It has been revealed that yesterday’s attack by the Syrian Electronic Army (SEA) on the New York Times and Twitter websites was in fact part of a higher-level attack on the domain registrar MelbourneIT – meaning the SEA controlled where visitors to the NYTimes, Twitter and Huffington Post sites were sent, and could redirect them to an SEA-controlled website.
What seems to have happened is that the SEA compromised MelbourneIT, gaining access to the registrar’s admin control panel. That allowed it to hijack entire websites simply by editing the DNS records the registrar holds for those domains, so that they pointed at SEA-controlled servers instead of the legitimate ones.
It also meant, obviously, that the New York Times was potentially not the only affected website – and AlienVault has compiled a list of domains that it found pointing to an SEA server. Apart from the NYT, the list includes twitter.co.uk, huffingtonpost.co.uk, sharethis.com and twimg.com.
With reference to the last of these, Twitter issued a service status report late yesterday: "At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident."
It appears that the attack was typical SEA hacktivism – the primary purpose to publicize its political support for the Bashar Al-Assad regime in Syria.
"There is no profit involved – however making all of us aware of the Syrian rebellion is their goal," explains Barry Shteiman, senior security strategist at Imperva. "The Syrian Electronic Army is very successful in creating the awareness that they are after."
However, this latest incident continues a trend towards more sophisticated and complex SEA operations. It was not that long ago that the SEA was simply hijacking Twitter accounts and posting pro-Assad tweets, often with a humorous element. More recently it hacked international communications services such as TrueCaller and Tango, which could potentially have given Syrian intelligence access to the communications of millions of people.
But hacking MelbourneIT is another level again.
Firstly, Matthew Prince at CloudFlare points out that "MelbourneIT has traditionally been known as one of the more secure registrars." Secondly, MelbourneIT did not seem able to regain control from the SEA immediately. The NYT reported this morning, "The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again." It added that Marc Frons, NYT’s CIO, suggested that the SEA’s earlier exploits, compared to this one, were "sort of like breaking into the local savings and loan versus breaking into Fort Knox."
The question now, given this new level of capability, is whether the SEA will remain relatively ‘harmless.’ It certainly has the potential to deliver serious criminal damage rather than ‘just’ propaganda. Jaime Blasco, director at AlienVault, explains the potential. "Hackers who successfully break into MelbourneIT’s systems (MelbourneIT serves as the registrar for some of the best known domain names on the internet, including Microsoft.com and Yahoo.com) could potentially redirect and intercept emails sent to addresses under certain domains. Users of sites that don’t begin with ‘https’ could have been fooled into entering passwords that could have been captured."
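A registrar-level compromise of the kind described above shows up first in the nameserver delegation, and the consequences Blasco lists (mail interception, credential capture on plain-HTTP sites) follow from altered MX and A records. One way a domain owner can catch such drift, given here as an added example that is not code from the article or from any of the organisations quoted in it, is to diff live records against a signed-off baseline and to check that the registrar locks are still in place. The domain names, addresses and status codes below are constructed for illustration; a real deployment would fill the observed snapshots from DNS and WHOIS/RDAP lookups.

```python
"""Registrar/DNS hijack drift detector (illustrative example; all data constructed)."""
from dataclasses import dataclass

# EPP status codes a registrar sets when a domain is locked. An attacker who
# controls the registrar's admin panel can clear the client* locks before
# editing records, so a missing lock is itself a finding (assumption: the
# baseline expects all three to be present).
REQUIRED_LOCKS = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})


@dataclass(frozen=True)
class DomainState:
    """One observation of a domain: who answers for it and where it points."""
    ns: frozenset          # nameserver hostnames (the delegation held at the registrar)
    a: frozenset           # IPv4 addresses of the apex / www host
    mx: frozenset          # mail exchanger hostnames
    epp_status: frozenset  # registrar lock status codes from WHOIS/RDAP


def audit_domain(name, baseline, observed):
    """Return (severity, message) findings for one domain, most severe first.

    Nameserver changes rank highest: once the registrar's NS delegation points
    at attacker-run nameservers, every other record (A, MX, TXT) is whatever
    the attacker says it is, regardless of what the real DNS provider serves.
    """
    findings = []
    if observed.ns != baseline.ns:
        findings.append(("critical", f"{name}: nameservers changed to "
                         f"{sorted(observed.ns)}; delegation hijacked at registrar"))
    if observed.mx != baseline.mx:
        findings.append(("high", f"{name}: MX changed to {sorted(observed.mx)}; "
                         "inbound mail can be intercepted"))
    if observed.a != baseline.a:
        findings.append(("high", f"{name}: A records changed to {sorted(observed.a)}; "
                         "web traffic redirected"))
    missing = REQUIRED_LOCKS - observed.epp_status
    if missing:
        findings.append(("medium", f"{name}: registrar locks missing: {sorted(missing)}"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: rank[f[0]])  # stable: NS before MX before A
    return findings


def audit_all(baselines, observations):
    """Audit every baselined domain; a domain with no observation is reported too."""
    report = {}
    for name, base in baselines.items():
        obs = observations.get(name)
        if obs is None:
            report[name] = [("critical", f"{name}: no resolution data collected")]
        else:
            report[name] = audit_domain(name, base, obs)
    return report


def hijacked_domains(report):
    """Names whose most severe finding is critical, sorted for stable output."""
    return sorted(n for n, f in report.items() if f and f[0][0] == "critical")


# Constructed sample data (hypothetical domains and RFC 5737 test addresses).
_GOOD_NS = frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"})
BASELINES = {
    "news.example": DomainState(ns=_GOOD_NS, a=frozenset({"192.0.2.10"}),
                                mx=frozenset({"mail.news.example"}),
                                epp_status=REQUIRED_LOCKS),
    "images.example": DomainState(ns=_GOOD_NS, a=frozenset({"192.0.2.20"}),
                                  mx=frozenset(), epp_status=REQUIRED_LOCKS),
    "cdn.example": DomainState(ns=_GOOD_NS, a=frozenset({"192.0.2.30"}),
                               mx=frozenset(), epp_status=REQUIRED_LOCKS),
}
OBSERVED = {
    # news.example: delegation, mail and web all moved and the locks cleared.
    "news.example": DomainState(ns=frozenset({"ns1.attacker.example",
                                              "ns2.attacker.example"}),
                                a=frozenset({"203.0.113.7"}),
                                mx=frozenset({"mail.attacker.example"}),
                                epp_status=frozenset()),
    # images.example: unchanged.
    "images.example": BASELINES["images.example"],
    # cdn.example: deliberately absent, as if the lookup timed out.
}

if __name__ == "__main__":
    for name, findings in audit_all(BASELINES, OBSERVED).items():
        for severity, msg in findings or [("ok", f"{name}: no drift")]:
            print(f"[{severity}] {msg}")
```

The NS comparison should be fed from the parent zone (the TLD's servers), not from a recursive resolver, because a resolver may still be caching the old delegation while the registrar record has already been changed; and the monitor must run from outside the path the hijacked domain controls, or its alerts can be swallowed along with everything else. Restoring the record is not the end of the incident either: as Twitter's status report above shows, the delegation can be rewritten again until the registrar account itself is secured.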
CloudFlare also comments, "Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected."
At a point in history where it seems increasingly possible, even likely, that the US and some European countries including the UK and France will use military force against the Assad regime in Syria, is the SEA escalating its own behaviour in step?