As has been widely publicized, yesterday, August 27, a group claiming to be the Syrian Electronic Army (SEA) hacked into the MelbourneIT registrar and gained access to the registrar account of some very important clients including Twitter and the New York Times. DomainTools got some free publicity out of that as the initial announcement by the perpetrators used a DomainTools Whois record screenshot as evidence of the compromise. People (including many journalists) have been asking us what we know about the incident and, specifically, if the SEA did indeed get control of those domains. So we wanted to clear a few things up.
As is clear now, MelbourneIT was hacked and they have admitted as much. The whois records for several very well known media sites were altered, and repaired, intra-day yesterday. Changing whois records indicates the SEA gained some level of access at the registrar, but it doesn’t necessarily mean an intruder can carry out more damaging activity such as transferring the domain away or changing the nameservers. Indeed, a number of the domains had registry lock provisions that prevented nameserver changes. The bottom line is that the SEA had very real access to a number of valuable accounts at MelbourneIT, but the true risk depended on the levels of security implemented by the account holder at both the registrar and the registry level. It appears from the limited overall damage that the intent of this cyberattack was more for publicity than anything else. Based on the significant media coverage of this event, it was quite successful at that.
DomainTools itself was not hacked. Our whois service simply shows the exact whois record as returned by the registrar (or registry) at the time requested. So those DomainTools whois records pictured in the SEA’s tweet were the whois records at MelbourneIT and Verisign at the time. Users of our Whois History product will note that the stored records from yesterday appear accurate, not hacked. This is because DomainTools’ Whois History data keeps at most one record per day (the last requested record), and the whois records of these domains were fixed intra-day yesterday.
We do, however, have records of the intra-day changes in our database. They show that the whois records were indeed changed at one point yesterday afternoon to list the Tech Admin as SEA, matching the picture in the SEA’s tweet. We also have the altered records of twimg.com and a number of other affected domains.
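As an added illustration (not DomainTools code), the script below diffs successive whois snapshots of a domain on the fields an intruder with registrar access would touch, and shows why a history that keeps only the last record of each day misses a change that is made and reverted intra-day. The domain, contacts and timestamps are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Fields whose change is a strong signal that someone has registrar-level access.
WATCHED = ("Registrar", "Name Server", "Tech Name", "Tech Email", "Domain Status")

def parse_whois(raw: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines; repeated keys such as Name Server accumulate in order."""
    rec: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def diff_records(old: Dict[str, List[str]], new: Dict[str, List[str]]):
    """Return (field, before, after) for every watched field that differs."""
    return [(f, old.get(f, []), new.get(f, [])) for f in WATCHED if old.get(f, []) != new.get(f, [])]

def alerts_for(snapshots: List[Tuple[str, str]], daily_only: bool = False):
    """Diff consecutive (timestamp, raw whois) snapshots. daily_only keeps just the last
    fetch of each calendar day, mimicking a history that stores one record per day."""
    if daily_only:
        last_per_day: Dict[str, Tuple[str, str]] = {}
        for ts, raw in snapshots:
            last_per_day[ts[:10]] = (ts, raw)  # ISO timestamps: first 10 chars are the date
        snapshots = list(last_per_day.values())
    alerts = []
    for (_, prev_raw), (ts, cur_raw) in zip(snapshots, snapshots[1:]):
        for field, before, after in diff_records(parse_whois(prev_raw), parse_whois(cur_raw)):
            alerts.append((ts, field, before, after))
    return alerts

# Constructed sample snapshots (placeholder values, not real whois data).
NORMAL = ("Domain Name: EXAMPLE.COM\nRegistrar: Example Registrar\n"
          "Domain Status: serverUpdateProhibited\nName Server: NS1.EXAMPLE.NET\n"
          "Name Server: NS2.EXAMPLE.NET\nTech Name: Hostmaster\nTech Email: hostmaster@example.com\n")
TAMPERED = NORMAL.replace("Tech Name: Hostmaster", "Tech Name: SEA").replace(
    "hostmaster@example.com", "sea@example.invalid")
SNAPSHOTS = [
    ("2013-08-26T23:00", NORMAL),    # baseline the day before
    ("2013-08-27T09:00", NORMAL),    # still clean in the morning
    ("2013-08-27T15:00", TAMPERED),  # tech contact rewritten intra-day
    ("2013-08-27T21:00", NORMAL),    # repaired before the day ended
]

if __name__ == "__main__":
    for alert in alerts_for(SNAPSHOTS):
        print("per-fetch diff:", alert)
    print("one-record-per-day view sees:", alerts_for(SNAPSHOTS, daily_only=True))
```

Polling every fetch surfaces both the tampering and the repair, while the one-record-per-day view compares two clean records and reports nothing.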
Switching gears a bit, it’s interesting to think about the investigation of who is behind these attacks. This particular situation provides an interesting use case for dealing with whois privacy. An initial whois lookup of the domain sea.sy will show an incomplete record, likely a result of poor registry policy enforcement in the Syrian TLD. Using our Whois History product, we see the domain has had largely useless whois data since inception. However, here are some interesting facts we surfaced:
- Whois History shows the domain sea.sy has only existed since April 29th of this year.
- ReverseIP shows the IP address of that domain is associated with 2 other domains: syrianelectonicarmy.com and qatar-leaks.com.
- IP Whois shows that IP address is hosted in Russia, not Syria.
- Hosting History shows the original nameserver of sea.sy, ns1.scs-net.org, differs from the one in use today, ns1.syrianelectronicarmy.com. And scs-net.org is not under whois privacy protection.
Research like this can often be useful for surfacing interesting leads. If one were to follow this trail, it would surface names, email addresses and other signals. Most types of cyber attacks leave a trail of network information evidence. By this we mean domain name and IP address whois data, and data that associates domain names, IP addresses and nameservers with each other and with individual people and organizations. With this in mind, DomainTools has worked very hard to create the largest and most accurate database of DNS data available anywhere.
It remains our hope that ICANN sees fit not only to enforce whois accuracy, but to keep the data in the public domain (no pun intended!). These events over the past 24 hours are yet another example not only of why registrar and registry security continues to be critically important, but also of why whois and DNS data has real value and can provide powerful insight for security researchers and threat investigators.