The New York Times’ website went down midafternoon Tuesday, marking the second time in August the Grey Lady has gone dark. While the company blamed the first outage on an “internal issue,” a company VP tweeted Tuesday that an “initial assessment” concluded the new outage, which was still plaguing the site as of Tuesday evening, was due to a “malicious external attack.” It didn’t take long for Twitter users to come to a consensus that the most likely culprit was the Syrian Electronic Army, or SEA, and soon enough the SEA claimed credit. But as more details emerge about the attack, it appears the SEA may be using more-sophisticated methods to wreak havoc online than was previously believed.
The SEA is a group of Internet users and computer hackers aligned with Syrian President Bashar Assad. They spend their time spreading pro-Assad propaganda on social media and targeting media outlets they consider enemies of the Syrian regime. It’s not clear if they operate from within Syria’s borders or from elsewhere. The SEA has taken credit for previous attacks against Twitter accounts of Thomson Reuters and several prominent journalists. Earlier this month, it successfully targeted Outbrain, a content-recommendation service used by the Washington Post, USA Today, CNN and TIME, among others. That attack allowed the SEA to temporarily disrupt the Washington Post’s website.
In the past, the group has most often used two methods of attack. First, it gains access to media outlets’ back-end systems or social-media accounts through so-called phishing attacks, in which an unsuspecting employee at an outlet or digital-service provider clicks a seemingly innocuous link in an e-mail or tweet and is typically led to a look-alike login page that captures the employee’s username and password; the SEA then simply logs in as that employee. Second, it uses Distributed Denial of Service (DDoS) attacks, which flood a particular server with bogus Web traffic in hopes of knocking it off-line. Neither method is hard to execute, and both are also used by the better-known hacker group Anonymous.
Despite the group’s claims of credit, it’s possible that the SEA was just boasting about its role in the Times’ outage. But it’s looking increasingly like they were in fact behind the attack, and its method looks more complicated than what it’s done in the past. The SEA stated that it manipulated the Times’ website’s Domain Name System (DNS) records. DNS is best thought of as a phone book for the Internet. When you type “nytimes.com” in your Internet browser, your computer checks those letters against a DNS server, which returns an Internet Protocol (IP) address, like 188.8.131.52. Your computer then connects you (hopefully) with what you understand to be the Times’ website. Domain registration is managed by third-party companies called registrars, which hold the record of which name servers answer for a domain; one of them may have been the hackers’ target. Repointing the Times’ registration would not let the hackers touch anything on the Times’ own servers, but it could send visitors to a server the hackers control, where they could display whatever they liked under the nytimes.com name, or to nowhere at all, leaving the site unreachable. (Update: The Times has reported that its domain-name registrar, Melbourne IT, was indeed attacked.)
As proof of its claims, the SEA linked to a domain-name-lookup service that showed www.nytimes.com’s domain registration had been compromised. Other services showed the Times’ registration as normal, casting doubt on the SEA’s statements, though such disagreement is expected while a change propagates: DNS answers are cached for the lifetime of their time-to-live value, so a lookup service holding a pre-change answer will keep reporting the old, normal records for hours after the registrar’s records were altered. However, the Times later quoted its own chief information officer as saying that the attack was conducted by “the Syrian Electronic Army or someone trying very hard to be them.” There’s also a clear motive: for pro-Assad hackers, going after a Western news website that’s reporting on Syria’s alleged chemical-weapons use makes sense. (The SEA also took credit for attacks on Twitter’s name servers as some users were reporting technical issues with the platform. Twitter later said, “DNS records for various organizations were modified.”)
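The two preceding paragraphs describe what a registrar-level DNS hijack looks like from the outside and why different lookup services can disagree about it. The following is an added example, not code from the Times, Melbourne IT or the SEA: a small monitoring check that compares what several recursive resolvers return for a domain against the owner’s known-good baseline, and classifies each resolver as reporting a repointed delegation, edited zone data, or a cached pre-change answer. Every domain name, IP address, name server and resolver answer in it is constructed for illustration (RFC 5737 documentation addresses, `example` names) and is not the real record set of nytimes.com; in a live deployment the answers would come from a resolver library or `dig` output rather than the inline list.

```python
"""Detect a hijacked domain delegation by comparing several resolvers'
answers against a known-good baseline.

Added example for this article; not code from the Times, Melbourne IT or
the SEA. All names, addresses and resolver answers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Answer:
    """What one recursive resolver returned for the zone: the NS set, the
    A records for the www host, and the remaining TTL it reported."""
    resolver: str
    ns: FrozenSet[str]
    a: FrozenSet[str]
    ttl_remaining: int


@dataclass(frozen=True)
class Finding:
    resolver: str
    kind: str      # "ns_changed", "a_changed" or "stale_cache"
    detail: str


def check_delegation(baseline_ns: Set[str], baseline_a: Set[str],
                     answers: Iterable[Answer]) -> List[Finding]:
    """Compare each resolver's answer to the known-good baseline.

    ns_changed:  the delegation itself was repointed, the change a registrar
                 account compromise produces; whatever A records the new name
                 servers hand out are attacker-controlled.
    a_changed:   NS unchanged but www resolves elsewhere (zone data edited).
    stale_cache: this resolver still matches the baseline while others do not;
                 it is serving a cached pre-change answer, so "looks normal
                 here" is not evidence that the records are intact.
    """
    answers = list(answers)
    base_ns, base_a = frozenset(baseline_ns), frozenset(baseline_a)
    tampered = [x for x in answers if x.ns != base_ns or x.a != base_a]
    findings: List[Finding] = []
    for ans in answers:
        if ans.ns != base_ns:
            findings.append(Finding(ans.resolver, "ns_changed",
                f"delegation now {sorted(ans.ns)}, expected {sorted(base_ns)}"))
        elif ans.a != base_a:
            findings.append(Finding(ans.resolver, "a_changed",
                f"www now {sorted(ans.a)}, expected {sorted(base_a)}"))
        elif tampered:
            findings.append(Finding(ans.resolver, "stale_cache",
                f"matches baseline but {len(tampered)} other resolver(s) "
                f"disagree; cached answer expires in {ans.ttl_remaining}s"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind; any ns_changed count is the alarm condition."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed baseline: what the domain's owner knows the records should be.
BASELINE_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
BASELINE_A = {"192.0.2.10", "192.0.2.11"}

# Constructed answers captured shortly after a registrar-level change:
# resolver-a still holds the old answer in cache, the other two have
# refreshed and now see the attacker's delegation.
HIJACKED_NS = frozenset({"ns1.attacker.example.", "ns2.attacker.example."})
SAMPLE_ANSWERS = [
    Answer("resolver-a", frozenset(BASELINE_NS), frozenset(BASELINE_A), 3100),
    Answer("resolver-b", HIJACKED_NS, frozenset({"203.0.113.66"}), 300),
    Answer("resolver-c", HIJACKED_NS, frozenset({"203.0.113.66"}), 280),
]


if __name__ == "__main__":
    for f in check_delegation(BASELINE_NS, BASELINE_A, SAMPLE_ANSWERS):
        print(f"[{f.kind}] {f.resolver}: {f.detail}")
```

The point of the `stale_cache` class is the one the article trips over: a lookup service that still shows the registration as normal is not a counter-indication until its cached answer has expired, so a check like this should query several resolvers and treat any `ns_changed` result as authoritative over the others.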
If the SEA did indeed attack the Times and other websites at the domain-registration level, that would represent a major step up in its hacking game, though not necessarily because it found a flaw in the DNS itself. The DNS is known to have vulnerabilities, and exploiting them is much harder than conducting a phishing attack or engaging in a DDoS attack; but an attacker who obtains the credentials for a registrar account can repoint a domain’s name servers through the registrar’s ordinary interface, with the same effect for visitors, and that is the path the Melbourne IT statement below describes. Either way, considering the Times chief information officer’s statement, the SEA appears to be more of an online threat than once believed.
Update: A Melbourne IT spokesperson told TIME via e-mail that “an account that held multiple domain names was accessed on Melbourne IT’s systems using a valid username and password for that account” and “the DNS records of several domain names on that account were changed.” The company is working to identify who changed the records.