This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html

The article has changed 7 times.

Version 3

Newspaper Sites Attacked by Hackers

The Web site and several Twitter accounts belonging to The Financial Times were hacked on Friday by the Syrian Electronic Army in a continuing campaign that has aimed at an array of media outlets ranging from The Associated Press to the parody site The Onion, according to a claim by the so-called army.

The Syrian Electronic Army said it seized control of several F.T. Twitter accounts and amended a number of the site’s blog posts with the headline “Hacked by Syrian Electronic Army.” Hackers used their access to the F.T.'s Twitter feed to post messages, including one that said, “Syrian Electronic Army Was Here,” and another that linked to a YouTube video of an execution. Both messages were quickly removed.

A Financial Times spokeswoman, Ryann Gastwirth, confirmed by e-mail that several of its Twitter accounts and one FT blog were compromised by hackers Friday morning and that it had secured the accounts.

Hacking has been an increasingly pernicious problem over the last year. The New York Times said its Web site “was subjected to denial of service attacks,” earlier this week, “which made it temporarily unavailable to a small number of users.”

In a so-called distributed denial-of-service attack, hackers try to overwhelm a site’s servers with traffic, an assault that can disrupt or block service altogether. The New York Times did not say where the attacks had originated.

The attack against the F.T. follows dozens of other Syrian Electronic Army attacks on the social media accounts of news outlets including The Guardian, the BBC, NPR, Reuters and The Associated Press. In The A.P. attack, the group used its access to the agency’s Twitter feed to plant a false story about explosions at the White House that sent the stock market into temporary free fall.

Researchers who have been conducting digital forensics on these attacks say they are done through so-called spearphishing, in which attackers send e-mails that contain a link to a fake news article to employees at their target organization.

Once clicked, the link redirects employees to a fake Google or Microsoft mail site that asks the employee for their user name and password. The hackers then use that information to get inside employees’ inboxes, where they can send more e-mails to employees who have access to the organization’s social media accounts, then use that access to reset the organization’s password to their Twitter account.

In the attack on The A.P., a hacker who identifies himself as “Th3 Pr0” and a member of the Syrian Electronic Army said in an e-mail that the group convinced 50 A.P. employees to hand over their login credentials, including several of the organization’s social media editors. The hacker sent screenshots taken during the attack to prove the Syrian group was behind it, an assertion researchers confirm.

Security researchers who have been tracking the group since its inception in early 2011 have traced several of the attacks to a Web server in Russia that they believe redirects attack traffic from within Syria. Last weekend, one researcher traced an attack back to an Internet address in Syria that is registered to Syriatel, the Syrian telecommunications company owned by Rami Makhlouf, a first cousin of the Syrian president, Bashar al-Assad.

Activists point to that connection as proof that the Syrian Electronic Army is backed by the Assad regime, an assertion that members deny.

In an e-mail, Th3 Pr0 said the Syrian Electronic Army has two seemingly contradictory missions. The first is to “attack the media and spread truth on it” and the second is to “make damage to a specific country or to the terrorist groups in Syria by using the famous media’s social media accounts or Web sites to publish false news.”

Meanwhile, the Syrian Electronic Army itself became a hacking target this week. Anonymous, the loose hacking collective, took the group’s Web site offline in a type of digital attack called a distributed denial of service, or DDoS, in which they flood the site with traffic until it collapses under the load.

Version 4 (about 3 hours later)

Newspaper Sites Attacked by Hackers

It’s the question of the moment inside the murky realm of cybersecurity: Just who or what is the Syrian Electronic Army?

The hacking group that calls itself the S.E.A. struck again on Friday, this time breaking into the Twitter accounts and blog headlines of The Financial Times. The attack was part of a crusade that has targeted dozens of media outlets as varied as The Associated Press and The Onion, the parody news site.

But just who is behind the S.E.A.’s cybervandalism remains a mystery. Paralleling the group’s boisterous, pro-Syrian government activity has been a much quieter Internet surveillance campaign aimed at revealing the identities, activities and whereabouts of the Syrian rebels fighting the government of President Bashar al-Assad.

Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers. It’s a high-stakes search. If researchers prove the Assad regime is closely tied to the group, foreign governments may choose to respond because the attacks have real-world consequences. The S.E.A. nearly crashed the stock market, for example, by planting false tales of White House explosions in a recent hijacking of The A.P.’s Twitter feed.

The mystery is made more curious by the belief among researchers that the hackers currently parading as the S.E.A. are not the same people who started the pro-Assad campaign two years ago.

Experts say the Assad regime benefits from the ambiguity. “They have created extra space between themselves and international law and international opinion,” said James A. Lewis, a security expert with the Center for Strategic and International Studies.

