
Hacker group takes responsibility for DNS attack on major media sites

"Media is going down..."

That's what the Syrian Electronic Army (SEA) tweeted Tuesday, as the pro-Assad hacker collective announced that domains belonging to The New York Times, Huffington Post U.K., and Twitter had been compromised. It appears the hackers were able to change registry information and modify the DNS records for the companies, according to Whois records (screenshot below).

Security researchers studying the attack believe it was directed at Melbourne IT, an Australian web and email hosting company that provides services for the media sites, in addition to other big-name companies such as Microsoft and Yahoo.

HD Moore, chief research officer at vulnerability management company Rapid7 and chief architect of the Metasploit framework, told SCMagazine on Tuesday that Melbourne IT is the "one common factor" that ties all of these sites together.

There are a couple of ways the attackers could have compromised Melbourne IT's servers to pull off the DNS hacks, Moore said. But it's most likely they registered their own domain with the registrar and "found a way to reset passwords or jump over and take over other accounts," he said.

The ability to redirect the domains to any site of their choosing is just one of the things Moore said an attacker could do with these kinds of privileges, so he recommended that people "don't use [Melbourne IT] sites for a couple of hours" and await direction from officials as more information becomes available.

Christina Thiry, a spokeswoman at Twitter, emailed SCMagazine.com on Tuesday and said that the company was investigating the incident.

The company is now confirming the incident was malicious in nature, according to a statement posted online.

A New York Times spokesperson did not immediately respond to SCMagazine.com for comment, but a story posted on the Times website indicates that Melbourne IT has been affected and acknowledges that SEA is taking responsibility for the attack.

Melbourne IT is an Australia-based domain name registrar that also offers a host of services, including website design, hosting, email, cloud computing and online marketing, according to its website. Founded in 1996, the company has six locations throughout Australia, New Zealand and the U.S. and earned more than $170 million in revenue last year. Melbourne IT's customer base consists of more than 400,000 clients.

Representatives at Melbourne IT and Huffington Post U.K. did not immediately respond to SCMagazine.com for comment.

Everything started coming to a head at some point after 4 p.m. EST, when users who visited the Times site saw a message that read, "Hacked by SEA." The website seemed to be back up before long, but has been experiencing sporadic downtime.
