New York Times hacked, Syrian Electronic Army takes credit

Visitors to The New York Times website were greeted with blank browser screens for several hours on Tuesday, thanks to an attack claimed by the Syrian Electronic Army.

While the integrity of the Times’s website was not itself affected, those attempting to access that site through other servers around the world were redirected to Web addresses controlled by the SEA, several cybersecurity analysts told the Monitor.

At about the same time, Twitter and The Huffington Post UK edition were also the subject of cyberattacks apparently orchestrated by the SEA, according to Twitter accounts used by the SEA. Those attacks were confirmed separately by cybersecurity analysts contacted by the Monitor, who checked the SEA’s claims against Web addresses and Internet registrar sites.

Unlike the situation for the Times website, however, there were no immediately reported access problems for Twitter or Huffington Post users.

Analysts describe what happened to the Times as a DNS-type (or domain name system) attack. In such an attack, the website’s digital address is stolen from its rightful owner and then attached to a rogue site – in this case, the SEA home page, the analysts say.

“What The New York Times is trying to do is get their property back,” says John Bumgarner, a research director for the US Cyber Consequences Unit, a cybersecurity think tank. “Their website address was essentially stolen, hijacked away from them – and now The New York Times is scrambling to get full ownership back.”

It was the second time this month the Times site has gone down for an extended period, with the first time being attributed to internal technical server issues. Moreover, a hacker group also calling itself the Syrian Electronic Army claimed responsibility for a cyberattack that affected The Washington Post’s and CNN’s websites on Aug. 15.

The SEA is a political hacktivist group that has the backing of Syrian President Bashar al-Assad.

The New York Times confirmed that its site was unavailable to readers on Tuesday afternoon following a hacking attack on the company’s domain name registrar, Melbourne IT. Times employees were required not to send any sensitive e-mails.

“Marc Frons, chief information officer for The New York Times Company, issued a statement at 4:20 p.m. warning employees that the disruption – which appeared to still be affecting the Web site more than two hours later – was the result of an external attack by ‘the Syrian Electronic Army or someone trying very hard to be them,’ ” the Times reported. “He advised employees to ‘be careful when sending e-mail communications until this situation is resolved.”

Most would-be viewers to the Times website, however, did not end up at the SEA website. Access to that site was apparently cut off by browser companies trying to assist the Times, some analysts suggested.

The way DNS works is that whenever a computer contacts a domain name like nytimes.com, it first has to contact its DNS server. The DNS server responds with one or more IP addresses where that computer can reach nytimes.com. Then the computer can connect to the Times website through that numerical IP address.

Put another way, DNS changes people-readable addresses like nytimes.com into computer-readable IP addresses like “170.149.168.130.”

Just on Monday, visitors to Google’s Web page in the Palestinian territories – Google.ps – would have been redirected. Even though Google’s own service was not hacked, the DNS for the website was hijacked – by political hacktivists apparently protesting the labeling of some territory as Israeli on Google Maps. The attack was similar to the DNS hijacking of the Times website address, cybersecurity experts say.

“While the [Google] attack wasn't major, nor did it affect Google's own services, I think it highlights a serious issue in Internet infrastructure,” says Rodrigo Bijou, an independent cybersecurity consultant. “Major brands across all sectors need to secure domain names in foreign countries, and often the security of DNS registries is quite poor....  This was a basic protest attack by hacktivists, but more malicious actors could do the same with more serious consequences.”

Some analysts suggested that the attack on the Times might be a particularly dangerous variety called “DNS cache poisoning” or “DNS spoofing.” This exploits vulnerabilities in the DNS to redirect Internet traffic away from legitimate servers and toward fake sites.

One reason DNS poisoning is hazardous, Mr. Bijou and others say, is because it can spread from one DNS server to another around the world. One such DNS poisoning in 2010 resulted in the “Great Firewall of China” temporarily widening far beyond China’s borders.

However, other experts said that while there were signs of a DNS hijacking on Tuesday, the dangerous cache poisoning was not occurring. Also, there was no evidence of a suspected secondary distributed denial of service attack on the Times, according to experts at Arbor Networks in Burlington, Mass. A DDoS attack bombards a site with data to overwhelm servers and block user access.

"There has been no evidence of a DDoS attack being involved with the ongoing attacks against the New York Times,” said Dan Holden, Arbor Networks director of security research, in a statement. “There has also been no evidence of cache-poisoning being involved in this attack. This appears to be the latest in an ongoing series of registrar compromises.”

Wherever possible, he noted, organizations should ensure that their service providers adequately protect their DNS infrastructure from attack.

“We continue to see DNS infrastructure leveraged as a weak link and jumping off point for attacks,” he said.