Syrian Electronic Army implicated in Twitter, New York Times attacks
The hacker group gets administrator privileges for Twitter's domain name record and also appears involved in a New York Times' Web site outage.
The Syrian Electronic Army apparently took control over the Twitter.com Web site address record Tuesday, the hacker group's latest attack on high-profile Internet sites.
The Twitter.com whois record, which lists the owner of the Web address names called domains, listed the owner's e-mail address as firstname.lastname@example.org. The site continued to function, however.
The New York Times' Web site went down on Tuesday afternoon, and the SEA is a suspect there, too. "Our initial assessment is that this is most likely the result of a malicious external attack," the Times said in a statement on Facebook. The Syrian Electronic Army is a suspect: Gawker published a screenshot of the newspaper's site that said, simply, "Hacked by SEA."
In an article, The New York Times said the problem occurred because of an attack on the domain name registrar it uses to keep control over the nytimes.com name.
"The New York Times Web site was unavailable to readers on Tuesday afternoon following an attack on the company's domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive e-mails," the story said. "The Syrian Electronic Army, a hacker collective that supports the Syrian president, Bashar al-Assad, is believed to have attacked the sites or social media accounts of several prominent media organizations."
A tweet by Twitter user Official_SEA16 said, "Hi @Twitter, look at your domain, its owned by #SEA :)" https://twitter.com/Official_SEA16/statuses/372462339456380928
SEA has found Twitter to be a fruitful avenue of attack. In recent months, it's taken over the Twitter feeds of, the , , and .
Twitter said in a statement that it had problems displaying images on its service when the attack rerouted image-serving requests to somebody else's server.
At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS [Domain Name Service] records for various organizations were modified, including one of Twitter's domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored. No Twitter user information was affected by this incident.
CNET contacted The New York Times for comment and will update this story with its response.
The New York Times posted links on Facebook to articles with hard-coded numeric Internet addresses rather than the "nytimes.com" domain. Here's a Times story saying U.S. military options for action in Syria, for example. That numeric addresses still work suggests that the problem is with the Times' Domain Name System (DNS) record, which tells Web browsers what numeric Internet address to use to use for human-readable addresses like "nytimes.com."
Indeed, according to DNS records published by security expert Brian Krebs, the New York Times Internet addresses redirected to sea.sy addresses.
Although the SEA didn't get control over Twitter's Domain Name Server listing, which would have allowed it to redirect Twitter.com Web site traffic to a server with an IP address of its own choosing, it did get control of a secondary server used for Twitter.com graphics.
"Oh yeah, look at that. twimg[dot]com DNS records changed to http://m.sea.sy/mob.sea.sy also," Krebs said, posting a screenshot of the record. The twimg.com address is used to host images on Twitter.
Update, 4:13 p.m.: Added more information about the attack on The New York Times and a statement from Twitter.