Several domains, including New York Times and Twitter domains, attacked by Syrian Electronic Army

August 27, 2013  |  Jaime Blasco

During the last few hours, several domains, including that of The New York Times, have been redirected to a Syrian Electronic Army server. Here is the list of domains pointing to that server:

The list includes nytimes.com as well as some Twitter domains such as twimg.com. The whois data for twimg.com shows the following:

Domain Name………. twimg.com
Creation Date…….. 2008-09-23
Registration Date…. 2010-07-04
Expiry Date………. 2014-09-23
Organisation Name…. Twitter, Inc.
Organisation Address. 1355 Market Street
Organisation Address. Suite 900
Organisation Address.
Organisation Address. San Francisco
Organisation Address. 94103
Organisation Address. CA
Organisation Address. UNITED STATES

Admin Name……….. SEA SEA
Admin Address…….. SEA
Admin Address…….. Suite 900
Admin Address……..
Admin Address. San Francisco
Admin Address…….. 94103
Admin Address…….. CA
Admin Address…….. UNITED STATES
Admin Email………. sea@sea.sy
Admin Phone………. +1.4152229670
Admin Fax………… +1.4152220922

Tech Name………… SEA SEA
Tech Address……… 1355 Market Street
Tech Address……… Suite 900
Tech Address………
Tech Address……… San Francisco
Tech Address……… 94103
Tech Address……… CA
Tech Address……… UNITED STATES
Tech Email……….. sea@sea.sy
Tech Phone……….. +1.4152229670
Tech Fax…………. +1.4152220922
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com

It is very likely that the registrant for those domains has been compromised, since the whois record for nytimes.com also shows the following:

Domain Name………. nytimes.com
Creation Date…….. 1994-01-18
Registration Date…. 2011-08-31
Expiry Date………. 2014-01-20
Organisation Name…. SEA
Organisation Address. 620 8th Avenue
Organisation Address.
Organisation Address.
Organisation Address. New York
Organisation Address. 10018
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name……….. SEA SEA
Admin Address…….. SEA
Admin Address…….. 620 8th Avenue
Admin Address……..
Admin Address. Syria
Admin Address…….. 10018
Admin Address…….. SY
Admin Address…….. SYRIAN ARAB REPUBLIC
Admin Email………. sea@sea.sy
Admin Phone………. +1.2125561234
Admin Fax…………

Tech Name………… NEW YORK TIMES DIGITAL
Tech Address……… 229 West 43d Street
Tech Address………
Tech Address………
Tech Address……… New York
Tech Address……… 10036
Tech Address……… NY
Tech Address……… UNITED STATES
Tech Email……….. hostmaster@NYTIMES.COM
Tech Phone……….. +1.2125561234
Tech Fax…………. +1.1231231234
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com
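
A defender-side check for the kind of change visible in the two whois records above, as an added example that is not part of the original post: it parses the dotted-leader layout and compares name servers, contact e-mail domains and the organisation name against a baseline kept by the domain owner. The sample record, the example.com names and the baseline values are constructed for illustration.

```python
import re

# Matches the "Field....... value" layout of the whois records quoted above;
# the leader may be ASCII dots or the ellipsis characters seen in the page text.
LINE = re.compile(r"^([A-Za-z ]+?)\s*[.\u2026]+\s*(.*)$")

# Constructed sample record (not real whois data) in the same layout.
SAMPLE = """\
Domain Name………. example.com
Organisation Name…. Changed Org
Admin Email………. someone@unexpected.example
Admin Fax…………
Tech Email.......... hostmaster@EXAMPLE.COM
Name Server………. ns1.unexpected.example
Name Server………. ns2.unexpected.example
"""
# Assumed baseline: what the domain owner expects the record to contain.
BASELINE = {
    "organisation": "Example Corp",
    "name_servers": {"ns1.example.com", "ns2.example.com"},
    "contact_domains": {"example.com"},
}

def parse_whois(text):
    """Return {field: [values]}, keeping repeated fields and skipping empty ones."""
    record = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2):
            record.setdefault(m.group(1), []).append(m.group(2).strip())
    return record

def audit(record, baseline):
    """Compare a parsed record with the baseline; return (kind, values) findings."""
    findings = []
    ns = {n.lower().rstrip(".") for n in record.get("Name Server", [])}
    if ns - baseline["name_servers"]:
        findings.append(("name-server", sorted(ns - baseline["name_servers"])))
    for field in ("Admin Email", "Tech Email"):
        for addr in record.get(field, []):
            if addr.rsplit("@", 1)[-1].lower() not in baseline["contact_domains"]:
                findings.append((field.lower().replace(" ", "-"), [addr]))
    org = record.get("Organisation Name", [""])[0]
    if org != baseline["organisation"]:
        findings.append(("organisation", [org]))
    return findings

if __name__ == "__main__":
    for kind, values in audit(parse_whois(SAMPLE), BASELINE):
        print(kind, values)
```

Run on a schedule against fresh whois output, any finding is a reason to check the registrar account before DNS caches pick up the change.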

We will keep you up to date once we discover more information about how the Syrian Electronic Army took over the domain names.

Stay safe!

Update:

It seems other domains, such as huffingtonpost.co.uk and twitter.co.uk, were also affected:

Rdata results for ANY/ns1.syrianelectronicarmy.com.

Returned 6 RRs in 0.02 seconds.

sea.sy. NS ns1.syrianelectronicarmy.com.
twitter.co.uk. NS ns1.syrianelectronicarmy.com.
huffingtonpost.co.uk. NS ns1.syrianelectronicarmy.com.
twimg.com. NS ns1.syrianelectronicarmy.com.
nytimes.com. NS ns1.syrianelectronicarmy.com.
sharethis.com. NS ns1.syrianelectronicarmy.com.
