Fully updated: 12/18/09
At some time around 10pm on Thursday, users going to Twitter.com were served the page below with a banner reading “This site has been hacked by the Iranian Cyber Army”. Also, mowjcamp.org, a site for supporters of Mir-Hossein Mousavi Khameneh a candidate who ran against Mahmoud Ahmadinejad in the 2009 Iranian presidential election, has been serving a similar defacement since at least December 16th and continues to do so. The motive appears to be activism in support of Iran’s current Islamic regime. The attack vector was a bad actor using an id and password assigned to Twitter to log in to the administrative portal of managed DNS service provider Dyn.
Twitter actually had a prominent role in protests following the disputed Iranian presidential elections, and was a key source for Iranian citizens to both receive and disseminate information during the country’s widespread protests. The targeting of both the opposition candidate and the Twitter platform is then somewhat suspect as being related to the time period following the election. Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.
The site description in Google which temporarily indexed Twitter with the defacement seems to confirm this motive. The text reads: “In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”.
The page contains an e-mail address, I guess the “Iranian Cyber Army” is accepting feedback, an image of a flag with Arabic words, and an English message at the bottom as follows:
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To…. NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA? WE PUSH THEM IN EMBARGO LIST ;) Take Care.
We think its nice they asked us to take care.
Twitter uses a hosted managed DNS service by Dyn, Inc, a New Hampshire firm, for their domain names. According to WHO.IS, they have been using this service since February of 2009. Dyn’s Chief Technology Officer, Tom Daly, has stated that someone using a “set of valid Twitter credentials” made the DNS changes that affected twitter.
So they would have logged in here:
Then they would have been presented a page like this (here’s ours as an example, all public information), and could modify where the domain name points:
- “It was not a failing on our systems whatsoever.”
- Tom Daly, Dyn CTO
- “”This was not an unauthorized breach of our system.”
- On Twitter’s explanation “It will fully exonerate us, that’s one thing I can say,”
- On whether Twitter’s credentials were stolen by hackers: “You’ll have to read between the lines,”
- Kyle York, Dyn VP of Marketing
Well those are examples of a combination of a strong statement alongside playing semantics. Dyn hosts DNS for a number of major web properties such as Arcsight, Zappos, Subway, British Telecom and others. While many other managed DNS services do the same thing, requiring only a web form with id and password authentication is probably not a good way to protect DNS records.
As an example of where to go from here, the online video game World of Warcraft has $6.50 physical one time password (OTP) tokens to authenticate in order to play:
Many of you log into your corporate virtual private networks with similar OTP tokens, issued by firms such as RSA.
So your company protects its internal network with dual factor authentication. Many web sites and web services such as World of Warcraft or eTrade protect the individual user with the same. Why doesn’t Twitter require their managed DNS provider to protect the primary product of their $1 billion dollar valuation company with the same.
We’ve also asked Dyn twice for the geoip of the attacker that used Twitter credentials to update the DNS entry without response.
How did they get Twitter’s Login for the Site?
I don’t know, and there’s been a lot of speculation. But looking for evidence of something that has changed? DynStatus reports on Friday that “due to increased security concerns…we have disabled access to our e-mail based password reset system, to prevent compromise of customer login credentials via e-mail systems.
So potentially something happened where the password reset function was subverted, either by someone having access to the e-mail account at Twitter that password reset e-mails are sent to, or a subversion of the password reset functionality on the web site.
Was e-mail access absolutely required to subvert a password reset? Of course not, as an example the site has some of the source HTML usually associated with sites built with the Drupal CMS, which has had past issues with attacks on its password reset function: drupal-passwdxss.txt. We’re not saying that’s what this is, but we are replying that until Twitter comes forward, no one knows that a Twitter staff e-mail account has been compromised.
What’s the Flag Say?
Relying on the translations of others (we don’t speak Arabic or Farsi) the flag contains a message of “Hezbollah is victorious” at the top, referring to the paramilitary organization in Lebanon supported by Iran which in 2006 engaged in a 34 day military conflict with Israel.
