A hacking attack launched by the Syrian Electronic Army may have targeted the New York Times and other U.S. media companies, but the weak link was Melbourne IT (MLB:AU), a domain registrar that directs Internet traffic to the companies’ servers. How can an assault on an obscure Australian Web-services provider lead to a more than 20-hour disruption at the Times’ website?
Melbourne IT and other companies like it occupy a central space in the day-to-day workings of the Internet. When a person or company buys a domain name—something catchy, like nytimes.com—that human-friendly designation is assigned an IP address, which serves as the real hosting location of the website. For the New York Times, that IP address looks like this: http://18.104.22.168. (Click the numerical link, and you’ll find the Times’ website alive and well.)
Registrars such as Melbourne IT help direct the traffic from people typing in the URLs, saving us the trouble of remembering those clunky IP numbers. According to CloudFlare, a security firm working with the Times that posted a detailed description of Tuesday’s attack, Melbourne, which has a reputation for better-than-average security, is the sixth-largest domain registrar in the world with about 2.5 million registered domains. (GoDaddy is the dominant player among registrars—its 25 million domains give it a 31 percent market share.) Melbourne IT hasn’t responded to a request for comment.
The attackers infiltrated Melbourne IT’s systems and changed the server location linked to nytimes.com, “effectively hijacking the site,” as CloudFlare explained. For a short period, some people trying to read the latest news found themselves instead on another website containing malware. CloudFlare worked with the registrar maintaining the name server used by the attackers to shut it down—a move that kept people from ending up on an infected site but didn’t fix the primary problem knocking out the Times. Since Tuesday evening, the newspaper has been directing readers to news.nytco.com, a version of its mobile site.
The Syrian Electronic Army also claimed credit for similar attacks on Melbourne IT clients Twitter and the Huffington Post, also through the registrar’s own system. But those sites stayed largely functional. A server on which Twitter keeps images was taken down, but the company’s main website stayed up. According to CloudFlare, Twitter fared better because it had a registry lock in place, preventing Melbourne IT from making automatic changes to its registration. It’s not completely clear how the attackers breached Melbourne IT’s system. As CloudFlare explained:
“An e-mail that MelbourneIT just sent to all its customers appears to indicate that the hackers somehow used a reseller account as part of the hack. While we are only speculating at this point, it’s possible that there was a security vulnerability in the reseller interface that allowed a privilege escalation to take over control of other MelbourneIT customers.”
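The registry lock and the name-server change described above can both be watched for from the domain owner's side. The following is an added example, not code from the article or from CloudFlare: it audits an RDAP domain record for the registry-set lock statuses and for drift from an expected name-server set. The sample records, the `audit_domain` helper and the `example.*` host names are constructed for illustration.

```python
import json

# Statuses set by the registry rather than the registrar; together they are
# what is commonly called a registry lock (RDAP spellings per RFC 8056).
REGISTRY_LOCK = {"server update prohibited", "server transfer prohibited",
                 "server delete prohibited"}

def _norm(host):
    """Normalise a host name for comparison (case, trailing dot)."""
    return host.rstrip(".").lower()

def audit_domain(rdap, expected_ns):
    """Return a list of findings for one RDAP domain object."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    missing = REGISTRY_LOCK - status
    if missing:
        findings.append("registry lock incomplete, missing: "
                        + ", ".join(sorted(missing)))
    seen = {_norm(ns["ldhName"]) for ns in rdap.get("nameservers", [])}
    expected = {_norm(n) for n in expected_ns}
    for ns in sorted(seen - expected):
        findings.append("unexpected name server: " + ns)
    for ns in sorted(expected - seen):
        findings.append("expected name server absent: " + ns)
    return findings

# Constructed sample data: a baseline and two RDAP responses for one domain.
EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]
LOCKED = json.loads("""{"ldhName": "example.com",
  "status": ["server update prohibited", "server transfer prohibited",
             "server delete prohibited", "client transfer prohibited"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET."},
                  {"ldhName": "ns2.example.net"}]}""")
REDIRECTED = json.loads("""{"ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "nameservers": [{"ldhName": "ns1.rogue.example"},
                  {"ldhName": "ns2.rogue.example"}]}""")

if __name__ == "__main__":
    for label, record in (("locked", LOCKED), ("redirected", REDIRECTED)):
        print(label, audit_domain(record, EXPECTED_NS) or "OK")
```

Run on a schedule against the registry's RDAP output, a check like this flags a changed delegation even when the registrar's own control panel was the point of compromise.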
The attack is a fresh reminder of how much all companies that rely on websites are vulnerable to the failings of other companies. “You have a huge supply chain here,” said Kenneth Geers, a researcher with FireEye, a security company. “If an attacker does their homework, then they can find the weak link in the chain and go after someone directly.”
Even before it became the center of one of the more spectacular hacking attacks in recent memory, Melbourne IT was having an eventful day. Hours before the attack began, its chief executive said he was stepping down. And almost 24 hours after the Times first went down, a small taunt still remains on a page on Melbourne IT’s own website, which now appears as a plain white page with a small message: “Hacked by SEA, Your servers security is very weak.”