Several prominent media sites and a few media-related Twitter feeds went down Tuesday following an apparent attack by the Syrian Electronic Army (SEA), the New York Times reported. Among the sites affected were the NYT itself, the Washington Post, the Financial Times, NPR, and Twitter feeds for Reuters, the AP and BBC Weather.
The Syrian Electronic Army, a group of hackers that promotes the Assad regime in Syria, has also claimed responsibility for taking control of the media sites. Contemporaneous data from Internet registrars named the Syrian Electronic Army as the sites' administrator.
"Media is going down.... | http://t.co/Gd1zB70v0g | http://t.co/8NUe7Cs2jm | http://t.co/QDdNdEuuVX | http://t.co/W9nmxo95PQ" — SyrianElectronicArmy (@Official_SEA16), August 27, 2013
The NYT reported that its domain name registrar, Melbourne IT, was hacked as part of the attack.
“The credentials of a Melbourne IT reseller were used to access a reseller account on Melbourne IT’s systems,” said Tony Smith, general manager of corporate communications for Melbourne IT.
The DNS records of several domain names on that reseller account were changed, including nytimes.com. After they were notified of the hack, Melbourne IT changed the affected DNS records back to the previous values, locked the records against further manipulation and changed the reseller credentials to prevent further modifications. They have yet to confirm the identity of the hacker.
David Ulevitch, the founder and CEO of OpenDNS, a cloud-delivered Internet security network, said that the SEA appeared to have compromised the registrar's security, thereby gaining the ability to redirect domain names to anywhere they wanted.
Melbourne IT is the registrar for many prominent media sites, including Twitter and ShareThis. “ShareThis can be threatening because you can establish code that they could execute that would steal users’ passwords and compromise embedded posts,” Ulevitch said.
Upon finding out about the suspected hack, the NYT encouraged employees to stop sending emails in an effort to safeguard personal information.
OpenDNS was already blocking malicious Syrian Electronic Army IP addresses. OpenDNS users who tried to access the sites when they were first attacked would see a notification about malicious software, not because the New York Times was hosting malware, but because the IP address that was associated with the domain at the time was that of the SEA.
“We have moved to reset Twitter and the New York Times back to their settings even though the rest of the Internet hasn’t caught up yet,” Ulevitch said. NYT CTO Rajiv Pant encouraged readers who are having trouble reaching the site to use OpenDNS for now.
OpenDNS already boasts over 50 million users, and Ulevitch is anticipating an increase in users as a result of Tuesday’s massive hack.