The next word is the name of the third Shi’i Imam, Imam Husayn. Finally at the bottom there is a poem that reads: “We shall strike if the leader orders, we shall lose our heads if the leader wishes.”
Based on the material displayed, there is speculation that the cracker(s) is part of a Shiite group.
Twitter.com Serving the Page from the Wrong IP
At some point during last night’s defacement people started noting that the content being served for the domain twitter.com was being served by IP address: 184.108.40.206. This IP address is tied to Bluehost and according to GeoIP is a web server in Provo, Utah. The IP is still hosting a similar defacement page at the time of writing at: http://220.127.116.11/~twitter9/index.htm.
This version has a few sentences in Farsi at the bottom as opposed to the English message, Google translates this as:
Name of God As an Iranian response to this intervention sly server command in the internal affairs of my country and American authorities) This site is a warning Hk
If any native speakers who can read this want to help us with the translation, the comments are open below.
The Attack – Theories from Last Night Worth Explaining
DNS Cache Poisoning?
Twitter’s Biz Stone put out an update on their blog indicating that Twitter’s DNS records “were temporarily compromised”. That led to speculation that the culprit was DNS Cache Poisoning. An explanation of DNS Cache Poisoning could easily make its own blog post, so we’ll keep it brief here.
Essentially a domain name server translates a domain name (www.google.com) into an IP address used to find the resource requested which is hosted on the Internet. Usually name servers rely on data served from authoritative Domain Name System, basically a hierarchy of who listens to who. When a bad actor (or possibly an unintended mistake) is able to provide bad data to a caching name server, that name server is considered poisoned. That data is cached for future requests, but now may contain a record that diverts a domain name (www.google.com) to an IP address not owned by Google but rather by the bad actor.
A cache is a duplicate copy of original data stored elsewhere, kept to speed up duplicate requests for the same resource. Confused? There is a decent video below explaining an attack scenario where the DNS server receives a look up request from a bad actor who then floods the DNS server with bad name resolution data. The bad resolution of the domain is saved in cache, and future users are sent to the wrong IP address. For example, it may send requests for twitter.com to an IP address in Utah serving up Iranian political propaganda.
Basic Explanation of DNS Cache Poisoning
Check Point put out a video last year that gives what is a very high level explanation of what happens in a DNS Cache Poisoning attack. If you’re not familiar with this type of attack, it might be useful:
Another site suggested the problem might be DNS Hijacking. A DNS server essentially is used to translate domain names to IP addresses, basically because domain names are easier to remember when accessing Internet connected resources. While most users depend on DNS servers hosted by their ISP and in turn downstream providers, it is possible for a bad actor to host a rogue DNS server, point the domains of legitimate web sites to IP addresses hosting a bogus web site for example, and attempt via malicious code on the PC to change the user’s DNS server assignment. When a bad actor attempts to redirect users from a legitimate web site to a bogus one, its usually referred to as pharming.
Recall we mentioned earlier that Twitter is the second site we’re aware of to be defaced in the same way. The site mowjcamp.org, a political rally web site supporting former Iranian opposition candidate Mir-Hossein Mousavi Khameneh, is actively at time of writing serving a defacement page similar to the one that was on Twitter with this IP address: 18.104.22.168. This IP is also associated with ISP Bluehost, and GeoIP also points back to Provo, Utah for its location.
The first screenshot is what mowjcamp.org is supposed to look like, and can be viewed directly at the IP address: http://22.214.171.124.
So as we mentioned earlier Twitter had this to say last night:
12/17/09 11:43 PM As we tweeted a bit ago, Twitter's DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully.
And then today posted this update:
12/18/09 1:33 PM Update on Last Night's DNS Disruption Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so instead of typing in a long string of numbers we can enter urls like www.twitter.com into a browser to visit our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80% of Traffic to Twitter.com was redirected to other web sites. We tweeted, blogged, and updated our status page last night. During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users—we don't believe any accounts were compromised. If you're concerned that your account could have been affected in some way, feel free to contact us, accountsafe [at] twitter.com.
As is always the case, the updates are short on meaningful information, providing a review of what we already read elsewhere, leaving out any indication of how the bad actor or actors got the login credentials for Dyn, and not providing any indication on what might be corrected to prevent this going forward.
Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was setup using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations.
It is somewhat strange that their monitoring did not notice a web site that went from zero to millions of visits in minutes.
The coverage coming out of this incident is riotious:
Thursday night’s cyber attack against the Twitter microblogging service was no routine assault to bring down a website. It was a sophisticated online blitz –perhaps part of an online Iranian cybercampaign – that could prove costly for social media networks.
Ah yes, the blitzkrieg online cyberwar has begun. Let me get my hat. If by sophisticated you mean “is able to use a web site” and “knows how to use ‘whois’” then yes, a highly sophisticated assault.
The attack last night on Twitter was clear retribution for the role that the service played during the [post-Iran election] demonstrations, and the role that it continues to play today. We have spoken to a number of sources overnight who have told us that the Iranian Cyber Army, unlike other groups with similar national monikers, is a group name that is to be taken literally ie. it is an Iranian government group. Little is known about how the group operates, but previous attempts to shut off Iranian citizens from Twitter and other web services demonstrate that Iran has the capability and will to use almost any means to control the flow of information on the web both within and outside of its own borders.
Do these sources have names or credibility of any kind? Because while this could be a government sponsored group, it could be a pissed off Islamic kid, a group of guys who communicate in an Arabic hacking forum, or any number of things.
In a web war, Iran has demonstrated that almost nobody is immune, the battlefield is level and it is not afraid to fire the first big shots in full view of the entire world.
Are we in a web war with Iran? Because no one has one iota of proof yet that this is an Iranian government sponsored group. For reference, the battlefield is not level if we are in a war, the U.S. dependence on technology is far greater than that of Iran. If they’re ready to step up beyond logging in to an accessible web portal and changing a DNS entry at a managed DNS provider, they could really cause a lot of trouble.
With a large-scale attack on a popular global web service, it is the first time that cyber attacks have been used as part of a propaganda campaign to propel the global political agenda of a foreign government.
Really? I could have sworn I’ve seen web sites defaced for political propaganda purposes before.
Since these sites may be taken down at any point, if you want to do further research here is the HTML that was being returned from the defaced web site:
<html> <head> <meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>..:: This Web Site Has Been Hacked By Iranian Cyber Army ::.. </title> </head> <body bgcolor="#000000"> <p align="center"> </p> <p align="center"><img border="0" src="index.6.gif"><img border="0" src="index.2.gif"><img border="0" src="index.7.gif"></p> <p align="center"><img border="0" src="index.8.gif"></p> <p align="center"> <a href="mailto:[email protected]?subject=Mowjcamp"> <img border="0" src="index.5.gif"></a></p> <p align="center"><img border="0" src="index.3.jpg" width="43%" height="106%"></p> <p align="center"><font face="Tahoma" size="2"><b> </b></font></p> <p align="center"><b><font face="Tahoma" size="2" color="#FFFFFF">nbsp; بنام خدا<br> به عنوان یک ایرانی در پاسخ به دخالت های شیطنت آمیز این سرویس دهنده به دستور مقامات آمریکایی در امور داخلی کشورم ) <br> این سایت به عنوان هشدار هک می شود <br> </font></b></p> </body> </html>
Although Twitter’s security posture has been a well publicized running disaster, this particular circumstance doesn’t really fall under the same category as previous problems because this was an attack outside of the Twitter infrastructure itself. TechCrunch threw something out there about changing your passwords, always a good practice, but your password was probably not at risk during this attack.
Who says the crackers only motivation is money these days?
Critical services such as DNS, BGP Routers, and any service that can single-handedly take down your entire company should be protected by two-factor authentication. Looking at Dyn’s login page on the website, it appears the service uses standard username and password authentication without support for two-factor authentication, something we would suggest that they change or at least offer at cost to larger clients.
But the real crime, as youngluck noted on TechCrunch: “Actually, the sad thing here is that an “army” with enough sophistication to take down Twitter, could have a graphic design department that could suck this bad.”
We’ll update the post if Twitter uncharacteristically provides more information about what happened.
Filed Under: Web Site Defacement