Melbourne IT, an Australian firm that allows website owners to buy addresses such as latimes.com, said the downtime suffered by the New York Times website Tuesday began when hackers gained access to the user name and password of one of the company's sales partners.
Using those reseller's credentials, hackers changed the records that tell computers around the world from where to download web pages when someone types NYTimes.com into an Internet browser.
[Updated, 8:27 a.m. Aug. 28: The U.S.-based sales partner’s credentials ended up in the hackers’ hands after a targeted phishing attack was directed at the firm’s staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.
“We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords,” Tonkin said in an email. “We have also temporarily suspended access to affected user accounts until passwords have been changed.”]
Late Tuesday, Melbourne IT spokesman Tony Smith said said the company was reviewing how to improve security.
"We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies," he added.
Smith recommended that "for mission critical (domain) names," domain-name owners use additional security features available from domain name registries that cost money but limit changes that can be made without extra authorization.
"Some of the domain names targeted on the reseller account had these lock features active and were thus not affected," Smith said.
The hacking group also appeared to have tried to redirect visitors of some Twitter services and Huffington Post U.K., but they didn't suffer easily visible outages.
Marc Frons, chief information officer for the New York Times Co., told the newspaper that he attributed the breach to “the Syrian Electronic Army or someone trying very hard to be them.” He warned company employees to refrain from sending sensitive email messages because the records changes made by the hackers could have allowed them to hijack emails.
The Syrian group did not immediately offer a reason for Tuesday’s attack, but it came as the White House debated how to respond to clear indications that the Syrian government launched a chemical attack on its civilians. Cybersecurity analysts said the incident highlighted the fact that every war will now have an online component.
"Website defacements ... are more about image and propaganda than anything else, but the ubiquity of the World Wide Web and the amplification power of computer networks guarantee that information operations are more important than ever," said Kenneth Geers, senior global threat analyst for the cybersecurity firm FireEye. He called the attack "a propaganda coup" for the Syrian Electronic Army that at least brought the hacking group free advertising.
Hackers have long defaced popular websites to direct attention to issues they consider important, but the number and intensity of the attacks continue to grow. The websites of the Washington Post, Financial Times, CNN and Time magazine have also been affected in recent months.
The NYTimes.com website was down for more than six hours. In the meantime, visitors saw either error messages or web pages created by the Syrian Electronic Army. The New York Times was able to get the redirection blocked by working with other Internet service providers. The company that hosts the website of the Syrian Electronic Army, for example, suspended the account.
Experts say these kind of disruptions are expected to continue.
“As long as media organizations play a critical role as influencers and critics, they will continue to be targets of cyber-attacks,” said Michael Fey, chief technology officer for computer security giant McAfee.
As news organizations have improved their own computer security, hackers have looked for weak spots at outside services the companies use.
Security analysts said other hackers, driven primarily by a desire to make money, may have used the sort of power they held while inside Melbourne IT's systems to send visitors to websites laden with computer viruses.
"It's what they could have done that really scares me," said HD Moore, chief research officer for cybersecurity firm Rapid7.
The New York Times suffered an hourlong outage earlier this month but attributed it to “technical difficulties” during a routine morning maintenance operation.