New York Times hack linked to Australian internet company, Syrian Electronic Army fingered
Hacked: The New York Times website. Photo: Sari Dennise/Flickr
The New York Times, Twitter and the Huffington Post lost control of some of their websites after hackers supporting the Syrian government breached the Australian internet company that manages many major website addresses.
A "malicious external attack" on the reseller of internet company Melbourne IT saw the New York Times website go down for the second time in less than a month.
Attackers went through Melbourne IT, the New York Times' domain name registrar, early on Wednesday morning to access and modify the records for the newspaper's website. A domain name registrar is a company that manages internet domain names.
The New York Times said the registrar itself was attacked, with many pointing the finger at the hacker network Syrian Electronic Army.
But Melbourne IT said credentials of one of its resellers (the username and password) were used to access a reseller account on Melbourne IT's systems. The company had acted to fix the problem and change the reseller's credentials once it was aware of the attack. Resellers are the middlemen between the registrar and companies purchasing internet domains. They are responsible for updating and renewing clients' web records.
Melbourne IT chief executive Theo Hnarakis, who announced on Tuesday he would step down by the end of the year, told Fairfax Media he wasn't prepared to name the reseller but said it was based in the US.
"We're currently working with them to work out where the vulnerability is," he said. "We don't know if it happened through our systems or the reseller's systems."
He said he recommended as a standard practice that clients turn on registry "locks" for a small fee to prevent something similar from occurring. Locks are sold by domain registrars as an added security measure.
"We're talking about nickels and dimes compared to the value of the site," he said in terms of the cost.
"We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials," Melbourne IT spokesman Tony Smith told Fairfax. "We will share this information with the reseller and any relevant law enforcement bodies."
"We will also review additional layers of security that we can add to our reseller accounts," he added.
To prevent similar attacks, AusRegistry, another domain name registrar, recently launched a $1000-a-year service that locks down domain names so that their technical information cannot be changed. Called .AULockdown, it allows domain owners to bar automated changes to their domain at registrar level.
In a 2012 hacking incident, customer data from one of the servers Melbourne IT hosted for telco AAPT was stolen by hacking group Anonymous and published online, while the breach resulted in the company accidentally emailing 28,000 customers the details of other customers.
In addition to the New York Times, Melbourne IT has a number of other large clients, including Twitter and the AFL, which recently chose Melbourne IT to look after its application for owning the ".afl" domain suffix.
New York Times' chief information officer Marc Frons said the website outage was "the result of a malicious external attack by the Syrian Electronic Army, or someone trying very hard to be them". He also called for employees to be careful with their email communication during the attack.
A spokeswoman for the newspaper, Eileen Murphy, tweeted earlier that the "issue is most likely the result of a malicious external attack", based on an initial assessment.
re: http://t.co/BQE1fJ3uLx - initial assessment - issue is most likely result of malicious external attack. working to fix
Users started complaining of the website's outage about 3pm on Tuesday, US eastern time (5am Wednesday AEST).
About an hour later, the newspaper's main Twitter account said the website "is experiencing technical difficulties" but that news was still being published via Twitter and other links.
The New York Times Web site is experiencing technical difficulties. We are working on fully restoring the site.
Security researcher Matt Johansen of WhiteHat Security said in a tweet that the technical aspects of the website during the outage were pointing to Syrian Electronic Army, which has attacked several media organisations.
Darien Kindlund, manager of threat intelligence for cyber security firm FireEye, said the identity of the hackers could not be immediately confirmed but that the Syrian Electronic Army (SEA) was a likely suspect.
"However, it would not surprise us if it were the SEA – this would fit their motives," Kindlund said.
"The Times is the most popular news website in America – with 30 million unique visitors each month – so downing it could be a propaganda coup for SEA," Kenneth Geers, senior global threat analyst for FireEye, said.
Identifying the culprits behind internet attacks is often difficult because of the relative ease with which they can hide their address by routing traffic through a web of networks.
Tuesday's outage was intermittent, with some users not having any troubles accessing the website. That sort of disparity is sometimes associated with a distributed denial-of-service attack, in which a hacker uses virus-infected computers to overwhelm a website with visits. As the website tries to handle the huge demand, it denies some visitors immediate access.
Cyber security firms have long found that denial-of-service attacks are a show of power on the internet. Though relatively simple to execute, they remain difficult to defend against.
The attack on the Times' website comes two weeks after it went offline for several hours on August 14 due to what the newspaper described as an internal server problem.
Global hacking group Anonymous also tweeted on Wednesday morning that the Huffington Post's British website had been hacked by the Syrian Electronic Army.
The Syrian Electronic Army also claimed responsibility for hacking into Twitter's domain name registry records early on Wednesday, claiming that they now "owned" Twitter's domain. Melbourne IT is also the domain name registrar for Twitter.
According to Whois.com, the Syrian Electronic Army was listed on the entries for Twitter's administrative name, technical name and email address.
"It seems that their message is redirecting people back to their own website for news about the SEA or about Syria," said Jaeson Schultz, a Cisco systems researcher. "They don't seem to be interested in infecting end users, which is a good thing."
Hackers who successfully break into Melbourne IT's systems could potentially redirect and intercept emails sent to addresses under certain domains, security researchers said. Users of sites that don't begin with "https" could have been fooled into entering passwords that could have been captured, said Jaime Blasco, a researcher with security firm AlienVault.
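The registrar "locks" described earlier and the altered Whois entries seen on Twitter's domain are both things a domain owner can check for routinely. The following is an added example, not code from the article or from Melbourne IT: it parses a constructed WHOIS-style record, reports which EPP lock status codes are absent, and flags drift in name servers or contacts against a known-good baseline. The domain names, addresses and record text are all made up for the demo.

```python
# Added example, not from the article: audit a WHOIS-style record for the
# registrar/registry lock codes discussed above and for drift in name
# servers or contacts against a known-good baseline. All data is constructed.
EXPECTED_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited",
                  "serverUpdateProhibited", "serverTransferProhibited"}

def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into {statuses, nameservers, contacts}."""
    rec = {"statuses": set(), "nameservers": set(), "contacts": {}}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            continue
        if key == "domain status":
            rec["statuses"].add(value.split()[0])  # drop trailing ICANN URL
        elif key == "name server":
            rec["nameservers"].add(value.lower())
        elif key.endswith("email"):
            rec["contacts"][key] = value.lower()
    return rec

def audit(current, baseline):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    missing = EXPECTED_LOCKS - current["statuses"]
    if missing:  # without locks, any stolen reseller credential can edit the record
        findings.append("missing lock status: " + ", ".join(sorted(missing)))
    if current["nameservers"] != baseline["nameservers"]:
        findings.append("nameserver drift: %s -> %s" % (
            sorted(baseline["nameservers"]), sorted(current["nameservers"])))
    for k, v in baseline["contacts"].items():
        if current["contacts"].get(k) != v:
            findings.append(f"contact changed: {k} {v} -> {current['contacts'].get(k)}")
    return findings

BASELINE_WHOIS = """\
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-NEWS.TEST
Name Server: NS2.EXAMPLE-NEWS.TEST
Admin Email: hostmaster@example-news.test
Tech Email: hostmaster@example-news.test
"""
# Same constructed domain after an unauthorised edit: name servers and admin contact replaced.
HIJACKED_WHOIS = BASELINE_WHOIS.replace("EXAMPLE-NEWS.TEST", "REDIRECTED.INVALID") \
                               .replace("Admin Email: hostmaster@example-news.test",
                                        "Admin Email: takeover@redirected.invalid")

def run_demo():
    return audit(parse_whois(HIJACKED_WHOIS), parse_whois(BASELINE_WHOIS))

if __name__ == "__main__":
    for finding in run_demo():
        print("ALERT:", finding)
```

The baseline itself already trips the lock check, which mirrors the situation in the story: a transfer lock alone does not stop record updates made through a compromised reseller account.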
Because Melbourne IT serves as the registrar for some of the best known domain names on the internet, including Twitter, the breach could have had potentially catastrophic consequences.
"This could've been one of the biggest attacks we've ever seen, if they were more subtle and more efficient about it," said HD Moore, chief research officer at cyber security firm Rapid7. "They changed just a few sites, but if they had actually gone all out, they could've had most of the Internet watching them run the show."
Media companies, largely ignored by hackers until 2011, have since been increasingly targeted.
"As long as media organisations play a critical role as influencers and critics, they will continue to be targets of cyber attacks," said Michael Fey, chief technology officer at Intel's McAfee security division.
Earlier this month, hackers promoting the Syrian Electronic Army – a group that backs embattled President Bashar al-Assad – simultaneously targeted websites belonging to CNN, Time and the Washington Post by breaching a third party service used by those sites.
The Times said in January that hackers stole its corporate passwords and accessed the personal computers of 53 employees after the newspaper published a report on the family fortune of China's Premier Wen Jiabao.
Dow Jones chief executive Lex Fenwick tweeted that Times rival The Wall Street Journal would temporarily remove its paywall and the website would be "free to all for a few hours".