The S.E.A. emerged during the Syrian uprisings in May 2011, they said, to offer a pro-Assad counternarrative to news coming out of Syria. In speeches, Mr. Assad likened the S.E.A. to the government’s own online security corps, referring to the group as “a real army in a virtual reality.”

In its early incarnation, researchers said, the S.E.A. had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers. Several early members belonged to the Syrian Computer Society, a technical organization run by Mr. Assad before he became president. Until last month, digital records suggest, the Syrian Computer Society still ran much of the S.E.A.’s infrastructure. In April, a raid of S.E.A. Web domains revealed that the majority were still registered to the society.

S.E.A. members initially created pro-Assad Facebook pages and spammed popular pages like President Obama’s and Oprah Winfrey’s with pro-Syrian comments. But by the fall of 2011, S.E.A. activities had become more premeditated. They defaced prominent Web sites like Harvard University’s with pro-Assad messages, in an attack a spokesman characterized as sophisticated.

At some point, the S.E.A.’s crucial players disappeared and a second crop of hackers took over. The current group consists of roughly a dozen new actors led by hackers who call themselves “Th3 Pr0” and “The Shadow” and function more like Anonymous, the loose hacking collective, than a state-sponsored brigade. In interviews, people who now identify as the S.E.A. insist they operate independently from the Assad regime. But researchers who have been following the group’s digital trail aren’t convinced.

“The opportunity for collaboration between the S.E.A. and regime is clear, but what is missing is proof,” said Jacob West, a chief technology officer at Hewlett-Packard. As governments consider stronger responses to malicious cyberactivity, Mr. West said, “the motivation for Syria to maintain plausible deniability is very, very real.”

Long before the S.E.A.’s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like “Dark Comet” and “BlackShades” sending information back to Syria’s Ministry of Communications. The software, which tracked a target’s location, read e-mails and logged keystrokes, disguised itself as an encryption service for Skype, a program used by many Syrian activists.

Mr. Marquis-Boire has uncovered more than 200 Internet Protocol addresses running the spyware. Some were among the few kept online last week during an Internet disruption in Syria that the government blamed on a “technical malfunction,” but experts described as a systematic government shutdown.

S.E.A. members deny spying on Syrian civilians. “We didn’t do that and we will not,” the hacker who identifies himself as Th3 Pr0 wrote in an e-mail. “Our targets are known,” he wrote, referring to the group’s public Twitter attacks. Researchers have tracked several of those attacks — including that on The Onion and another against Human Rights Watch in March — to a server in Russia, which they believe is redirecting attacks from Syria. Last weekend, researchers traced one attack back to a Syrian I.P. address registered to Syriatel, a telecommunications company owned by Rami Makhlouf, Mr. Assad’s first cousin.

Dissidents say that connection is proof the S.E.A. is backed by the Assad regime and claim that the Twitter attacks are just the outward-facing component of a deeper surveillance campaign.

“There is no doubt they are the same,” said Dlshad Othman, a Syrian in Washington who helps dissidents get rid of the spyware.

The smoking gun, Mr. Othman and others say, was an S.E.A. attack last year on Burhan Ghalioun, a Syrian opposition leader. Shortly after Mr. Ghalioun’s Facebook page was hacked, it began serving spyware to fans. Mr. Ghalioun’s e-mails also showed up on a S.E.A. leak site.

The other potential link, they say, is a list of opposition leaders that surfaced in July, after S.E.A. members boasted they could help the regime quickly search for the names of opponents. Mr. Othman said the boasts were proof the S.E.A. worked with the regime and kept tabs on dissidents.

Ironically, that opposition search most likely led to the S.E.A.’s internal shake-up. Activists say encryption on the document was cracked, and in July it popped up on Pastebin, a Web site for anonymous postings.

“There was a view that the government blamed the S.E.A. for the leak,” said John Scott-Railton, a Citizen Lab research fellow.

In the days that followed, Facebook accounts for known S.E.A. members went dark. S.E.A. aliases that researchers had been tracking suddenly vanished. New members with different monikers assumed the group’s name. Researchers say the hackers behind the recent spate of Twitter hacks are far less organized.

Outside Syria, the Twitter attacks made people take note of the S.E.A. But inside Syria, they barely registered. Dissidents there are more concerned with the mounting spyware infections and imprisonments. And researchers have seen the spyware tracking a new target: aid workers.

“The Syrian opposition are quite paranoid and aware of the stakes,” Mr. Marquis-Boire said. “But then you get foreign aid workers who show up to do good work, but are not as paranoid about their operational security.”

“It’s a smart move if you think about it,” he added.

This article has been revised to reflect the following correction:

Correction: May 17, 2013

An earlier version of this article referred incorrectly to a representative of The Financial Times, Ryann Gastwirth. She is a spokeswoman, not a spokesman.
