The intrusion, known as a Domain Name System attack, proved highly effective, limiting access to the Times’ news pages on the Internet for nearly 48 hours. Wednesday night, some readers still could not access the site.
Some users of Twitter, which was also attacked, continued to report problems seeing images, such as profile pictures, on the site Wednesday.
The cyberattacks were among the more sophisticated in a recent series of assaults on high-profile Western media organizations, including The Washington Post and the Associated Press. The Syrian Electronic Army has used these intrusions to broadcast its support of Syrian President Bashar al-Assad, although the group has never been found to have any official ties to his regime.
In targeting the Times, the hackers located a key vulnerability of the Web.
Nearly all servers that publish content to the Internet are identified by a numeric address. For example, the Times’ Web server is located at the address 188.8.131.52.
But remembering all those numbers is inconvenient. So in the 1980s, people developed the Domain Name System (DNS). It acts as a directory system, automatically translating familiar domain names into those numeric addresses. DNS is why you can type “www.washingtonpost.com” into your browser to reach The Washington Post’s Web site instead of having to use its numerical address, 184.108.40.206.
Firm’s records accessed
The attackers were able to disrupt the Web site by accessing the records of an Australian firm, Melbourne IT, which registers domain names, such as nytimes.com, and stores the directory records for those Web sites.
The hackers then altered the information on these records, which allowed them to prevent users from seeing the Times’ Web site. In some cases, users were also redirected to a page that had the Syrian Electronic Army’s logo.
Times spokeswoman Eileen Murphy confirmed that the attack on the newspaper’s Web site was the result of an “external attack on our domain name registrar.” In a statement to The Washington Post, Melbourne IT said that hackers were able to gain access to the Web pages by obtaining log-in credentials to a third-party company responsible for maintaining the records of Web sites.
Hackers, in the past, have obtained user names and passwords by “phishing,” or sending legitimate-looking e-mails that ask people to enter their log-in credentials. That appears to have happened in this case, according to Melbourne IT. While the company said that it has corrected the records and taken steps to prevent similar attacks in the future, it can take some time for the changes to take effect.
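As an added example that is not part of the article: the registrar-level tampering described above changes the delegation (NS) and address (A) records for a domain, so one defensive check is to compare what several resolvers actually return against a known-good baseline, which also shows why cached answers make a change (or its reversal) appear gradually. The domain names, addresses and resolver labels below are constructed placeholders, not the Times’ real records.

```python
# Added example, not from the article: a defender-side baseline check for
# registrar-level DNS tampering. Names, addresses and resolver labels are
# constructed placeholders (RFC 5737 documentation ranges, the .test TLD).

# Baseline the site owner expects: delegation (NS) and the web host (A).
EXPECTED = {
    ("example-news.test", "NS"): {"ns1.good-dns.test", "ns2.good-dns.test"},
    ("www.example-news.test", "A"): {"203.0.113.10"},
}

# Constructed `dig +short` style answers from two resolvers. "fresh" already
# serves the altered records; "cached" still holds the old answer because its
# TTL has not expired, which is why both the attack and the fix take time to
# show up everywhere.
OBSERVED = {
    "fresh": {
        "example-news.test NS": "ns1.evil-dns.test.\nns2.evil-dns.test.\n",
        "www.example-news.test A": "198.51.100.77\n",
    },
    "cached": {
        "example-news.test NS": "ns1.good-dns.test.\nns2.good-dns.test.\n",
        "www.example-news.test A": "203.0.113.10\n",
    },
}


def parse_short(output):
    """Normalise dig +short lines: drop blanks, trailing dots, and case."""
    return {ln.strip().rstrip(".").lower() for ln in output.splitlines() if ln.strip()}


def check_resolver(resolver, answers, expected=EXPECTED):
    """Return (resolver, name, rtype, unexpected, missing) for each drifted record."""
    findings = []
    for (name, rtype), want in expected.items():
        seen = parse_short(answers.get(f"{name} {rtype}", ""))
        extra, missing = seen - want, want - seen
        if extra or missing:
            findings.append((resolver, name, rtype, sorted(extra), sorted(missing)))
    return findings


def audit(observed=OBSERVED, expected=EXPECTED):
    """Run the baseline check against every resolver's answers."""
    return [f for r, a in observed.items() for f in check_resolver(r, a, expected)]


def resolvers_disagree(observed=OBSERVED):
    """True when resolvers return different answers for the same records: a
    change (legitimate or not) is still propagating and deserves a look."""
    views = [{k: frozenset(parse_short(v)) for k, v in a.items()} for a in observed.values()]
    return any(v != views[0] for v in views[1:])
```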
Sean Sullivan, a security adviser at F-Secure, which provides Web security, said hackers may be able to use DNS attacks to redirect users logging into something like a banking Web site to a false version of the company’s log-in screen and trick people into handing over their log-in and password information.
But, Sullivan noted, this might not be effective for large-scale attacks, and hackers would not be able to duplicate the appearance of a secure connection — the “https” that graces the front of nearly every Web address for a financial institution, and lets people know the site they’re on is secure.
Timo Hirvonen, a security analyst at F-Secure, said that anyone who gets sent to a fake page should get a notification by their browser that the site they’re visiting isn’t verified. Users, then, should pay close attention to make sure that they’re on an “https” site before entering sensitive information, he said.
But Kenneth Geers, a senior global threat researcher at the security firm FireEye, said DNS attacks are difficult to prevent. Web sites have a complex architecture that gives hackers many openings.
The extended cyberattacks “must be maddening for the New York Times and Twitter,” he said.