Hackers from the Syrian Electronic Army have managed to hijack, deface and/or make unavailable the websites of The New York Times, Huffington Post UK and one of Twitter's image-serving domains (twimg.com).
The attack started at approximately 3pm PST, and the NYT website was made to sport a notice proclaiming SEA’s responsibility for the hack.
But how did the group manage to successfully target these two big publications and one of the most popular social networking services on the Internet?
The answer is that they did it through Melbourne IT, an Australian domain name registrar that counts the NYT and Twitter among its customers.
“The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems. The DNS records of several domain names on that reseller account were changed – including nytimes.com,” explained the registrar once it discovered what happened.
“Once Melbourne IT was notified, we changed the affected DNS records back to their previous value, locked the affected records from any further changes at the .com domain name registry, and changed the reseller credentials so no further changes can be made.”
“We have now identified that a targeted phishing attack was used to gain access to the credentials of users of a Melbourne IT reseller account. We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords. We have also temporarily suspended access to affected user accounts until passwords have been changed,” they also shared.
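The remediation Melbourne IT describes (restore the records, then lock them at the .com registry) suggests what a domain owner can monitor for on their own side. The following is an added example, not code from the article or from Melbourne IT: it compares a constructed snapshot of a domain's parent-zone delegation, apex A records and registry status codes against a known-good baseline and reports the kinds of drift a registrar-level hijack produces. Domain names, IPs and nameservers are constructed placeholders; the EPP status codes are the standard registry ones.

```python
"""Detect registrar-level DNS drift against a known-good baseline.

Snapshots are constructed for illustration. In practice the fields would be
filled from periodic WHOIS/RDAP lookups (status codes) and DNS queries sent
to the parent zone's servers (delegation) and to the domain's apex (A records).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainSnapshot:
    domain: str
    nameservers: frozenset   # NS delegation as published by the parent (.com) zone
    a_records: frozenset     # A records served for the apex name
    epp_status: frozenset    # registry status codes reported via WHOIS/RDAP


# Registry-side locks; "server*" codes can only be cleared by the registry,
# so a stolen registrar/reseller login alone cannot alter the delegation.
REQUIRED_LOCKS = frozenset(
    {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}
)

# Baseline captured while the domain is known to be healthy (constructed values).
BASELINE = DomainSnapshot(
    domain="example.com",
    nameservers=frozenset({"ns1.example.net", "ns2.example.net"}),
    a_records=frozenset({"192.0.2.10", "192.0.2.11"}),
    epp_status=REQUIRED_LOCKS | {"clientTransferProhibited"},
)


def check_snapshot(baseline: DomainSnapshot, current: DomainSnapshot) -> list[str]:
    """Return a list of findings; an empty list means no drift was detected."""
    if current.domain != baseline.domain:
        raise ValueError("snapshots describe different domains")
    findings: list[str] = []
    added_ns = current.nameservers - baseline.nameservers
    removed_ns = baseline.nameservers - current.nameservers
    if added_ns or removed_ns:
        findings.append(f"delegation changed: +{sorted(added_ns)} -{sorted(removed_ns)}")
    unexpected_a = current.a_records - baseline.a_records
    if unexpected_a:
        findings.append(f"unexpected apex A records: {sorted(unexpected_a)}")
    missing_locks = REQUIRED_LOCKS - current.epp_status
    if missing_locks:
        findings.append(f"registry locks missing: {sorted(missing_locks)}")
    return findings
```

Run it against a snapshot identical to the baseline and it returns no findings; against one whose delegation, addresses and lock status have all changed it returns three, which is the signature to page on rather than waiting for the defacement notice.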
“The attacks on Twitter and the Times seem like annoyances, but they are not. In part, they are further confirmation of the hacking prowess of the Syrian Electronic Army (SEA),” commented Kenneth Geers, Senior Global Threat Analyst at FireEye.
“This attack aligns with a theme that we see from the SEA — specifically, they appear to be going after media organizations’ ‘supply chains’, so to speak. Rather than attacking a large firm directly, SEA is opting to identify weaker links between the firm and other partnering organizations that they use for business operations. This is because the victim firm may not have as much control over the operational security employed by the partners, so the partners are an easier target to focus on.”
“This attack is quite similar to the Washington Post compromise by SEA; in that instance, SEA compromised a third-party ad network provider that does business with the Washington Post, which was the weak link in their supply chain. For NYTimes, it’s a different weak link, but the same concept applies.”
Sam Erdheim, Senior Security Strategist at AlgoSec, advised organizations that connect to partner networks to segment their own network and filter traffic more tightly to limit the exposure such attacks create.
“And while it seems less likely in this specific instance, as part of the incident response plan, organizations should make sure that in addition to bringing things back online and remediating the ‘loud’ threat that there is no ‘silent’ threat still lurking in the network and siphoning off valuable information,” he pointed out.
Judging by the tweets posted on the current Twitter account of the hacker group, these specific sites have been attacked “in the name of Syria and Bashar al Assad.”
Both Twitter and Huffington Post UK are back to their usual business, but the NYT site is still unavailable or difficult to reach – depending on when you try to access it.