Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

NY Times Caught In Syrian Hacker Attack

Hacks amount to "warning shots," threatening more widespread cyberattacks should the U.S. and allies launch military campaign against Syria, warns security expert.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The Syrian Electronic Army (SEA) Tuesday hacked nine websites, including The New York Times, Twitter and Twitter's image service Twimg. Some visitors to the affected sites were redirected to hacker-controlled servers that attempted to launch drive-by malware attacks.

Throughout Tuesday and into Wednesday, many of the hacked sites remained unavailable or intermittently accessible, as a battle unfolded between hackers and site owners, with each attempting to wrest control from the other by adjusting the domain name system (DNS) settings for the hacked sites. Website disruptions varied geographically, complicated by DNS registries in different parts of the world receiving updates at different intervals.

The affected domain names were all registered through Australia-based Melbourne IT, which confirmed Wednesday that its systems had been compromised by hackers. The company said Wednesday that it had restored the hacked DNS credentials, locked those records to prevent further changes, disabled the legitimate account credentials that hackers had used to access its systems, and continued to investigate the intrusion.

The hack attacks come as the United States and its allies -- including the Arab League, Australia, Britain, France, Italy, Saudi Arabia and Turkey -- debate launching a military intervention in Syria in response to a large-scale chemical attack last Wednesday in the suburbs of Damascus. The attack, which killed hundreds of people, has been attributed to the regime of Syrian President Bashar al-Assad, although the government has denied that allegation.

[ What caused last week's stock exchange outage? Read Nasdaq Outage Explored: 7 Facts. ]

Sean Sullivan, security advisor at F-Secure Labs, said the SEA's Tuesday hacks amounted to online "warning shots" directed at the United States. "Bottom line: if the United States launches a cruise missile at Syria ... there will definitely be a 'cyber' response," he tweeted Wednesday.

The SEA has previously hacked media outlets' websites and Twitter feeds for advancing what it sees as a negative view of the Syrian regime. Victims have included the Associated Press, CBS News, NPR, the BBC and satire site The Onion.

As of Wednesday morning, the SEA's own website remained unavailable, suggesting that it was the focus of a distributed denial of service attack.

The first signs of the SEA's Tuesday DNS hack campaign appeared when the Times website became unreachable. Shortly thereafter, Times spokeswoman Eileen Murphy said in a tweet that the website disruption "is most likely result of malicious external attack." The Times later released more details, although as of Wednesday morning its site -- and that article -- remained largely unreachable.

The Times website's DNS settings as well as some registration details were compromised by hackers Tuesday, with the "admin name" altered to read "SEA," address changed to "Syrian Arab Republic" and email changed to "[email protected]" Connecting directly to one of the Apache servers used by the Times returned a message that read "Hacked by SEA" before the connection was closed, the SANS Institute reported Tuesday.

The SEA Tuesday also claimed credit for the attacks via Twitter. "Hi @Twitter, look at your domain, its owned by #SEA :)" read one tweet, which linked to Whois details for the Twitter domain listing "SEA SEA" as the admin name. After compromising the DNS settings of the various websites, the SEA rerouted some website visitors to hacker-controlled servers, and may have also intercepted email and traffic heading to and from the affected domains. "All three domains use Melbourne IT as their domain registrar. Once access to the registrar is obtained, the SEA can redirect all DNS, email and Web traffic going to these sites to a server of their choosing," HD Moore, chief research officer at Rapid7, told Threatpost.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
8/28/2013 | 4:23:24 PM
re: NY Times Caught In Syrian Hacker Attack
Why isn't locking the default for any DNS entry? Or at the very least, shouldn't there be a check in place requiring two signoffs?
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
8/29/2013 | 2:34:42 AM
re: NY Times Caught In Syrian Hacker Attack
That would require work on the part of the registrar.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
8/29/2013 | 5:55:15 PM
re: NY Times Caught In Syrian Hacker Attack
So is cleaning up this mess - do you think there will be changes made by registrars as a result? Or, that at least customers should demand checks on their entries?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13777
PUBLISHED: 2020-06-04
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.