Iran Election Guide

Donate to EAWV

Or, click to learn more


« The Latest from Iran (19 December): After the Mythical "Millions" | Main | Israel & Turkey: Repairing Relations, Leaving Gaza Behind? »

Iran Special: Austin Heap on "The Attack on Twitter"

TWITTER CYBER-ATTACKAustin Heap, one of the most prominent activists on the Internet and Iran (see, for example, "The Haystack Project" to provide unfiltered Web access to Iranians), writes a guest blog for Enduring America on yesterday's diversion of Twitter users to the page of the "Iranian Cyber Army":

There were probably a few odd text messages whizzing around in San Francisco at 11 PM on Thursday night at a place called Dyn. It's a company that most people had not heard of, even though it powers websites such as Facebook, LinkedIn, Flickr, YouTube, and Vimeo. They even have a catchy motto: "Uptime is the Bottom Line". Now, however, a group calling itself the "Iranian Cyber Army" had hacked Dyn's servers and changed only a tiny line of text. The outcome was the "occupation" of Twitter, causing a two-hour outage of service for Tweeters around the world.

Iran: The Regime Takes On (Hacks?) Twitter for Moharram
The Latest from Iran (19 December): After the Mythical “Millions”

Dyn offers a service called managed DNS hosting. Essentially a yellow pages for the Internet, DNS translates lettered website names into an IP address, like phone numbers for computers. When you type in on your browser, a request is sent out to a DNS server. The DNS server responds to your browser and says, "'s IP address is XX.XX.XX.XXX", then your browser "calls" that IP.

Twitter uses Dyn's managed DNS service, so when you visit Twitter's website, your browser first asks Dyn where to find Twitter. Instead of the request being pointed to the correct location, the hackers changed the program so Dyn would tell users around the world that Twitter was now hosted on a server in Provo, Utah, run by a company called Bluehost.

For a handful of frantic hours, when someone tried to reach Twitter's site, they were diverted to a page of the "Iranian Cyber Army". The cyber-warriors greeted them with a message in Arabic and Farsi, placed atop and on a green flag:

Peace be with you. Ya Hossein! If the leader orders us to, we will attack and if he wants us to, we will lose our heads. If he wants us to have patience and wait, we shall sit down and put up with it.

It's a bold move by a group about which people knew little if anything, even though "the Iranian Cyber Army" had pulled off the same manoeuvre days earlier with the prominent Green movement website Mowj-e-Sabz, which has now suspended publication.

The question remains: who are they --- cyber-renegades or a group affiliated with the Iranian regime? Octavia Nasr, CNN's senior editor for Middle East affairs, dramatically announced yesterday, "The hackers are definitely Shiites, as indicated by the 'Ya Hussein' chant printed on their banner." That, however, is far from a solving of the mystery, since the vast majority of Iranians are Shia.

On the surface, it seems unlikely that the Government of Iran would attack a private company in America and even less likely that they would post what amounts to a ransom note with a pretty graphic on it. Sure, government hacking goes on all the time, and the US has even been caught with its hands in some of Iran's most private servers, but that did not come to light until three years after it happened. The threat of exposure of regime responsibility for this incident, with its high-profile target, is much greater.

Meanwhile, the on-line enquiry continues. Given the enormous influx in traffic to their servers from millions of tweeters, one would have expect Bluehost to notice and fix the problem at lighting speed. When asked why they had not responded faster, while the hack was still underway, Bluehost declined to answer. They have since removed the account that was used to host the attackers' message. Twitter also declined to comment beyond their initial verification, which of course came in a Tweet --- their "DNS records were temporarily compromised".

UPDATE: From Bluehost: "Bluehost is a leading Web hosting company that provides services to nearly 2 million Web sites. Bluehost discovered that had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was setup using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations."

