The NY Times experienced an outage today for the second time in two weeks. On August 14th, the issue was said to have been an internal issue. But today, the issue was characterized as something more malicious. And that may not be the only target, as it appears the Syrian Electronic Army may have compromised the registration records for the NY Times, Huffington Post UK and Twitter.
Eileen Murphy, VP of corporate communications at The New York Times, tweeted earlier that the outlet’s outage today was “most likely result of malicious external attack.”
re: http://t.co/BQE1fJ3uLx – initial assessment – issue is most likely result of malicious external attack. working to fix
— Eileen Murphy (@NYTeileen) August 27, 2013
Adrian Chen at Gawker posted that others noticed for a brief time, the NY Times site pointed to a Syrian Electronic Army domain and displayed a message that read, “Hacked by SEA.”
The New York Times is experiencing a outages today, and the anonymous hacktivists of the Syrian Electronic Army may have been the culprit. Computer security expert Matt Johansen, manager for the Threat Research Center at WhiteHat Security, noticed that during the outage that the New York Times’ website briefly pointed to a Syrian Electronic Army domain. (As of this writing, the domain has been fixed.)
Matt Johansen, head of the Threat Research Center at WhiteHat Security, offered clarification that the NY Times DNS appeared to have been pointing to an SEA name server. He also noticed an issue with Twitter’s domain registration ownership.
Just to clarify. NYTimes DNS was pointing to an SEA name server. Twitters domain registration ownership information seems compromised.
— Matt Jay (@mattjay) August 27, 2013
Indeed, as I went to check on the Syrian Electronic Army’s Twitter account to see if they had claimed credit for the NY Times outage, there was a tweet that the Twitter domain registration ownership had been taken over by SEA. It appears SEA may have been changing some WHOIS records.
Hi @Twitter, look at your domain, its owned by #SEA 🙂 http://t.co/ZMfpo1t3oG pic.twitter.com/ck7brWtUhK
— SyrianElectronicArmy (@Official_SEA16) August 27, 2013
Jaeson Schultz, whose bio says he does Threat Research Analysis and Communications work for Cisco Systems, tweeted that SEA appears as though it’s hosting new domains for the NY Times and Twitter on its IP.
Syrian Electronic Army now hosting new domains on their IP. Domains belong to @NyTimes and @Twitter. pic.twitter.com/htv6TLAxJv
— Jaeson Schultz (@jaesonschultz) August 27, 2013
And as I am still drafting this post, SEA just tweeted that “media is going down,” making references to the NY Times and the Huffington Post UK, as well as other Twitter domains.
Media is going down…. | http://t.co/Gd1zB70v0g | http://t.co/8NUe7Cs2jm | http://t.co/QDdNdEuuVX | http://t.co/W9nmxo95PQ
— SyrianElectronicArmy (@Official_SEA16) August 27, 2013
@Twitter, are you ready? #SEA pic.twitter.com/MfOSYCZXGV
— SyrianElectronicArmy (@Official_SEA16) August 27, 2013
Matthew Keys tweeted that Twitter is looking into the SEA’s claims.
Twitter "looking into" claims that Syrian Electronic Army changed domain registration records – http://t.co/qR91t7PnME
— Matthew Keys (@MatthewKeysLive) August 27, 2013
All the details aren’t entirely clear yet, as this is still a developing story, but at this point, it appears the Syrian Electronic Army is certainly up to something. Given that SEA is a pro-Assad group, such antics certainly wouldn’t be surprising with the latest controversy drawing criticisms against the Assad regime over alleged chemical attacks against the Syrian people.
SEA has had a history of targeting high profile Twitter accounts and social media accounts of media outlets, including those of Thomson Reuters, NPR, The Guardian, CBS, BBC, Reuters and Al-Arabiya, as well as the Financial Times, ITV News, The Onion and E!Online.
The situation is obviously a fluid one, so we’ll bring you updates if/as available.
UPDATES 8/27/2013 at 7:15pm ET:
Twitter issued the following statement:
At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.
The NY Times said the issue was related to an attack on the company’s domain name registrar:
The New York Times Web site was unavailable to readers Tuesday afternoon after an online attack on the company’s domain name registrar, Melbourne IT. The attack also forced employees of The Times to stop sending out sensitive e-mails.
And NYT also indicated that the outlet issued a statement to employees:
Marc Frons, chief information officer for The New York Times Company, issued a statement at 4:20 p.m. warning employees that the disruption — which appeared to still be affecting the Web site more than two hours later — was the result of an external attack by “the Syrian Electronic Army or someone trying very hard to be them.” He advised employees to “be careful when sending e-mail communications until this situation is resolved.”
The domain name registrar may be a common denominator.
Additional information at TechCrunch, TheNextWeb and The Verge.
UPDATE 8:30pm ET:
Looks like SEA may be experiencing some problems of its own: “The domain name syrianelectronicarmy.com has been placed on registrar hold due to breaches of the Name.com registration agreement…”
Sorry, Our website will not be available for the next few hours, http://t.co/QIpcpKdgYp suspended our account #SEA pic.twitter.com/i1N8K8Q8vP
— SyrianElectronicArmy (@Official_SEA16) August 28, 2013
And according to Matthew Keys, a SEA hacker confirmed Melbourne IT was compromised.
A hacker who goes by the name “The Shadow” confirmed to The Desk Tuesday evening that the group had compromised Melbourne IT, a serviced used by the NYTimes, Twitter and others to register web addresses.
UPDATE 9:10pm ET:
Melbourne IT says compromised login credentials of a reseller allowed the hackers to gain access.
From Financial Review, Melbourne IT attacked in NY Times, Twitter outage:
Australian web hosting firm Melbourne IT has confirmed an attack on its servers led to outages at the websites of The New York Times and Twitter overnight.
A spokesman for the Melbourne-based company said the login credentials of a reseller for the company had been compromised, allowing attackers to access servers and change key details that direct users to the correct websites.
[…]
“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” they said.
“We will also review additional layers of security that we can add to our reseller accounts.”
There is a synopsis of all of the above in my Cyber Beat Daily column at Breitbart.
DONATE
Donations tax deductible
to the full extent allowed by law.
Comments
The NYT and HuffPo hacked. Well, color me outraged.
Yeah.
Interesting that virtually all of the websites they hacked are left wing. Perhaps that says something about their veracity as to Syria. We certainly know about their (lack of) veracity regarding everything else.
The enemy of my enemy is my friend and life at times can make for some very odd bedfellows.
Presumably they believe their own propaganda, and think that they’re all Zionists.
I wish them luck.
Hackers hack Hacks
hmmmmmmm……….
I’ve never been convinced the persons involved with the SEA have anything to do with Syria. Once in a while they’ll drop something that appears to confirm that cover story but that is just distraction. The most likely scenario is that they’re here in the u.s., were very well educated in american schools and have multiple degrees in social engineering. The way some of these attacks happened they must have had people on the ground close to the victims.
SEA? Take the E and move it to the left. Rotate it 90 degrees clockwise and what does it spell? NSA……where is the foil?
Um, actually that would spell MSA.
This can’t be stopped except by applying pressure at the attacker. The internet is based on trust, a determined attacker could take anyone down, even Google.
If they really wanted to screw with the NY Times, they’d slip in quietly and post a news story that contained actual news.
They have security software that prevents that.