A group calling itself the Iranian Cyber Army, fresh off its DNS attack on Twitter last month, has hijacked the domain of the Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world: a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, holds a 77% share of the search market in China, and has annual revenue of about $200 million. For about three hours its front page was a billboard for a hacktivist group supporting the fundamentalist Islamic regime in Iran.
Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.
When we pinged it, baidu.com temporarily resolved to 18.104.22.168, an address in Houston, Texas, on a site hosted by the ISP ThePlanet.com. The domain normally resolves to hosts in Beijing, China, hosted by China Unicom (for example 22.214.171.124, which is back up now). It appeared last night that the defacement page was hosted at a couple of different places.
The site as it appeared for about three hours today:
Baidu.com as it normally appears:
Two other domain names are referenced on the page: cyberarmyofiran.com and ircarmy.com. The first, at IP 126.96.36.199, shows hosting by Netfirms in Markham, Ontario, Canada. The second, ircarmy.com, is at IP 188.8.131.52, showing hosting by Yahoo in Sunnyvale, California.
This is the same group responsible for the attacks on Twitter and mowjcamp.org last month; Twitter was down for a while on the evening of December 17th. In the Twitter attack, the intruder logged in to the administrative portal of Dyn, Twitter's managed DNS provider, using a username and password that belonged to Twitter's account.
At the time that Baidu.com was being redirected, we were seeing different SOA and NS results for the Baidu.com domain name depending on which recursive resolver we asked. A simple script was used to look at this data:
$ sh dnsbaidu.com
[baidu.com]----------------------
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.
---[184.108.40.206]---
---[SOA]---
---[NS]---
---[220.127.116.11]---
---[SOA]---
dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400
---[NS]---
dns050.c.register.com.
dns204.a.register.com.
dns010.d.register.com.
dns190.b.register.com.
---[18.104.22.168]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.
---[22.214.171.124]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.
---[126.96.36.199]---
---[SOA]---
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
---[NS]---
ns2.coolhandle.com.
ns1.coolhandle.com.
50.0% of queries will be returned by 188.8.131.52 (ns2303.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
    2010011202 ; Serial
    86400      ; Refresh
    7200       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum TTL

50.0% of queries will be returned by 184.108.40.206 (ns2304.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
    2010011202 ; Serial
    86400      ; Refresh
    7200       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum TTL
Out of all the DNS results, only Google (220.127.116.11) and Qwest (resolver.qwest.net) returned the correct NS records for Baidu.com. The others, OpenDNS (18.104.22.168), Level 3 (22.214.171.124 and 126.96.36.199), and the Squish.net DNS tracer (the "50.0% of queries will be returned by" output above) returned incorrect results.
We can establish the expected results from the WHOIS data provided by Register.com, the registrar of record for baidu.com. The name servers listed in the registrar's record are the delegation that gets published in the .com zone, so they are the reference that every resolver should agree with.
Registrant:
  Domain Discreet
  ATTN: baidu.com
  Rua Dr. Brito Camara, n 20, 1
  Funchal, Madeira 9000-039
  PT
  Phone: 1-902-7495331
  Email: firstname.lastname@example.org

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: baidu.com

Created on..............: 1999-10-11
Expires on..............: 2014-10-11

Administrative Contact:
  Domain Discreet
  ATTN: baidu.com
  Rua Dr. Brito Camara, n 20, 1
  Funchal, Madeira 9000-039
  PT
  Phone: 1-902-7495331
  Email: email@example.com

Technical Contact:
  Domain Discreet
  ATTN: baidu.com
  Rua Dr. Brito Camara, n 20, 1
  Funchal, Madeira 9000-039
  PT
  Phone: 1-902-7495331
  Email: firstname.lastname@example.org

DNS Servers:
  ns3.baidu.com
  ns2.baidu.com
  ns4.baidu.com
  dns.baidu.com
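The comparison done by eye above, each resolver's answer against the registrar's name server list, can be automated. The following is an added example and not the post's own dnsbaidu.com script: it parses a report in the same ---[resolver]--- / ---[SOA]--- / ---[NS]--- layout, compares every resolver's NS set with the registrar's list, and flags the pattern seen in this incident, a serial identical to the real zone's next to a foreign NS set. The input is constructed; the 192.0.2.x documentation addresses stand in for real resolvers.

```python
"""Cross-resolver DNS consistency check.

Added example (not the post's own dnsbaidu.com script). Parses output
in the ---[resolver]--- / ---[SOA]--- / ---[NS]--- layout used above and
compares each resolver's answer with the registrar's NS list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample in the post's layout. 192.0.2.x are documentation
# addresses standing in for real resolvers: one correct, one empty, one
# answering with the hijackers' SOA/NS, one with the real SOA but foreign NS.
SAMPLE = """\
[baidu.com]----------------------
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.
---[192.0.2.1]---
---[SOA]---
---[NS]---
---[192.0.2.2]---
---[SOA]---
ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. 2010011202 86400 7200 3600000 86400
---[NS]---
ns2303.hostgator.com.
ns2304.hostgator.com.
---[192.0.2.3]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns1.coolhandle.com.
ns2.coolhandle.com.
"""

# Name servers from the registrar's WHOIS record: the delegation that
# should be published in .com and that every resolver should agree with.
REGISTRAR_NS = {"ns3.baidu.com", "ns2.baidu.com", "ns4.baidu.com", "dns.baidu.com"}
REAL_SERIAL = 2010011101


@dataclass
class ResolverView:
    resolver: str
    soa_serial: Optional[int] = None
    ns: Set[str] = field(default_factory=set)


HEADER = re.compile(r"^---\[(.+?)\]---$")


def parse_report(text: str) -> Dict[str, ResolverView]:
    """Turn the script's text report into one ResolverView per resolver."""
    views: Dict[str, ResolverView] = {}
    current: Optional[ResolverView] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank line or the [domain] banner
            continue
        m = HEADER.match(line)
        if m:
            tag = m.group(1)
            if tag in ("SOA", "NS"):
                section = tag                     # record type within a resolver block
            else:
                current = views.setdefault(tag, ResolverView(tag))
                section = None
            continue
        if current is None or section is None:
            continue
        if section == "SOA":
            fields = line.split()                 # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            if len(fields) >= 3 and fields[2].isdigit():
                current.soa_serial = int(fields[2])
        else:
            current.ns.add(line.rstrip(".").lower())
    return views


def find_inconsistencies(views, expected_ns, expected_serial):
    """Map each resolver to a verdict: ok, empty answer, wrong NS, or stale serial."""
    expected = {n.rstrip(".").lower() for n in expected_ns}
    findings: Dict[str, str] = {}
    for name, v in views.items():
        if not v.ns and v.soa_serial is None:
            findings[name] = "empty answer"
        elif v.ns != expected:
            # A serial equal to the real zone's next to a foreign NS set is the
            # pattern in this incident: the hijackers' servers copied the genuine
            # SOA, so the serial alone says nothing about whether the answer is real.
            note = " (serial copied from real zone)" if v.soa_serial == expected_serial else ""
            findings[name] = "wrong NS " + ",".join(sorted(v.ns)) + note
        elif v.soa_serial != expected_serial:
            findings[name] = "serial %s != %s" % (v.soa_serial, expected_serial)
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for resolver, verdict in find_inconsistencies(parse_report(SAMPLE), REGISTRAR_NS, REAL_SERIAL).items():
        print("%-22s %s" % (resolver, verdict))
```

Feed it the real script's output and the registrar's DNS Servers list and the verdicts tell you at a glance which resolvers are still handing out the hijacked delegation; the "serial copied from real zone" note is the reason a serial check alone would have passed OpenDNS's answer.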
Querying one of the listed authoritative servers directly with dig shows the data the rest of the world should be seeing:
$ dig @188.8.131.52 baidu.com SOA

; <<>> DiG 9.6.0-APPLE-P2 <<>> @184.108.40.206 baidu.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;baidu.com.                     IN      SOA

;; ANSWER SECTION:
baidu.com.              7200    IN      SOA     dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200

;; AUTHORITY SECTION:
baidu.com.              86411   IN      NS      dns.baidu.com.
baidu.com.              86411   IN      NS      ns2.baidu.com.
baidu.com.              86411   IN      NS      ns3.baidu.com.
baidu.com.              86411   IN      NS      ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.          300     IN      A       220.127.116.11
ns2.baidu.com.          300     IN      A       18.104.22.168
ns3.baidu.com.          300     IN      A       22.214.171.124
ns4.baidu.com.          300     IN      A       126.96.36.199

;; Query time: 308 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Tue Jan 12 00:17:03 2010
;; MSG SIZE  rcvd: 202
The key thing to note is the SOA serial number 2010011101, and what it does and does not control. A recursive DNS server such as Google's 220.127.116.11 that has nothing cached for baidu.com walks down the hierarchy: it asks the .com servers for the delegation (the NS records and their addresses) and then asks one of those name servers for the record it needs. Every answer carries a TTL, and the resolver serves the answer from its cache until that TTL runs out; it never goes back to compare serial numbers. The serial number is used by secondary authoritative servers. After the SOA refresh interval a secondary queries the primary for its SOA and pulls a new copy of the zone (a zone transfer) only if the primary's serial is higher than the one it holds.
That is what the data above shows. OpenDNS's results carry the serial 2010011101, which is the real zone's current serial, yet list the wrong NS servers for Baidu.com. The attackers' servers evidently copied the real SOA record (the coolhandle.com answer in the script output uses the very same serial), so a matching serial says nothing about whether a cached delegation is genuine. A resolver holding the hijacked NS records will keep returning them until the TTL it received with them expires, whatever the legitimate servers do with their serial in the meantime.
With this data in mind, we would ascertain that the change was made at the .com level, most likely through Register.com, pointing the baidu.com delegation at name servers controlled by the attackers. When we dug into the records, Register.com's were already corrected, but the bad delegation was still sitting in the caches of other resolvers. While we cannot confirm this with certainty, the DNS data leads to that conclusion.
A recommendation to Baidu.com's DNS administrators: raising the serial above 2010011202, the highest value we saw on any server, is harmless and keeps any secondary in step, but it will not flush the resolver caches described above. What clears them is the corrected delegation at Register.com reaching the .com zone and the remaining TTL on the cached records running out; the large resolver operators can be asked to flush the name early. The durable fix is on the registrar side. Registrar lock (the clientUpdateProhibited and clientTransferProhibited statuses) is worth confirming, but it only raises the bar: whoever holds the registrar account credentials can unlock the domain and edit the delegation, exactly as the stolen Dyn credentials were used against Twitter, so the account itself and its credentials are what have to be protected.
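To make the distinction concrete, here is an added example (not code from the post) that models a recursive resolver's TTL-driven cache next to a secondary authoritative server's serial-driven refresh. The registrar's delegation is hijacked at time zero and restored three hours later; the 172800 second delegation TTL and the timings are assumptions, while the name server names are the ones that appear in the data above.

```python
"""Resolver caches expire by TTL; SOA serials drive secondaries, not resolvers.

Added example, not from the original post. A minimal model of a recursive
resolver that caches the .com delegation for baidu.com, a delegation that
is hijacked and later restored, and a secondary authoritative server that
refreshes on serial increase. Times are seconds; the 172800 s delegation
TTL is an assumption (the value the .com zone commonly uses).
"""
from typing import Dict, Set, Tuple

GOOD_NS = {"dns.baidu.com", "ns2.baidu.com", "ns3.baidu.com", "ns4.baidu.com"}
BAD_NS = {"ns1.coolhandle.com", "ns2.coolhandle.com"}   # attacker-controlled, from the post


class Delegation:
    """What the .com servers currently hand out for baidu.com: NS set plus TTL."""
    def __init__(self, ns: Set[str], ttl: int):
        self.ns, self.ttl = set(ns), ttl

    def set_ns(self, ns: Set[str]) -> None:
        self.ns = set(ns)


class RecursiveResolver:
    """Cache keyed by (name, type); an entry is trusted until it expires."""
    def __init__(self, delegation: Delegation):
        self.delegation = delegation
        self.cache: Dict[Tuple[str, str], Tuple[Set[str], int]] = {}

    def query_ns(self, name: str, now: int) -> Tuple[Set[str], str]:
        key = (name, "NS")
        hit = self.cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0], "cache"                 # no serial comparison happens here
        rdata = set(self.delegation.ns)
        self.cache[key] = (rdata, now + self.delegation.ttl)
        return rdata, "fresh"


class SecondaryAuthority:
    """Holds a zone copy; pulls a new one only when the primary's serial is higher."""
    def __init__(self, serial: int):
        self.serial = serial

    def refresh(self, primary_serial: int) -> bool:
        # Plain integer comparison; real servers use RFC 1982 serial arithmetic.
        if primary_serial > self.serial:
            self.serial = primary_serial
            return True
        return False


def hijack_timeline(ns_ttl: int = 172800, fix_at: int = 3 * 3600) -> Dict[str, object]:
    """Attacker changes the delegation at t=0; the registrar restores it at fix_at."""
    delegation = Delegation(BAD_NS, ns_ttl)
    resolver = RecursiveResolver(delegation)
    cached_at = 60
    first, _ = resolver.query_ns("baidu.com", cached_at)    # resolver learns the hijacked NS
    delegation.set_ns(GOOD_NS)                               # the fix lands in .com at fix_at
    during, source = resolver.query_ns("baidu.com", fix_at + 3600)
    after, _ = resolver.query_ns("baidu.com", cached_at + ns_ttl)
    return {
        "first_seen": first,
        "one_hour_after_fix": during,
        "one_hour_after_fix_source": source,
        "after_ttl_expiry": after,
        "cache_clears_at": cached_at + ns_ttl,
    }


def serial_bump_effect(secondary_serial: int, primary_serial: int) -> bool:
    """True if raising the primary's serial makes a secondary pull the zone."""
    return SecondaryAuthority(secondary_serial).refresh(primary_serial)


if __name__ == "__main__":
    for key, value in hijack_timeline().items():
        print(key, value)
    print("secondary refreshes on bump:", serial_bump_effect(2010011101, 2010011202))
    print("secondary refreshes on equal serial:", serial_bump_effect(2010011101, 2010011101))
```

The resolver still answers with the coolhandle.com servers an hour after the registrar fixed the delegation, and only picks up the real servers once its own TTL clock runs out; the serial bump, by contrast, moves the secondary immediately. Shortening the TTL after the fact does not help either, because the short value only reaches resolvers that re-fetch, and the ones that matter are exactly those that have not.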
Translation of the Text
The text is Persian and translates roughly to:
"Iranian (Persian) Cyber Army, is formed (and is on the move), in protest for the meddling of the foreign and Zionist sites in our countries domestic affairs and broadcasting of false news and inciting of conflict."
The text in the middle says “Dear Hussein”, perhaps in reference to Imam Hussein.
A similar sentiment to the messages present in the attack on Twitter.
The name Baidu comes from an 800 year old Chinese poem written during the Song Dynasty. The poem compares the search for retreating beauty amid chaotic glamor with the search for one’s dream impeded by life’s obstacles. And we have ‘Google’.
While pressured to intervene as a response to Iran’s nuclear ambitions, China has for the most part stayed clear of speaking out on the subject. Businesses in China have served as intermediaries for products imported from Iran that are then shipped to U.S. firms, in violation of U.S. economic sanctions against Iran. For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile web site.