UPDATE2: The kind folks at Internet Identity passed along the DNS change records for
2009-12-17 22:01 (PST) 2009-12-18 06:01 UTC, A Records pointed to

2009-12-17 22:14 (PST) 2009-12-18 06:14:20 UTC A Records pointed to

2009-12-17 22:24 (PST) 2009-12-17 06:24 UTC A Records pointed to

2009-12-17 23:11 (PST) 2009-12-18 07:11 UTC
A Records corrected and pointing back to allowed range for resolution

As you can see, the attackers tried three different hosts before sticking with Bluehost. First it was NetFirms, then it was CaroNet, and finally Bluehost.

UPDATE3: From Twitter: "Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so instead of typing in a long string of numbers we can enter urls like into a browser to visit our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80% of Traffic to was redirected to other web sites. We tweeted, blogged, and updated our status page last night.

During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users we don’t believe any accounts were compromised."

Reader Comments (6)

[...] Heap has an article about the hack on EA Iran Special: Austin Heap on “The Attack on Twitter” | Enduring America [...]

What no one has talked about much was the statement by Mowjcamp that the job on their site was done by hired Russian hackers. When Twitter users first noticed the hacked Mowjcamp home page they were joking about a new Maoist-Shiite Liberation Front because of the Soviet-style red font used and the stars on either end of the first line of text. The statement by Mowjcamp blaming Russian (or Russian-trained) hackers came 2 days after the Twitter comments. I know Russia is in the opposition's dog house these days - but could it be true?

December 19, 2009 | Unregistered CommenterCatherine

As a journalist who has covered the Islamic Republic of Iran's repression of queers for the last 5 years (as International Affairs Editor of Gay City News) I can say that this attack on Twitter smacks of another attack by the large cyberdivision of the Iranian Ministry of the Interior, which has a long record of such things. For gays it began in earnest a few years ago after the worldwide protests against the hanging of two teenage lads for sodomy in the "holy" city of Mashad. Hackers working for the Interior Ministry then disabled websites like that of the Iranian Queer Organization (then known as the Persian Gay and Lesbian Organization) that that of the U.K.'s best-known gay campaigner, noted human rights activist Peter Tatchell. There have been an incredible number of other such attacks on the web sites of groups and persons to which the theocratic regime is hostile in the years since then. (An extensive program of Internet entrapment of queers by agents of the dreaded Basiji, the thuggish parapolice who enforce morality under the control of the clergy and the Interior Ministry, has also been under way since the election of Ahmadinejad, and I've interviewed some of those entrapped, who were tortured and forced to reveal the names of other queers they knew.
Roughly four weeks ago, a much-intensified campaign of disruption of both electronic and telephonic communications, aimed at the democratic opposition in Iran, began. I experienced this first hand two weeks ago when interviewing two Iranians by telephone: both conversations were suddenly terminated iin mid-sentence when the name of Ahmadinejad was mentioned critically.
The use of a front group created by the Ahmadinejad regime for the purpose of attacking an American Internet company to shield the regime from being held responsible for the attack is the most likely origin of the "Iranian Cyber Army" attack on Twitter. Anyone interested in reading my latest report on Iran, published December 10 and headlined "Twelve Men Face Execution for Sodomy in Iran," which includes a long interview with an Iranian university student queer activist, may click on
DOUG IRELAND (International Affairs Editor, Gay City News, NYC)

December 19, 2009 | Unregistered CommenterDoug Ireland

One might mention that Austin Heap is not only one of the most prominent #Iran #humanrights (#iranelection) activists on Twitter but, also, one of the most respected. His total dedication to the freedom and human rights of Iranians, in those early days, made a significant difference to their well-being.

Austin has had an important impact on the ability of Iranians to let their in-country compatriots and the rest of the world keep up with what is happenning there.

He did all this while, also, having to throw together a 501 (c) 3, raise funds through PayPal, buy equipment and put together a trustworthy team of helpers.

If there is no appropriate prize for his contributions, this year, he should at least get to know that he is beloved by those around the world who recognize his sacrifices for the cause of human rights and media freedom.

December 19, 2009 | Unregistered Commenter808lika

[Deleted by moderator]

December 23, 2009 | Unregistered CommenterJamshid

[Deleted by moderator]

December 23, 2009 | Unregistered CommenterJamshid

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>