28 Aug 2013

Syrian Electronic Army pulls off ‘Fort Knox’ hack

Pro-Assad hackers take the New York Times offline and disrupt Twitter. Experts say they could have carried out one of the biggest cyberattacks ever seen.

New York Times office (Reuters)

The Syrian Electronic Army (SEA) claimed responsibility for an attack on the New York Times website which took the newspaper’s website out of action for several hours on Tuesday, with users seeing nothing but error messages.

NYTimes.com redirected visitors to a server controlled by the group before it went down.

The anonymous hackers warned “Media is going down…” in a Twitter message before the site went down. The Syrian Electronic Army also said it had taken over Twitter and the Huffington Post UK.

At one point Twitter’s whois record listed the owner of the website’s email address as sea@sea.sy, but the changes did not appear to seriously affect the social media site.

But there appeared to be little disruption to other sites. Twitter said in a blog post: “It appears DNS (domain name system) records for various organizations were modified, including one of Twitter’s domains used for image serving, Twimg.com. Viewing of images and photos was sporadically impacted.”

Analysts said the sophisticated hack got to the target websites through Melbourne IT, the Australian registrar for well-known domain names like Microsoft.com and Yahoo.com. The impact could have been enormous.

Jaeson Schultz, a Cisco Systems researcher, said the SEA hackers listed themselves as the contact for all of Twitter.com, which would have given them the power to take the site offline or place their own content there.

This could’ve been one of the biggest attacks we’ve ever seen, if they were more subtle and more efficient about it. HD Moore

HD Moore, chief research officer at security firm Rapid7 said: “This could’ve been one of the biggest attacks we’ve ever seen, if they were more subtle and more efficient about it.

“They changed just a few sites, but if they had actually gone all out, they could’ve had most of the Internet watching them run the show.”

Marc Frons, chief information officer at The New York Times, said: “In terms of the sophistication of the attack, this is a big deal. It’s sort of like breaking into the local savings and loan versus breaking into Fort Knox.

“A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of websites.”

A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of websites. Marc Frons

A hacker using a known SEA email address told the Associated Press: “We did hit Melbourne IT.”

Computer forensics from security firm Renesys Corp traced the hack to the same internet protocol addresses used by the SEA website sea.sy, which has been hosted from Russia since June.

Syrian Electronic Army Twitter feed

Sophisticated hack

Melbourne IT said two staff members at a US-based domain agent opened a fake email asking for their login details during the last week.

One staff member was the direct manager of the NYTimes domain, along with other media companies and had the login and password information of the company in his email, which the hackers accessed.

Theo Hnarakis, chief executive of Melbourne IT, said: “This activist group used a very, very sophisticated spear phishing attack.

“They sent very dubious emails to staff of one of our resellers whose area of expertise is looking after the domain names for major corporates including the New York Times.

“Unfortunately, a couple of the staff members of the reseller responded by giving their email log-in details. The group were able to search their emails for sensitive information that included the user name and password for the New York Times, and from there it all cascades.

“We don’t put this down to a technical failure. We put it down to human error where someone has inadvertently provided their information and from there, a major a site like the New York Times was down for several hours.”

Mr Hnarakis confirmed that other media organisations were also attacked, but the hack was foiled by a “registry lock”, an additional security measure which the New York Times had decided not to use.

Melbourne IT’s chief technology officer Bruce Tonkin said: “If they had had the security option turned on, they wouldn’t have been affected.

“We do have a security mechanism that would protect the names from this sort of attack. Naturally, we are reviewing security and doing an incident review and will probably add some additional security.”

Other analysts said the SEA used a technique called “DNS hijacking”, where hackers gain control of numerical IP addresses so they can redirect users trying to access the New York Times or Twitter to a rogue server.

Such attacks can be extremely effective, as they bypass a website’s internal security systems, but they are preventable if web administrators meticulously check all code coming into their site from third parties.

Campaign of cyberattacks

A website bearing the SEA name first appeared in 2011, within weeks of the outbreak of the Syrian civil war.

While the group supports the rule of President Bashar al-Assad, it claims it is not affiliated to the Syrian government.

But Assad acknowledged the work of the hackers in a speech in June 2011, when he said: “There is the electronic army, which has been a real army in virtual reality.”

In recent months the SEA has claimed responsibility for attacks on Channel 4 News, the New York Times, CNN, Time, the Washington Post, CBS News, Al-Jazeera English and the BBC.

A false tweet about a bomb attack on US President Barack Obama posted by hackers on the Associated Press Twitter feed caused the Dow Jones share index to lose $140 billion in 90 seconds earlier this year.

The group appears to target media organisations who have written negative stories about the Assad regime. The hackers have posted pro-Assad messages and stories on media sites as well as redirecting users to their own website for news about Syria.

The New York Times quickly set up alternative websites on Tuesday and continued to post stories about the Assad regime launching chemical attacks in Syria. “Not Easy to Hide a Chemical Attack, Experts Say,” was the headline of one. The main website was back up by Wednesday morning.

Michael Fey, chief technology officer at cybersecurity firm McAfee, said: “Regardless of technology or tactics deployed, we should expect to see more of these attacks.”

Anti-war message

On its Twitter feed, the SEA said: “The @nytimes attack was going to deliver an anti-war message but our server couldn’t last for 3 minutes.”

The group posted a link to the “anti-war” statement, which denied that the Assad regime was responsible for last week’s apparent nerve gas attack on rebel-held suburbs of Damascus.

The statement says: “A few days ago, these powers conspired to frame the army as if it was using chemical weapons when it was advancing and winning against their al-Qaeda tools.

“The Syrian army, which has lost tens of thousands of soldiers who were defending their homeland with nothing more than a rifle, would never have been the one to use chemical weapons.”

It goes on: “Have you not seen this movie before? Do you not remember Colin Powell’s dodgy WMD dossier? Do you not see that Cameron is a clone of Blair? And Obama is a clone of Bush, with a different shade? The world must not make this mistake again, for Syria is not Iraq.”