The NY Times experienced an outage today for the second time in two weeks. On August 14th, the cause was said to have been an internal issue. But today, the outage was characterized as something more malicious. And the Times may not be the only target, as it appears the Syrian Electronic Army may have compromised the registration records for the NY Times, Huffington Post UK and Twitter.

Eileen Murphy, VP of corporate communications at The New York Times, tweeted earlier that the outlet’s outage today was “most likely result of malicious external attack.”

Adrian Chen at Gawker posted that others noticed that, for a brief time, the NY Times site pointed to a Syrian Electronic Army domain and displayed a message that read, “Hacked by SEA.”

The New York Times is experiencing outages today, and the anonymous hacktivists of the Syrian Electronic Army may have been the culprit. Computer security expert Matt Johansen, manager for the Threat Research Center at WhiteHat Security, noticed that during the outage the New York Times’ website briefly pointed to a Syrian Electronic Army domain. (As of this writing, the domain has been fixed.)

Matt Johansen, head of the Threat Research Center at WhiteHat Security, offered clarification that the NY Times DNS appeared to have been pointing to an SEA name server.  He also noticed an issue with Twitter’s domain registration ownership.

Indeed, as I went to check on the Syrian Electronic Army’s Twitter account to see if they had claimed credit for the NY Times outage, there was a tweet that the Twitter domain registration ownership had been taken over by SEA.  It appears SEA may have been changing some WHOIS records.

Jaeson Schultz, whose bio says he does Threat Research Analysis and Communications work for Cisco Systems, tweeted that SEA appears as though it’s hosting new domains for the NY Times and Twitter on its IP.

And as I am still drafting this post, SEA just tweeted that “media is going down,” making references to the NY Times and the Huffington Post UK, as well as other Twitter domains.

Matthew Keys tweeted that Twitter is looking into the SEA’s claims.

All the details aren’t entirely clear yet, as this is still a developing story, but at this point, it appears the Syrian Electronic Army is certainly up to something.  Given that SEA is a pro-Assad group, such antics certainly wouldn’t be surprising with the latest controversy drawing criticisms against the Assad regime over alleged chemical attacks against the Syrian people.

SEA has had a history of targeting high profile Twitter accounts and social media accounts of media outlets, including those of Thomson Reuters, NPR, The Guardian, CBS, BBC, Reuters and Al-Arabiya, as well as the Financial Times, ITV News, The Onion and E!Online.

The situation is obviously a fluid one, so we’ll bring you updates if/as available.

UPDATES 8/27/2013 at 7:15pm ET:

Twitter issued the following statement:

At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored.  No Twitter user information was affected by this incident.

The NY Times said the issue was related to an attack on the company’s domain name registrar:

The New York Times Web site was unavailable to readers Tuesday afternoon after an online attack on the company’s domain name registrar, Melbourne IT. The attack also forced employees of The Times to stop sending out sensitive e-mails.

And NYT also indicated that the outlet issued a statement to employees:

Marc Frons, chief information officer for The New York Times Company, issued a statement at 4:20 p.m. warning employees that the disruption — which appeared to still be affecting the Web site more than two hours later — was the result of an external attack by “the Syrian Electronic Army or someone trying very hard to be them.” He advised employees to “be careful when sending e-mail communications until this situation is resolved.”

The domain name registrar may be a common denominator.

Additional information at TechCrunch, TheNextWeb and The Verge.

UPDATE 8:30pm ET:

Looks like SEA may be experiencing some problems of its own: “The domain name syrianelectronicarmy.com has been placed on registrar hold due to breaches of the Name.com registration agreement…”

And according to Matthew Keys, a SEA hacker confirmed Melbourne IT was compromised.

A hacker who goes by the name “The Shadow” confirmed to The Desk Tuesday evening that the group had compromised Melbourne IT, a service used by the NYTimes, Twitter and others to register web addresses.

UPDATE 9:10pm ET:

Melbourne IT says compromised login credentials of a reseller allowed the hackers to gain access.

From Financial Review, Melbourne IT attacked in NY Times, Twitter outage:

Australian web hosting firm Melbourne IT has confirmed an attack on its servers led to outages at the websites of The New York Times and Twitter overnight.

A spokesman for the Melbourne-based company said the login credentials of a reseller for the company had been compromised, allowing attackers to access servers and change key details that direct users to the correct websites.

[...]

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” they said.

“We will also review additional layers of security that we can add to our reseller accounts.”

There is a synopsis of all of the above in my Cyber Beat Daily column at Breitbart.

 