Baidu DNS records hijacked by Iranian Cyber Army

Earlier today, the DNS records of China's most popular search engine Baidu were hijacked by a group known as the "Iranian Cyber Army", and the portal redirected to a web server featuring a message "protesting the military intervention of foreign and Israeli sites in our internal affairs division and distribution of false news".

The DNS hijacking appears to have taken place using the same social engineering elements used in the DNS hijacking of Twitter.com in December, 2009, again orchestrated by the same hacking group.

However, what the "Iranian Cyber Army" wasn't fully aware of, is the fallout of hijacking the DNS records of China's largest search engine - in this case the response of a highly developed collectivist hacking community (Honker Union For China), which has already started to hack and deface Iranian web sites.

"China's largest search engine, Baidu.com, confirmed Tuesday its website had been temporarily paralyzed after coming under cyber-attack, and an expert on network security warned major websites of domain name server (DNS)protection against hackers. Baidu.com resumed operation at 11:30 a.m. after being down for three and a half hours. The company said later in a statement that Baidu's DNS in the United States was illegally attacked, without giving more information.

Wang Zhantao, an expert with Beijing Rising International Software Co. Ltd., said hackers were increasingly getting used to attacking domain name servers of major websites because they were a chink in cyber security systems. "Many websites like Baidu have almost perfect inner security system, but their DNS security is up to domain name registers," Wang said."

How did the "Iranian Cyber Army" do it? By successfully social engineering the domain registrar, or the domain registrant in this case a Baidu employee with access to the control panel, the attackers were able to direct the traffic to any location of their choice.

The same tactic used in some of the most notable DNS hijackings that took place over the past two years, proving that an old-fashioned attack vector in cases where the attacker cannot compromise the site itself, remains fully working.

Ironically, in June 2009, Twitter which had its DNS records hijacked by the "Iranian Cyber Army", played a key role in helping the Iranian opposition organize a crowdsourcing DDoS (Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites), which managed to shut down key government web sites without the reliance on any botnet.

• Go through related DNS hijacking incidents: Comcast's DNS records hijacked, redirect to hacked page (2008); How was Comcast.net hijacked? (2008); Photobucket's DNS records hijacked by Turkish hacking group (2008); ICANN and IANA's domains hijacked by Turkish hacking group (2009); Hackers hijack DNS records of high profile New Zealand sites (2009)

The response from a well known Chinese hacktivist group, the Honker Union of China, came shortly with an ongoing campaign to hack and deface Iranian web sites in order to "let the world hear the voice of China" and "defend the country's dignity across the world".

Just like we've already seen the tactic used in 2008's "Coordinated Russia vs Georgia cyber attack in progress", the Chinese hacktivists are already distributing a list consisting of high-profile Iran government web sites as a potential targets.

Next -->

The exact messages found on six currently defaced web sites (ksh-behzisty.gov .ir; iribu .ir; diabetes .ir; room98 .ir; irun .ir; behdasht.gov .ir) :

• I'm very sorry for this Testing! Because of this morning your Iranian Cyber Army Maybe you haven't konw this thing! This morning your Iranian Cyber Army intrusion our baidu.com So i'm very unfortunate for you Please tell your so-called Iranian Cyber Army Don't intrusion chinese website about The United States authorities to intervene the internal affairs of Iran's response This is a warning! Khack by toutian...from...Honker Union For China
• Rini Ma Iranian chicken child, the small A coming, Iranian chicken child, your mother in Iraq for a P, go back to Iraq, your mother, he committed me, "Baidu," I f*** you mother QQ409882525
• {We are Chinese hackers} {Chinese people are hacking} {The Chinese are a bad bully, small JB Iran}

Related screenshots from the defaced sites in response to the DNS hijacking of Baidu.com:

The DNS hijacking affected the site for a period of three and a half hours, which according to Xinhua news agency results in the longest downtime period since December 2006.

Interestingly, several questions remain unanswered. For instance, just because a hacking group describes itself as the "Iranian Cyber Army", writes in Farsi and leaves propaganda messages, does it automatically mean that the group is indeed of Iranian origin?

And even if it is, how long before the world starts taking seriously a group describing itself as "North Korea's Cyber Army", as a government-funded hacking team, the implications of which could be pretty serious on an international level?

What do you think? Talkback.