There were probably a few odd text messages whizzing around in San Francisco at 11 PM on Thursday night at a place called Dyn. It's a company that most people had not heard of, even though it powers websites such as Facebook, LinkedIn, Flickr, YouTube, and Vimeo. They even have a catchy motto: "Uptime is the Bottom Line". Now, however, a group calling itself the "Iranian Cyber Army" had hacked Dyn's servers and changed only a tiny line of text. The outcome was the "occupation" of Twitter, causing a two-hour outage of service for Tweeters around the world.
Iran: The Regime Takes On (Hacks?) Twitter for Moharram
Dyn offers a service called managed DNS hosting. Essentially a yellow pages for the Internet, DNS translates human-readable website names into IP addresses, which are like phone numbers for computers. When you type enduringamerica.com into your browser, a request is sent to a DNS server. The DNS server responds to your browser with "enduringamerica.com's IP address is XX.XX.XX.XXX", and your browser then "calls" that IP.
Twitter uses Dyn's managed DNS service, so when you visit Twitter's website, your browser first asks Dyn where to find Twitter. Instead of the request being answered with the correct location, the hackers changed Twitter's DNS records so that Dyn would tell users around the world that Twitter was now hosted on a server in Provo, Utah, run by a company called Bluehost.
For a handful of frantic hours, when someone tried to reach Twitter's site, they were diverted to a page of the "Iranian Cyber Army". The cyber-warriors greeted them with a message in Arabic and Farsi, placed atop and on a green flag:
Peace be with you. Ya Hossein! If the leader orders us to, we will attack and if he wants us to, we will lose our heads. If he wants us to have patience and wait, we shall sit down and put up with it.
It's a bold move by a group about which people knew little if anything, even though "the Iranian Cyber Army" had pulled off the same manoeuvre days earlier with the prominent Green movement website Mowj-e-Sabz, which has now suspended publication.
The question remains: who are they --- cyber-renegades or a group affiliated with the Iranian regime? Octavia Nasr, CNN's senior editor for Middle East affairs, dramatically announced yesterday, "The hackers are definitely Shiites, as indicated by the 'Ya Hussein' chant printed on their banner." That, however, is far from solving the mystery, since the vast majority of Iranians are Shia.
On the surface, it seems unlikely that the Government of Iran would attack a private company in America and even less likely that they would post what amounts to a ransom note with a pretty graphic on it. Sure, government hacking goes on all the time, and the US has even been caught with its hands in some of Iran's most private servers, but that did not come to light until three years after it happened. The threat of exposure of regime responsibility for this incident, with its high-profile target, is much greater.
Meanwhile, the on-line enquiry continues. Given the enormous influx of traffic to their servers from millions of tweeters, one would have expected Bluehost to notice and fix the problem at lightning speed. When asked why they had not responded faster while the hack was still underway, Bluehost declined to answer. They have since removed the account that was used to host the attackers' message. Twitter also declined to comment beyond their initial verification, which of course came in a Tweet --- their "DNS records were temporarily compromised".
UPDATE: From Bluehost: "Bluehost is a leading Web hosting company that provides services to nearly 2 million Web sites. Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was set up using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations."
UPDATE2: The kind folks at Internet Identity passed along the DNS change records for twitter.com:
2009-12-17 22:01 PST (2009-12-18 06:01 UTC): www.twitter.com and twitter.com A records pointed to 220.127.116.11
2009-12-17 22:14 PST (2009-12-18 06:14:20 UTC): twitter.com A records pointed to 18.104.22.168
2009-12-17 22:24 PST (2009-12-17 06:24 UTC): twitter.com A records pointed to 22.214.171.124
2009-12-17 23:11 PST (2009-12-18 07:11 UTC): A records corrected and pointing back to the allowed range for resolution
As you can see, the attackers tried three different hosts before sticking with Bluehost. First it was NetFirms, then it was CaroNet, and finally Bluehost.
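The change log above is exactly the kind of signal a defender can monitor for: a domain's A records suddenly resolving outside the address ranges the owner actually uses. The following script is an added example, not code from the article or from Dyn, Twitter or Internet Identity; it replays constructed observations modelled on the log (the three hijacked addresses are taken from the log, the allowed ranges and the "corrected" address are placeholders) and reports each window in which the name pointed somewhere it should not.

```python
"""Flag DNS A-record answers that fall outside an owner's allowed ranges,
and measure how long each out-of-range window lasted."""
import ipaddress
from datetime import datetime, timezone

# Placeholder allowlist (TEST-NET documentation prefixes), NOT Twitter's real ranges.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed observations in the style of the change log above:
# (UTC timestamp, queried name, A record returned by the authoritative server).
# The last entry stands in for "corrected and pointing back to allowed range".
OBSERVATIONS = [
    ("2009-12-18 06:01", "twitter.com", "220.127.116.11"),
    ("2009-12-18 06:14", "twitter.com", "18.104.22.168"),
    ("2009-12-18 06:24", "twitter.com", "22.214.171.124"),
    ("2009-12-18 07:11", "twitter.com", "203.0.113.7"),
]


def is_allowed(address: str) -> bool:
    """True if the address lies inside one of the owner's allowed ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ALLOWED_RANGES)


def find_hijack_windows(observations):
    """Return (start, end, address) for each span during which the name resolved
    outside the allowed ranges. A window closes when the next observation arrives;
    an unresolved window at the end of the log has end=None."""
    windows, current = [], None
    for ts, _name, addr in observations:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        if current is not None:
            windows.append((current[0], t, current[1]))
            current = None
        if not is_allowed(addr):
            current = (t, addr)
    if current is not None:
        windows.append((current[0], None, current[1]))
    return windows


def total_minutes_hijacked(observations) -> int:
    """Sum the lengths of all closed hijack windows, in whole minutes."""
    return sum(int((end - start).total_seconds() // 60)
               for start, end, _ in find_hijack_windows(observations) if end)
```

Run against the constructed log it reports three windows (13, 10 and 47 minutes) for a total of 70 minutes, close to the roughly 75-minute outage Twitter describes below.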
UPDATE3: From Twitter: "Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so instead of typing in a long string of numbers we can enter URLs like www.twitter.com into a browser to visit our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80% of traffic to Twitter.com was redirected to other web sites. We tweeted, blogged, and updated our status page last night.
During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users; we don't believe any accounts were compromised."