The Syrian Electronic Army — widely suspected of being comprised of pro-Syrian government hacktivists — on Tuesday hijacked The New York Times’ website and briefly took over Twitter’s domain name system servers.
The SEA’s main motive is to gain visibility for its cause, said Jaeson Schultz, a Cisco threat research engineer.
“They have claimed on their website that the portrayal of events in Syria, especially by Western media, is inaccurate,” Schultz told TechNewsWorld.
The SEA on Wednesday tweeted that its website and domain had been taken down.
It could be that the SEA is trying to intimidate the NYT into changing how it covers the Syrian civil war, or “The New York Times was a convenient target of protest against the U.S. as a whole,” speculated Randy Abrams, a research director at NSS Labs.
“The other compelling angle is that it is strongly positive publicity in terms of garnering support from, and assuming a position of perceived authority among, those who are enemies of the U.S.,” Abrams told TechNewsWorld.
An antiwar message put up on Pastebin, allegedly by the SEA, states that for the last three years, “we have faced a fierce proxy war led by the gulf oil sheikhdoms and their masters in the white house.”
It dismisses as lies U.S. claims that Syrian President Assad’s regime used chemical weapons, and hints that the conflict might spread to the world at large.
How the Hack Occurred
Melbourne IT, The New York Times’ domain registrar, said the hackers got into its systems by spearphishing — sending specially crafted emails — some employees at one of its U.S.-based domain agents, or resellers.
The employees provided their email log-in details and things went downhill from there.
“Typically, the SEA uses spearphishing attacks to gain access to email in-boxes of their targets,” Cisco’s Schultz said.
The attack on Twitter essentially failed because that company had paid extra for a secondary security feature offered by Melbourne IT, AP reported. The NYT did not subscribe to that feature, which would have protected it, Melbourne IT Chief Technology Officer Bruce Tonkin reportedly said.
The attacks apparently were first discovered by security researcher Nick Semenkovich, whose Twitter account carries a chronology of the attacks as they occurred in near real time.
Open Doors Lead to Security Flaws
This is the latest attack on the media by the group, which emerged during the first uprisings in Syria in 2011.
The Guardian, the Associated Press news service and the Financial Times, whose site was hacked in May, are among the recent victims.
The media is a relatively easy target because its goal “is to disseminate information, not contain it,” NSS Labs’ Abrams pointed out. “The [media’s] investment in digital security is probably far lower than in companies that stand to lose intellectual property or secrecy.”
Further, media organizations exist in a fast-paced 24/7 news cycle world, and their employees are not experts in computer security, Cisco’s Schultz remarked. “This creates a perfect setting for miscreants who use spearphishing to steal credentials and other information.”
However, spearphishing is effective against other targets too. Thirty-three percent of Fortune 500 executives fall for phishing attacks, according to Wombat Security Technologies.
The Wolf at the Door
“Everyone is a target,” Alex Barsamian, lead developer at FlowTraq, told TechNewsWorld. “No industry is immune to becoming a target to hacker groups like SEA.”
There is no technological fix behind what happened, nor is there a real failure as such, Barsamian contended.
“In this instance, the failure was on the part of the phisher’s marks,” he continued. “What’s unsettling is that someone with the keys to such a big kingdom was apparently tricked by the emails in the first place.”
The takeaway appears to be that organizations need to train staff about the social engineering threat and take a holistic view of IT security. They should also pay heed to their security professionals’ suggestions and use penetration testing as a proactive measure.