No Proof Of Malware In New York Times DNS Hijacking Attack
Dropping malware isn’t the usual M.O. for The Syrian Electronic Army (SEA): the pro-Assad hacktivist group is best known for loudly spreading its message–or even fake news–via hijacked high-profile websites and Twitter accounts of media and other organizations, not amassing bots or infecting machines. So when some security experts yesterday reported that malware may have been embedded in the Web pages the attackers redirected The New York Times website to, it signalled a possible shift in strategy by the group.
There is still no official confirmation yet whether the pages were infected, but security researchers at OpenDNS and AlienVault Labs say they did not see malware on the pages SEA used to redirect New York Times website traffic. The New York Times, meanwhile, has not yet ruled it out: in an email response today asking whether the newspaper could confirm that malware was present or not, a spokesperson for The New York Times said: “At this point, we are still investigating.”
[The Syrian Electronic Army (SEA)’s hijacking of the Internet domains of The New York Times, two Twitter services, and The Huffington Post’s UK site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the methd and mission were much more simple and straightforward. See Syrian Electronic Army Strikes Again In ‘Modern-Day Defacement’.]
Matthew Prince, co-founder and CEO of CloudFlare, says there was some initial confusion yesterday as security experts worked via teleconference to investigate the attacks. The IP addresses used by SEA in the redirects were ones that were notorious for malware, which led to a misunderstanding that there was definitely malware on the pages. Prince and others on the call initially understood that OpenDNS had seen malware on the pages, which he clarified in an update late yesterday to his blog post detailing the genesis of the attacks.
It turned out that no one on the call had actually scanned for malware on the pages, so Prince says he updated his post to reflect the lack of malware evidence at this point. “There’d been malware on those IPs before, [but I’m] not sure whether there was at the time,” Prince says.
As his updated post explains: “Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed. (Earlier, this read: “…discovered what appeared to be malware on the site to which the NYTimes.com site was redirected.” The confusion was that the IP range contained malware and phishing according to scans run by OpenDNS. I misinterpreted that to mean that there was malware on the site itself.).”
Now that the dust has settled, security experts are more skeptical that the SEA used malware in the attacks.
“It seems like serving malware would be counter to their message,” says HD Moore, chief research officer at Rapid7 and creator of Metasploit. Moore says he had heard malware was present and he had seen a screenshot of the page, but had no evidence or logs to confirm it was serving up malware.
Adam Meyers, director of intelligence with CrowdStrike, says he has yet to see any evidence of malware. “I have yet to see a single hash or even a copy of the malware, so I’m unable to verify it,” he says. Delivering malware would have been uncharacteristic of the SEA, he says, which is better know for its defacements, pro-Assad messaging, and “rabble-rousing” such as when it recently hacked the AP’s Twitter account and posted a phony tweet that the White House had been bombed.
Another researcher, Paul Ferguson, doesn’t believe that the redirected NYT pages were infected with malware. “It could have been a lot worse if that had been the case … we’ve seen that happen before in domain hijackings,” says Ferguson, who is vice president of threat intelligence for Internet Identity.
The SEA sent a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which hosts The New York Times and many other high-profile domains, and gained the hacktivist group credentials to alter the newspaper’s DNS records and redirect traffic to their own servers for several hours Tuesday evening.
Meanwhile, Melbourne IT today responded to a press inquiry for more details on the attack. “Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” a spokesperson said in a email statement.
Bruce Tonkin, chief strategy officer for Melbourne IT, said in an email response today that the attackers logged into a reseller account at Melbourne IT to change the DNS name server records of nytimes.com and twimg.com, Twitter’s image domain. The attacker also obtained credentials that allowed him or her to log into the reseller account directly via the .co.uk registry, leading to the huffingtonpost.co.uk and twitter.co.uk DNS record compromises, Tonkin says. “We didn’t have a record of this on our systems, but the .co.uk registry was able to confirm the changes were made at the registry. Reseller staff did use our systems to restore the names at the .co.uk registry.”
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.