Twitter attacked by 'Iranian Cyber Army'

By Rosalie Marshall on Dec 21, 2009 10:40AM

In the spotlight

Announcing Pipeline 2025 tickets, theme & initial speakers

Australian MSP Index launched

End of Support for Windows 10: A guide for Channel Partners

Ingram Micro Ushers in the Age of Ultra

Twitter was hacked and defaced early this morning by a group calling itself the Iranian Cyber Army.

The Domain Name System hijack occurred at 6am GMT and locked users out of their accounts for more than two hours.

The message left by the hackers on the micro-blogging site appears to be from an Iranian group that is against US interference in the country's politics. The group also claims to support the party of Mir-Hossein Mousavi, which has challenged president Mahmoud Ahmadinejad's power and protested against his election in June.

The same hacking group has also attacked another web site, Mowjcamp.org, which has been supportive of the protests.

The background to the message is in black and red with a green flag, the colours connected to Mousavi.

Part of the message, which we quote verbatim, reads: "U.S.A. think they controlling and managing internet by their access, but they don't, we control and manage internet by our power, so do not try to stimulation Iranian peoples."

The US government interfered in Iran's politics using Twitter during the uprising by Mousavi supporters. At the time of the protests, the micro-blogging site was scheduled for maintenance and would have been inaccessible to all users. But the US intervened to ensure that protesters in Tehran could have their voices heard.

Twitter has responded to the hack and said that the site is now running normally.

"Twitter's DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully," said Twitter co-founder founder Biz Stone in a blog post.

Graham Cluley, senior technology consultant at security firm Sophos, said that there is no indication that the affected pages are carrying malicious code, and that the attack appears to be political rather than to steal confidential information from users.

Cluley explained that his biggest concern is how the hackers managed to change the DNS for Twitter.

"DNS records work like a telephone book, converting human-readable web site names like twitter.com into a sequence of numbers understandable by the internet," he said.

"What seems to have happened is that someone changed the lookup, so when you entered twitter.com into your browser you were instead taken to a web site that wasn't under Twitter's control. Just imagine if they had pointed people to a phishing site posing as Twitter.

"Could it be that cyber criminals managed to guess the passwords used to secure access to the information, and log in as though they were the administrators of Twitter's DNS records?"

Rik Ferguson, senior security advisor at internet security firm Trend Micro, added: "This attack is called pharming and mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there.

"Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place."