How the Syrian Electronic Army took out the New York Times and Twitter sites

The short, snappy answer is: "All too easily." Here's how it appears to have happened.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Once more, the Syrian Electronic Army (SEA), a pro-Syrian strongman Bashar al-Assad organization, has struck on the internet.

This time, SEA hit The New York Times (NYT), Twitter, and other popular sites. Unlike previous attacks that relied on phishing attacks to gain password information from the target site's authorized users, SEA is using the weak security of the internet's master address book, the Domain Name System (DNS), to re-route internet traffic from its real destination to SEA-controlled sites.


What the SEA did was mindlessly simple. It simply compromised Melbourne IT, an Australian DNS register reseller, with a phishing attack. Once it had its hands on the reseller's credentials, the group simply logged in and changed the NYT and Twitter domain name records — that is, their addresses as far as your web browser and other internet programs are concerned.

A website's real address is usually an IPv4 (Internet Protocol version 4) numeric address, such as, which is an NYT address. Since people aren't likely to remember an address like that, or the even longer addresses used by IPv6, the next generation of IP addresses, DNS translates the IP addresses into human-readable ones, such as zdnet.com.

Tony Smith, Melbourne IT's general manager of corporate communications, admitted, "The DNS records of several domain names on that reseller account were changed, including nytimes.com."

Once this was done, these bogus IP addresses spread from one DNS server to another. The result was that over an approximately 24-hour period, the bad addresses spread throughout much of the world. This ensured that users went to fake websites instead of the real ones.

In the event, this part of the SEA's scheme failed. As the group tweeted, "The @nytimes attack was going to deliver an anti-war message but our server couldn't last for 3 minutes." These servers appear to be located in Russia, which is Syria's most important ally.

At this point, you might be asking yourself, "How could an Australian DNS reseller possibly change the DNS records for the NYT around the world?" The answer is: Easily.

DNS was never designed with security in mind. While some weaknesses, such as DNS cache poisoning, are being repaired with new programs such as Domain Name System Security Extensions (DNSSEC), others are still there.

Matthew Prince, CEO of CloudFlare, a web performance and security company, explained what happened in this case: After the hacked reseller account was used to change the IP addresses, the bogus addresses were automatically sent all the way up to the top-level domain (TLD) and then down to most of the other DNS services.

Fortunately, the problem was spotted quickly. The NYT, CloudFlare, OpenDNS, and Google started researching the problem, and tracked it back to Melbourne IT.

From where CloudFlare sits, and subsequent problems with Melbourne IT, it appears that SEA "hackers gained access to Melbourne IT's administrative control panel". From there, it was easy to change the DNS addresses.

It was simple because, as with most DNS providers and for most DNS records, there is no real security on DNS addresses. If someone comes along with what appears to be the right level of security, there's no double-checking to make sure that you are indeed the CTO of the NYT or Twitter or his or her authorized representative.

In short, if you break into a domain registry with the right login ID and password, you don't need to break into the site itself. You control where any visitors will go, while all the time they'll think they're going to the real site.

This is even more troubling because, as Prince wrote, "This was a very spooky attack. Melbourne IT is known for having higher security than most registrars."

So, what can you do? Some DNS resolver sites, such as OpenDNS, have a list of bad IP addresses and domain names, and automatically block "all requests that are coming from the known bad name servers."

That may help users, but what about companies and groups that don't want their site addresses hijacked in the first place? Prince said, "There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically."

Domain registrars don't like to do this. They would prefer to make it easy for you to update, change, and renew your site without involving any time-consuming manual steps. "However," said Prince, "if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not — and Twitter.com has a registry lock in place."

Not sure if you do? Run a whois query against your domain. If it includes the following three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited, then you have a registry lock in place.

If you have reason to believe that your site may be at risk, call up your domain registrar and insist on getting your domain name locked down. If you don't, you're in danger of, at the very least, having your site down for a few hours, or, at the most, having your online reputation ruined and your customers buried in malware.

Related stories:

Editorial standards