Entries in Iranian Cyber Army (2)

Saturday, 19 December 2009

Iran Special: Austin Heap on "The Attack on Twitter"

Austin Heap, one of the most prominent activists on the Internet and Iran (see, for example, "The Haystack Project" to provide unfiltered Web access to Iranians), writes a guest blog for Enduring America on yesterday's diversion of Twitter users to the page of the "Iranian Cyber Army":

There were probably a few odd text messages whizzing around in San Francisco at 11 PM on Thursday night at a place called Dyn. It's a company that most people had not heard of, even though it powers websites such as Facebook, LinkedIn, Flickr, YouTube, and Vimeo. They even have a catchy motto: "Uptime is the Bottom Line". Now, however, a group calling itself the "Iranian Cyber Army" had hacked Dyn's servers and changed only a tiny line of text. The outcome was the "occupation" of Twitter, causing a two-hour outage of service for Tweeters around the world.


Dyn offers a service called managed DNS hosting. Essentially a yellow pages for the Internet, DNS translates lettered website names into an IP address, like phone numbers for computers. When you type in enduringamerica.com on your browser, a request is sent out to a DNS server. The DNS server responds to your browser and says, "enduringamerica.com's IP address is XX.XX.XX.XXX", then your browser "calls" that IP.

Twitter uses Dyn's managed DNS service, so when you visit Twitter's website, your browser first asks Dyn where to find Twitter. Instead of the request being pointed to the correct location, the attackers altered Twitter's records at Dyn so that Dyn told users around the world that Twitter was now hosted on a server in Provo, Utah, run by a company called Bluehost.

For a handful of frantic hours, when someone tried to reach Twitter's site, they were diverted to a page of the "Iranian Cyber Army". The cyber-warriors greeted them with a message in Arabic and Farsi, placed atop and on a green flag:

Peace be with you. Ya Hossein! If the leader orders us to, we will attack and if he wants us to, we will lose our heads. If he wants us to have patience and wait, we shall sit down and put up with it.

It's a bold move by a group about which people knew little if anything, even though "the Iranian Cyber Army" had pulled off the same manoeuvre days earlier with the prominent Green movement website Mowj-e-Sabz, which has now suspended publication.

The question remains: who are they --- cyber-renegades or a group affiliated with the Iranian regime? Octavia Nasr, CNN's senior editor for Middle East affairs, dramatically announced yesterday, "The hackers are definitely Shiites, as indicated by the 'Ya Hussein' chant printed on their banner." That, however, is far from solving the mystery, since the vast majority of Iranians are Shia.

On the surface, it seems unlikely that the Government of Iran would attack a private company in America and even less likely that they would post what amounts to a ransom note with a pretty graphic on it. Sure, government hacking goes on all the time, and the US has even been caught with its hands in some of Iran's most private servers, but that did not come to light until three years after it happened. The threat of exposure of regime responsibility for this incident, with its high-profile target, is much greater.

Meanwhile, the on-line enquiry continues. Given the enormous influx of traffic to their servers from millions of tweeters, one would have expected Bluehost to notice and fix the problem at lightning speed. When asked why they had not responded faster, while the hack was still underway, Bluehost declined to answer. They have since removed the account that was used to host the attackers' message. Twitter also declined to comment beyond their initial verification, which of course came in a Tweet --- their "DNS records were temporarily compromised".

UPDATE: From Bluehost: "Bluehost is a leading Web hosting company that provides services to nearly 2 million Web sites. Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was set up using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations."

UPDATE2: The kind folks at Internet Identity passed along the DNS change records for twitter.com:

2009-12-17 22:01 PST (2009-12-18 06:01 UTC): www.twitter.com and twitter.com A records pointed to 74.217.128.160

2009-12-17 22:14 PST (2009-12-18 06:14:20 UTC): twitter.com A records pointed to 69.59.28.85

2009-12-17 22:24 PST (2009-12-17 06:24 UTC): twitter.com A records pointed to 66.147.242.88

2009-12-17 23:11 PST (2009-12-18 07:11 UTC): A records corrected and pointing back to the allowed range for resolution

As you can see, the attackers tried three different hosts before sticking with Bluehost. First it was NetFirms, then it was CaroNet, and finally Bluehost.
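The DNS explanation and the change records above describe the detection problem an operator faces: a managed-DNS answer that silently points a name at someone else's server. As an added illustration of the defender's side (example code, not part of Austin Heap's post and not Internet Identity's or Dyn's tooling), the Python below reads change records in a simplified one-line-per-record shape modelled on the list above, flags every A record that falls outside an allow-list of legitimate address blocks, and measures how long the records stayed hijacked. The three rogue addresses are the ones the records list; the allowed range (203.0.113.0/24) and the restored address (203.0.113.10) are placeholder values from the RFC 5737 documentation range, since the post does not give Twitter's legitimate range.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed change log modelled on the Internet Identity records quoted above
# (one record per line). The three rogue addresses are the ones the records list;
# the final "corrected" address is a placeholder from the RFC 5737 documentation
# range because the post does not give the restored IP.
CHANGE_LOG = """\
2009-12-18 06:01 UTC twitter.com A 74.217.128.160
2009-12-18 06:14 UTC twitter.com A 69.59.28.85
2009-12-18 06:24 UTC twitter.com A 66.147.242.88
2009-12-18 07:11 UTC twitter.com A 203.0.113.10
"""

# Assumed allow-list: the address blocks the operator legitimately serves the site
# from. A documentation prefix stands in for the real range (placeholder).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC\s+(?P<name>\S+)\s+A\s+(?P<ip>\S+)$"
)


def parse_change_log(text):
    """Turn one change record per line into (timestamp, name, ip) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines rather than abort the run
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        records.append((ts, m["name"], ipaddress.ip_address(m["ip"])))
    return records


def is_allowed(ip, allowed=ALLOWED_RANGES):
    """True when the address sits inside one of the operator's legitimate blocks."""
    return any(ip in net for net in allowed)


def rogue_records(records, allowed=ALLOWED_RANGES):
    """Every A record pointing outside the allow-list: the evidence of a hijack."""
    return [(ts, name, ip) for ts, name, ip in records if not is_allowed(ip, allowed)]


def hijack_window(records, allowed=ALLOWED_RANGES):
    """Minutes from the first rogue record to the first allowed record after it.

    Returns None when nothing was rogue, or when no corrected record follows
    (meaning the name is still hijacked as of the last record seen)."""
    rogue = [r for r in records if not is_allowed(r[2], allowed)]
    if not rogue:
        return None
    start = rogue[0][0]
    restored = [r for r in records if r[0] > start and is_allowed(r[2], allowed)]
    if not restored:
        return None
    return int((restored[0][0] - start).total_seconds() // 60)


if __name__ == "__main__":
    recs = parse_change_log(CHANGE_LOG)
    for ts, name, ip in rogue_records(recs):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} UTC {name} A -> {ip} (outside allowed range)")
    print("hijack window (minutes):", hijack_window(recs))
```

Run stand-alone, it prints one alert per rogue record and a 70-minute window for the constructed log. The same check is what a scheduled resolver-side monitor would apply to live answers: the allow-list is the control, and any answer outside it is the alert, regardless of which hosting company the name has been pointed at.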


UPDATE3: From Twitter: "Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so instead of typing in a long string of numbers we can enter urls like www.twitter.com into a browser to visit our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80% of Traffic to Twitter.com was redirected to other web sites. We tweeted, blogged, and updated our status page last night.

During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users; we don't believe any accounts were compromised."
Friday, 18 December 2009

Iran: The Regime Takes On (Hacks?) Twitter for Moharram

UPDATE 1320 GMT: HomyLafayette offers an important correction on the text used by the "Iranian Cyber Army" (see 0945 GMT): "The red text on the green flag in fact reads, 'O Hossein, peace be upon him,' referring to Imam Hossein, a key figure in Islam and the 3rd Imam of Shiites." It is Hossein's death that is commemorated in the month of Moharram that starts today.

UPDATE 1010 GMT: Twitter has posted, “Twitter’s DNS [Domain Name System] records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.”

UPDATE 0945 GMT: When FoxNews caught up with this story, they included this information:

"Above the flag, in Arabic, read: 'Hezbollah is victorious.' On the flag, in red Arabic writing: 'Yassin' (an Arabic name written in bold) then in smaller Arabic print 'the feast of peace'. Below the flag was more written in Farsi."



0755 GMT: We just found the screenshot of Twitter's website when it was "occupied" by the "Iranian Cyber Army". It is the same text and image that appeared on the Green Movement's website Mowj-e-Sabz on Wednesday.

I woke this morning to find that Twitter was running extremely slowly and sometimes grinding to a halt. Indeed, since 1200 GMT yesterday there have been serious slow-downs in delivery of messages.

Service is now picking up, but the hot story is that Twitter was hacked yesterday by the "Iranian Cyber Army" with this message:
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM


U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….



NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.


Sharp-eyed EA readers will recognise that "Iranian Cyber Army" is the same group that took over the domain of the Green Movement's website Mowj-e-Sabz/Mowjcamp earlier this week.

Yet, in this apparent victory for Iranian cyber-warfare, there lies I think a greater admission of defeat. If Twitter has not been that important in the challenge to the regime's legitimacy since the Presidential election of June, why try to knock it out --- raising the ire of millions of users who so far have had little interest in the events in Iran --- at the start of Moharram? That seems more a confession of worry than an assertion of strength.

And it is one thing to take out an opposition website; another to try and still one of the most significant global shifts in the use of the Internet. For a few hours, yes, but for all of today? And the next day? And all the way to the likely mass protests on Ashura on 27 December?

So, if the Iranian Cyber Army did indeed take on and, for at least a moment, knock down Twitter... it may be time to look up the definition of "Pyrrhic victory".