Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Baidu DNS records hijacked by Iranian Cyber Army

By | January 12, 2010, 12:55pm PST

Summary: The DNS records of China’s most popular search engine Baidu were hijacked earlier today by a group known as the “Iranian Cyber Army”. In response, Chinese hacktivists have already started to attack Iranian web sites.

Earlier today, the DNS records of China’s most popular search engine Baidu were hijacked by a group known as the “Iranian Cyber Army”, and the portal was redirected to a web server featuring a message “protesting the military intervention of foreign and Israeli sites in our internal affairs division and distribution of false news”.

The DNS hijacking appears to have taken place using the same social engineering elements used in the DNS hijacking of Twitter.com in December, 2009, again orchestrated by the same hacking group.

However, what the “Iranian Cyber Army” did not fully anticipate was the fallout of hijacking the DNS records of China’s largest search engine: in this case, the response of a highly developed collectivist hacking community (Honker Union for China), which has already started to hack and deface Iranian web sites.

“China’s largest search engine, Baidu.com, confirmed Tuesday its website had been temporarily paralyzed after coming under cyber-attack, and an expert on network security warned major websites of domain name server (DNS) protection against hackers. Baidu.com resumed operation at 11:30 a.m. after being down for three and a half hours. The company said later in a statement that Baidu’s DNS in the United States was illegally attacked, without giving more information.

Wang Zhantao, an expert with Beijing Rising International Software Co. Ltd., said hackers were increasingly getting used to attacking domain name servers of major websites because they were a chink in cyber security systems. “Many websites like Baidu have almost perfect inner security system, but their DNS security is up to domain name registers,” Wang said.”

How did the “Iranian Cyber Army” do it? By successfully social engineering the domain registrar, or the domain registrant (in this case a Baidu employee with access to the control panel), the attackers were able to direct the traffic to any location of their choice.

The same tactic was used in some of the most notable DNS hijackings of the past two years, proving that this old-fashioned attack vector remains fully effective in cases where the attacker cannot compromise the site itself.
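The defensive lesson of the paragraphs above is that a registrar-level hijack leaves the web servers untouched and shows up only as a change in the zone's delegation or address records. The following is an added example (not code from the article or from Baidu) of a baseline check that catches exactly that: it compares a fresh snapshot of a domain's NS and A records against a known-good baseline and flags nameservers that moved or addresses that left the organization's own address space. The domain, nameserver names, addresses and network ranges are constructed sample values.

```python
"""Flag unexpected changes to a domain's NS and A records.

Added example: a baseline comparison that surfaces registrar-level
DNS hijacks. All names and addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """NS and A records observed for one domain at one point in time."""
    domain: str
    ns: frozenset
    a: frozenset


def _norm_name(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot only marks an absolute name,
    # so normalise both before comparing, otherwise harmless differences raise alerts.
    return name.strip().lower().rstrip(".")


def make_snapshot(domain, ns_records, a_records) -> DnsSnapshot:
    """Build a normalised snapshot; invalid IP strings raise ValueError."""
    return DnsSnapshot(
        domain=_norm_name(domain),
        ns=frozenset(_norm_name(n) for n in ns_records),
        a=frozenset(str(ipaddress.ip_address(ip)) for ip in a_records),
    )


def detect_hijack(baseline: DnsSnapshot, observed: DnsSnapshot, expected_nets):
    """Return a list of (severity, message) findings; an empty list means no deviation.

    expected_nets: CIDR blocks the organisation legitimately serves from.
    """
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []

    # A changed NS set hands control of the whole zone to whoever runs the new servers,
    # which is what a registrar-account takeover looks like from the outside.
    added_ns = observed.ns - baseline.ns
    removed_ns = baseline.ns - observed.ns
    if added_ns or removed_ns:
        findings.append(("high", f"NS set changed: +{sorted(added_ns)} -{sorted(removed_ns)}"))

    # New A records inside known address space may be a legitimate move;
    # new records outside it are the classic redirect to an attacker-controlled host.
    for ip in sorted(observed.a - baseline.a):
        inside = any(ipaddress.ip_address(ip) in net for net in nets)
        if inside:
            findings.append(("medium", f"new A record {ip}"))
        else:
            findings.append(("high", f"new A record {ip} outside expected address space"))
    for ip in sorted(baseline.a - observed.a):
        findings.append(("medium", f"A record {ip} no longer served"))
    return findings


def worst_severity(findings) -> str:
    """Collapse findings to a single level for alert routing."""
    levels = {sev for sev, _ in findings}
    if "high" in levels:
        return "high"
    if "medium" in levels:
        return "medium"
    return "none"


# Constructed sample data (not real records for any organisation).
EXPECTED_NETS = ["192.0.2.0/24"]
BASELINE = make_snapshot(
    "example.com",
    ["NS1.Example-Registrar.NET.", "ns2.example-registrar.net"],
    ["192.0.2.10", "192.0.2.11"],
)
# Same records, different case, order and trailing dots: must produce no findings.
BENIGN = make_snapshot(
    "EXAMPLE.COM.",
    ["ns2.example-registrar.net.", "ns1.example-registrar.net"],
    ["192.0.2.11", "192.0.2.10"],
)
# Delegation moved to foreign nameservers and traffic sent to an outside host.
HIJACKED = make_snapshot(
    "example.com",
    ["ns1.attacker.example", "ns2.attacker.example"],
    ["198.51.100.7"],
)
# Ordinary re-addressing within the organisation's own block.
MOVED = make_snapshot("example.com", list(BASELINE.ns), ["192.0.2.12"])

if __name__ == "__main__":
    for label, snap in (("benign", BENIGN), ("hijacked", HIJACKED), ("moved", MOVED)):
        found = detect_hijack(BASELINE, snap, EXPECTED_NETS)
        print(f"{label}: {worst_severity(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

In a real deployment the observed snapshot would be populated by querying the parent zone and the authoritative servers directly (for example with dnspython's `dns.resolver.resolve`) rather than a caching resolver, and the check would run on a schedule short enough that a redirect is noticed in minutes rather than the three and a half hours quoted above.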

Ironically, in June 2009 Twitter, whose DNS records were later hijacked by the “Iranian Cyber Army”, played a key role in helping the Iranian opposition organize a crowdsourced DDoS (Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites), which managed to shut down key government web sites without relying on any botnet.

The response from a well known Chinese hacktivist group, the Honker Union of China, came shortly afterwards in the form of an ongoing campaign to hack and deface Iranian web sites in order to “let the world hear the voice of China” and “defend the country’s dignity across the world”.

Just as we saw in 2008’s “Coordinated Russia vs Georgia cyber attack in progress”, the Chinese hacktivists are already distributing a list of high-profile Iranian government web sites as potential targets.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



RE: Baidu DNS records hijacked by Iranian Cyber Army
efsane Updated - 8th Apr 2011
Great!!! thanks for sharing this information to us!
sesli sohbet sesli chat
0 Votes
Well done!
whitenight2010 12th Jan 2010
Teach Chinese that hacking will destroy them!
0 Votes
So much for Iran being their ally.
HypnoToad72 14th Jan 2010
n/t
0 Votes
