recently it hacked “international communications websites such as TrueCaller, Tango, and Viber, which could give Syrian intelligence access to the communications of millions of people – including real human beings who are vulnerable to espionage, intimidation, and/or arrest,” notes a FireEye blog.

Hacking MelbourneIT is another level again. Firstly, Matthew Prince at CloudFlare points out that “MelbourneIT has traditionally been known as one of the more secure registrars.” Secondly, MelbourneIT did not seem to be able to immediately regain control from SEA. The NYT reported this morning, “The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again.” It added that Marc Frons, NYT’s CIO, suggested that, compared to this, SEA’s earlier exploits were “sort of like breaking into the local savings and loan versus breaking into Fort Knox.”

The question now, with this new level of hacking, is whether the SEA will remain relatively ‘harmless’. It certainly has the potential to deliver serious criminal damage rather than ‘just’ propaganda. Jaime Blasco, director at AlienVault, explains the potential. “Hackers who successfully break into MelbourneIT’s systems (MelbourneIT serves as the registrar for some of the best known domain names on the internet, including Microsoft.com and Yahoo.com) could potentially redirect and intercept emails sent to addresses under certain domains. Users of sites that don’t begin with ‘https’ could have been fooled into entering passwords that could have been captured.”
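The registrar-side record edits described above, and the email-redirection risk Blasco raises, are what a domain owner’s monitoring should catch. The following is an added example, not code from the article or from any of the companies quoted: it compares the NS, A and MX answers seen from several resolvers against a pinned baseline and separates a fully propagated change from the “patchy” state caused by resolver caching. All domain names, addresses and resolver names are constructed sample data; a real monitor would fill SNAPSHOTS from live queries on a schedule.

```python
# Added example (not the article's or any vendor's code): detect a registrar-level
# DNS hijack by comparing the NS/A/MX answers several resolvers return against a
# pinned baseline. All record values and resolver names are constructed samples.

# Pinned "known good" record sets for the monitored domain (constructed values).
BASELINE = {
    "NS": {"ns1.example-registrar.net", "ns2.example-registrar.net"},
    "A":  {"192.0.2.10"},
    "MX": {"mail.example.com"},
}

# Constructed snapshots from four resolvers. Resolvers keep a record until its
# TTL expires, so after a registrar-side edit some still serve the old answers
# while others already serve the attacker's: the "patchy" outage in the article.
SNAPSHOTS = {
    "resolver-eu":   {"NS": set(BASELINE["NS"]), "A": {"192.0.2.10"}, "MX": {"mail.example.com"}},
    "resolver-us":   {"NS": {"ns1.attacker.example"}, "A": {"198.51.100.7"}, "MX": {"mail.attacker.example"}},
    "resolver-asia": {"NS": {"ns1.attacker.example"}, "A": {"198.51.100.7"}, "MX": {"mail.example.com"}},
    "resolver-open": {"NS": set(BASELINE["NS"]), "A": {"192.0.2.10"}, "MX": {"mail.example.com"}},
}

def diff_snapshot(snapshot, baseline):
    """Return {rrtype: (missing, unexpected)} for every record set that differs."""
    findings = {}
    for rrtype, expected in baseline.items():
        seen = set(snapshot.get(rrtype, ()))
        if seen != expected:
            findings[rrtype] = (expected - seen, seen - expected)
    return findings

def assess(snapshots, baseline):
    """Classify the domain across resolvers: 'clean' (all match the baseline),
    'partial' (some diverge; a change is still propagating through caches) or
    'hijacked' (every resolver diverges). Also returns per-resolver findings."""
    divergent = {n: d for n, s in snapshots.items() if (d := diff_snapshot(s, baseline))}
    if not divergent:
        return "clean", divergent
    if len(divergent) == len(snapshots):
        return "hijacked", divergent
    return "partial", divergent

def rogue_values(divergent):
    """Collect the unexpected values by record type: rogue NS/A records point
    users at the attacker's hosting, a rogue MX means mail for the domain can
    be intercepted, which is the risk Blasco describes."""
    rogue = {}
    for findings in divergent.values():
        for rrtype, (_missing, unexpected) in findings.items():
            rogue.setdefault(rrtype, set()).update(unexpected)
    return rogue
```

A `partial` result is the moment to act: the registrar account should be locked and the records restored before the remaining caches expire and every resolver serves the rogue answers.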

CloudFlare also comments, “Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected.” At a point in history where it seems increasingly possible, or even likely, that the US and some European countries, including the UK and France, will use military force against the Assad regime in Syria, is SEA in the process of escalating its own behavior?
