Twitter hijacked by 'Iranian cyber army'

Hackers hijacked the Web site of micro-blogging community Twitter early Friday, briefly redirecting users to a Web page for a group calling itself the "Iranian Cyber Army."

The attackers apparently were able to redirect Twitter users by stealing the credentials needed to administer the domain name system (DNS) records for Twitter. DNS servers act as a kind of phone book for Internet traffic, translating human-friendly Web site names into the numeric Internet addresses that are easier for computers to handle.


"Twitter's DNS records were temporarily compromised but have now been fixed," the company said in a brief statement on its Web site. "We are looking into the underlying cause and will update with more information soon."

Twitter's DNS service is provided by Manchester, N.H.-based Dyn Inc. Tom Daly, chief technology officer at Dyn, said the incident was not the result of a security failure on its services. Daly said it appears someone changed Twitter's DNS records to point visitors to a different Internet address using the proper account credentials assigned to Twitter (image above courtesy Trend Micro).

"Someone logged in who purported to be a legitimate user of their [DNS] platform account and started making changes," Daly said. "It was not a failing on our systems whatsoever."

Daly told Security Fix that the redirection lasted about 90 minutes.

"We had seen some interesting activity coming in, and said 'Hmm, there's something going on here,'" Daly said. "As soon as we detected what the issue was, we snapped into action and contacted Twitter."

It remains unclear how the user name and password needed to change Twitter's DNS records were intercepted. There are a number of possible explanations, but perhaps the most likely is that a Twitter administrator with authorized access to those credentials had his or her e-mail account hijacked. Security Fix will update this post in the event that more information becomes available.
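The check a zone owner would want after an incident like this one, as an added example that is not code from the article, Twitter or Dyn: pin the records the zone should answer with and alert when a lookup disagrees. The zone names, prefixes and answers below are constructed; a live version would feed it the values returned by a resolver query.

```python
import ipaddress

# Constructed baseline for a hypothetical zone (not Twitter's or Dyn's real data).
# A/AAAA values are allowed prefixes, since CDNs rotate addresses inside known
# blocks; NS and CNAME values must match exactly, because a rewritten delegation
# or alias is how visitors end up at someone else's server.
BASELINE = {
    ("example.test.", "A"): {"198.51.100.0/24"},
    ("example.test.", "NS"): {"ns1.provider.test.", "ns2.provider.test."},
    ("www.example.test.", "CNAME"): {"example.test."},
}
PREFIX_TYPES = {"A", "AAAA"}

def _norm(name):
    """DNS names compare case-insensitively and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def _allowed(rtype, expected, value):
    if rtype in PREFIX_TYPES:
        return any(ipaddress.ip_address(value) in ipaddress.ip_network(p) for p in expected)
    return _norm(value) in {_norm(e) for e in expected}

def check_answers(baseline, answers):
    """Compare observed answers {(name, type): [values]} with the baseline.
    Returns (name, type, severity, detail) tuples: any value outside the pinned
    set is 'high' (traffic may be redirected); a vanished pinned value, an empty
    answer, or a record type the zone never pinned is 'medium'."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = answers.get((name, rtype), [])
        bad = sorted(v for v in seen if not _allowed(rtype, expected, v))
        if bad:
            findings.append((name, rtype, "high", "unexpected: " + ", ".join(bad)))
        if not seen:
            findings.append((name, rtype, "medium", "no answer"))
        elif rtype not in PREFIX_TYPES:
            gone = {_norm(e) for e in expected} - {_norm(v) for v in seen}
            if gone:
                findings.append((name, rtype, "medium", "missing: " + ", ".join(sorted(gone))))
    for name, rtype in answers:
        if (name, rtype) not in baseline and any(n == name for n, _ in baseline):
            findings.append((name, rtype, "medium", "unpinned record type present"))
    return findings

# Constructed answers mimicking a rewritten zone: the apex now resolves into a foreign prefix and one name server has been swapped out.
HIJACKED = {
    ("example.test.", "A"): ["203.0.113.7"],
    ("example.test.", "NS"): ["ns1.provider.test.", "ns1.elsewhere.test."],
    ("www.example.test.", "CNAME"): ["example.test."],
}
```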

By Brian Krebs  |  December 18, 2009; 2:00 PM ET
Categories:  Latest Warnings  


We should retaliate by redirecting the traffic for the Iranian government's homepage to Bernie Goldman's Discount Dreidels website.

Posted by: ozpunk | December 18, 2009 2:36 PM | Report abuse

Criminals could do this to a bank site and steal account passwords, couldn't they? Customers could be redirected to a bogus site that looks identical and enter their name and password like nothing was wrong.

Posted by: lconkestdr | December 18, 2009 2:46 PM | Report abuse

@iconkestdr -- they can and they have. about this time last year, I broke a story about criminals hijacking the domain name records of

Posted by: BTKrebs | December 18, 2009 2:49 PM | Report abuse

in fact, probably no such animal as Iran Cyber Army.. and hacker could be a hundred different parties, from governments (USA, china, russia, Cuba) to organized crime to nerdy tech students (quiet Jimmy in 6th grade who never says a word in class but is the school genius). even Dear North Korea. but if one can hack Twitter, it shows that other sites can be hacked with relative ease. heck, old Sarah Palin might even be doing hacking on the side prior to creating a fake McCain twitter page, or a fake Biden homepage... the possibilities are endless! twitter away, my little hummingbird!

Posted by: RoguesPalace | December 18, 2009 3:25 PM | Report abuse

This is a big story, but a high profile site like Twitter corrects its DNS entries within a couple of hours. The bigger story is the many millions of consumer computers with DNS compromised by stealthy malware that persists for days, weeks, months. Brian wrote about this back in January.

Posted by: rdickenson | December 18, 2009 3:37 PM | Report abuse

At some point, we're really gonna get irritated with Iran. I hope we have a President that isn't re-directed to the wrong country. Again.

Posted by: bgreen2224 | December 18, 2009 3:47 PM | Report abuse

Any Theocratic Government is Our Natural Enemy.
Separation of Church and State is Our Mandate and for really good reasons. Most of which slide over the heads of these sanctimonious demigods. Who are lost in a call to Allah, that I find false when it includes participating in any government.
Why do we act as Hessians and fight Shias. Supporting any theocratic body of men that believe God reports directly to them is a sham as we know and they have to find it out for themselves.

Posted by: thomascanada | December 18, 2009 4:00 PM | Report abuse

In response to RoguesPalace: You know better. In point of fact, every Middle Eastern terrorist group on the planet is operating out of ARAMCO in Houston. I reported a terrorist cell operating in my home city 14 years BEFORE the OKC Murrah Bombing and no one did a thing. Now, with all that has been published -- and today's headlines concerning terrorist webs/cells and not only internet hacking but drug trafficking -- all that I tried to alert state and federal agencies has come to pass and has been profiled in the back of the 9/11 Commission Report. They are still running loose in this city, happy as little larks over the complacency of American security agencies and their cronies blatancy. There are no crimes on any financial or sociological level these terrorists have missed, including operating out of homeless shelters and the affiliated agencies.

Posted by: HeartfeltConcernedMom | December 18, 2009 4:45 PM | Report abuse

What's wrong with taking down Twitter?

Posted by: Garak | December 18, 2009 5:09 PM | Report abuse

We really haven't seen a response indicating how this can be prevented going forward. Protecting something like DNS behind only id and password authentication was bound to eventually fail, and yet that is all that most managed providers do.

When is Twitter going to move their name servers in house?

Posted by: Prefect | December 18, 2009 6:48 PM | Report abuse

Twitter's IT people are fools. DNS should be run in-house, not outsourced.

Posted by: AlbyVA | December 18, 2009 8:41 PM | Report abuse

So now it appears that the "Iranian Cyber Army" is operating out of Tel Aviv. This attack didn't do anything to benefit Iran, but it's been a great propaganda tool for the Israelis.

Posted by: brattykathyi1 | December 19, 2009 8:10 AM | Report abuse

@ brattykathy1:

Just did a google search. Found no confirmation of this assertion. Documentation, please!

Posted by: featheredge99 | December 19, 2009 11:39 PM | Report abuse


Hear, hear!! They deserve a Webbie. Best cyberattack of the year!

Posted by: featheredge99 | December 19, 2009 11:42 PM | Report abuse

In the old west, the saying was: "He who owns the gold makes the rules."

In the Internet age, it's: "He who owns the DNS makes the rules."

Posted by: db16 | December 20, 2009 2:39 PM | Report abuse


Some elementary school kids most likely -- they like gmail too !!!

Posted by: | December 21, 2009 3:39 AM | Report abuse

Maybe they are also guitar heroes LOL.

Posted by: | December 21, 2009 3:42 AM | Report abuse

" Daly said. "It was not a failing on our systems whatsoever."
HOW is it not a failing of their system whatsoever?? Hey, Daly, if they get in YOU are failing!!
Time to face responsibility for inadequate cyber protection!!

Posted by: EZReader1 | December 21, 2009 12:41 PM | Report abuse

Sorry Daly, it ABSOLUTELY is a failing of your security. When you have a major site like Twitter as a customer, you should have configured their account to require verbal authentication or a call-back to a known telephone number at Twitter's office.

Twitter and Daly are BOTH fools for relying on only a username and password to protect their entire business.

Posted by: sw11231 | December 22, 2009 11:25 AM | Report abuse


© 2010 The Washington Post Company