Times, Twitter Attacks Raise New Alarms
Could DNS Attacks Hide More Nefarious Threats?As victims of cyber-attacks on their domain name systems providers on Aug. 27, The New York Times, Twitter and the Huffington Post UK may have opened themselves and their customers to more nefarious attacks, a leading IT security expert says.
"A lot of times people use DNS attacks and DDoS [distributed denial of service] attacks to overwhelm the defenders and force them to try to get their data back up the way it was," says Tom Kellerman, vice president for cybersecurity at IT security provider Trend Micro. "But in doing that, they're actually facilitating the lateral movement of the adversary to conduct something like a watering hole attack."
A watering hole attack allows a hacker to tie malware to content, so when users access an article from a newspaper website or clicks on a link in a social network feed, they'll unwittingly download malware.
"There's an implicit trust people put into the media and social networking portals like Twitter," Kellerman says. "And that reality - that implicit trust - can be undermined not just by redirecting traffic as we seen here."
A Twitter posting claimed to be from the Syrian Electronic Army (SEA) said, "Media is going down ..." That was followed by the listing of the URLs for The Times and the British version of the Huffington Post.
In another SEA posting, the group said: "Hi @Twitter, look at your domain, its owned by #SEA :)" and posted a screen shot of what appeared to be the search results for Twitter's domain registry on the domain name registration database, Whois.DomainTools.com.
Twitter late Tuesday issued a statement saying its "DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter's domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted." By Tuesday night, the statement says," the original domain record for twimg.com was restored. No Twitter user information was affected by this incident."
In a story posted on its website, the newspaper says the disruption was "the result of a malicious external attack" that also affected the sending of e-mail messages from the company's domain. The newspaper's CIO, Marc Frons, advised employees to "be careful when sending e-mail communications until this situation is resolved.
Frons says the attack was carried out by the Syrian Electronic Army, "or someone trying very hard to be them." The group attacked the company's domain name registrar, Melbourne IT. The website first went down after 3 p.m. ET on Aug. 27; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Frons said that "we believe that we are on the road to fixing the problem."
The Times bypassed the domain name registrar to restore service to readers by using a simple IP address: 170.149.168.130. According to the website Gizmodo, the IP address and content on the company's servers remain intact even though the domain name registrar is hijacked.
According to the Times, the Syrian Electronic Army is a group of hackers who support President Bashar al-Assad of Syria. A Twitter posting from Matt Johansen, head of the Threat Research Center at White Hat Security, said he was directed to a Syrian web domain when he tried to view the Times' website.
The Syrian Electronic Army appears to target media sites its members feel are biased against the Syrian government.
As a result of an apparent poison gas attack that killed hundreds of Syrian civilians last week, the Obama administration is pondering military intervention in Syria.