The New York Times came back online after a hack of Internet registrar MelbourneIT allowed the Syrian Electronic Army to compromise the newspaper's website.
The site was still experiencing intermittent connection issues, though. For those unable to access NYTimes.com, the paper is also publishing stories on news.nytco.com.
In a blog post explaining the hack, Matthew Prince, CEO of security firm CloudFlare, categorised it as a "very spooky attack" since "MelbourneIT is known for having higher security than most registrars."
In a note to customers posted on the CloudFlare blog, MelbourneIT said the username and password of a company reseller was accessed and used to change the DNS records of several domain names. MelbourneIT's blog is currently offline, after reportedly being hacked by the SEA, the group said on its Twitter feed.
As CloudFlare explained, website owners purchase and manage domains through organisations known as registrars like MelbourneIT, which also handles Twitter and The Huffington Post.
"When you visit NYTimes.com your browser looks up the domain against the Internet's DNS network. The first step in that request is a query to a recursive DNS provider," Prince wrote.
"Recursive DNS providers follow the DNS chain, starting at the root, then the TLD registry, then ultimately to whatever is listed as the authoritative name server for the domain," he continued. "In order to lighten the load upstream, recursive DNS providers cache results for a limited period of time known as a TTL. Compromising any step in the DNS chain would allow an attacker to take over some or all traffic destined for a site. That's exactly what happened today."
Technical teams from CloudFlare, OpenDNS and Google, meanwhile, found malware on the site to which the NYTimes.com site was redirected. In searching for other domains that had been altered by the SEA, the team found updates to records for Twitter and the Huffington Post. "These organizations also used MelbourneIT, suggesting that the compromise was more than just the NYT's account," Prince said.
Prince said CloudFlare does not yet have details about exactly how the hack was accomplished. For the most part, the SEA has focused on phishing schemes - sending emails with links that redirect to sites that request log-in information for familiar sites like Gmail. The sites are dummy sites, however, and people are simply handing over their email usernames and passwords to the SEA.
The organisation has used this information to hack into email accounts, find log-in information for things like Twitter accounts, and deface those accounts. It's unclear if a similar tactic was used here; the SEA has not elaborated on its methods.
Twitter.com remained online during the attack, though the UK version remained inaccessible for a time. Some users had trouble loading images, however, a problem that seems to have persisted. The SEA tweeted that it "placed twitter in darkness as a sign of respect for all the dead #Syria-ns due to the lies tweeted it."
The Syrian Electronic Army emerged in September. The hackers reportedly started attacking Western websites in retaliation for Innocence of Muslims, an anti-Islamic video that resulted in violent demonstrations in the Middle East. They have since been targeting news sites they believe are reporting news hostile to the Syrian government, including the Financial Times, The Guardian, the BBC, Reuters and even The Onion. Chat apps like Tango and Viber were also attacked.
Image credit: Flickr (Bernard Bujold-)