(Removes incorrect reference to microsoft.com and yahoo.com as
MelbourneIT customers in 19th paragraph)
By Gerry Shih and Joseph Menn
SAN FRANCISCO Aug 28 Media companies, including
the New York Times, Twitter and the Huffington Post,
lost control of some of their websites Tuesday after hackers
supporting the Syrian government breached the Australian
Internet company that manages many major site addresses.
The Syrian Electronic Army (SEA), a hacker group that has
attacked media organizations it considers hostile to Syrian
President Bashar al-Assad, claimed credit for the Twitter and
Huffington Post hacks in a series of Twitter messages.
Security experts said electronic records showed that
NYTimes.com, the only site with an hours-long outage,
redirected visitors to a server controlled by the Syrian group
before it went dark.
New York Times Co spokeswoman Eileen Murphy tweeted the
"issue is most likely the result of a malicious external
attack," based on an initial assessment.
The Huffington Post attack was limited to the blogging
platform's British web address. Twitter said the hack led to
availability issues for 90 minutes but that no user information
The attacks came as the Obama administration considers
taking military action against the Syrian government, engaged in
a civil war against rebels for more than two years.
In August, hackers promoting the Syrian Electronic Army
targeted websites belonging to CNN, Time and the Washington Post
by breaching a third party service used by those sites.
The SEA managed to gain control of the sites by penetrating
MelbourneIT, an Australian Internet service provider that sells
and manages domain names including Twitter.com and NYTimes.
The New York Times, which identified MelbourneIT as its
domain name registrar and the main hacking victim, told
employees not to send sensitive emails from corporate accounts.
MelbourneIT tracked the breach to an Indian Internet service
provider, saying two staff members from one of their resellers
opened a fake email seeking login details.
"The SEA went after the company specifically to create a
high-profile event," CEO Theo Hnarakis told Reuters. "This was
quite a sophisticated attack."
One staff member was the direct manager of the NYTimes
domain along with other media companies and had the login and
password information of the company in his email, which the
Hnarakis confirmed that other media organizations were also
attacked, but this proved unsuccessful as their customers used a
secondary security measure known as a registry lock.
MelbourneIT said it restored the correct domain name
settings, changed the password on the compromised account, and
locked the records to prevent further alterations.
Twitter did not respond to requests for comment. In a blog
post, the company said "it appears DNS (domain name system)
records for various organizations were modified, including one
of Twitter's domains used for image serving, Twimg.com. Viewing
of images and photos was sporadically impacted."
HACKERS LIMITED TARGETS, SAY EXPERTS
Jaeson Schultz, a Cisco Systems researcher, said that in the
authoritative records known as WHOIS the Syrian Electronic Army
listed itself as the contact for all of Twitter.com, which would
have given it the power to take the site offline or place its
own content there.
"It seems that their message is redirecting people back to
their own website for news about the SEA or about Syria,"
Schultz said. "They don't seem to be interested in infecting end
users, which is a good thing."
Hackers who successfully break into MelbourneIT's systems
could potentially redirect and intercept emails sent to
addresses under certain domains, researchers said. And users of
sites that do not begin with "https" could have been fooled into
entering passwords that could have been captured, said Jaime
Blasco, a researcher with security firm AlienVault.
Because MelbourneIT serves as the registrar for some of the
best known domain names on the Internet, Tuesday's breach could
have had potentially catastrophic consequences.
"This could've been one of the biggest attacks we've ever
seen, if they were more subtle and more efficient about it,"
said HD Moore, the chief research officer at Rapid7, a cyber
security firm. "They changed just a few sites, but if they had
actually gone all out, they could've had most of the Internet
watching them run the show."
Media companies, largely ignored by hackers until 2011, have
since been targeted by pranksters and suspected Chinese agents,
as well as partisans in the Middle East.
(Additional reporting by Michael Sin in Sydney; Editing by
Michael Perry, Eric Walsh, Ron Popeski and Phil Berlowitz)