New York Times hacked, Syrian Electronic Army suspected

closeup of computer keys

The New York Times website,, was hacked Tuesday, the site down for a second time in two weeks, with a group known as the Syrian Electronic Army believed to be behind Tuesday's hack, as well as an attack on short-messaging blog Twitter.

The attack on one of the nation's major media organizations comes as the United States weighs how and where to penalize Syrian President Bashar al-Assad and his military for using poison gas on his countrymen.

Mark Frons, chief information officer of The New York Times, issued a statement saying the disruption "was the result of a malicious external attack by the Syrian Electronic Army or someone trying very hard to be them." 

The Syrian Electronic Army, an online group that supports al-Assad, took responsibility for the attack. Officials told NBC News that the FBI is "aware of the hack and is looking into it."

The group may have used "spearphishing" to help it gain access to the Times' website. The approach, part social engineering, part hacker know-how, can involve tricking a targeted individual to open an attachment in an email, for example, an attachment that could unleash malicious code or carry out another nefarious action.

Frons advised employees to "be careful when sending email communications until the situation is resolved."

Meanwhile, at about 7:35 p.m. ET, on Twitter, the Times offered readers an alternate website where readers could find Times news stories until its regular site is back up.

NBC News terrorism analyst Roger Cressey said that journalism websites are notoriously vulnerable, but "it is very interesting that this is timed for a period when the U.S. is considering a military attack on Syria."

Matt Johansen, head of the Threat Research Center at WhiteHat Security, said on Twitter that the New York Times website attack did link to the Syrian Electronic Army, that the website's domain name server was "pointing to an SEA name server." 

The group also claimed credit for an attack on the Huffington Post UK's site, and for hacking into Twitter's registry account and changing information there. The short messaging blog has about 200 million users worldwide, with 70 percent of user accounts based outside the United States. Twitter's corporate offices are in San Francisco.

In a statement issued at about 7 p.m. ET, Twitter said it appears that for nearly two hours, records "for various organizations were modified, including one of Twitter's domains used for image serving,"

"Viewing of images and photos was sporadically impacted," and "the original domain record for was restored. No Twitter user information was affected by this incident."

Meanwhile, the SEA posted this on Twitter earlier to brag about its exploit:

The Times had similar website problems Aug. 14, but they were resolved relatively quickly, and problems were believed to be tied to an internal issue. On Tuesday, after the site had been inaccessible for about 90 minutes, the Times tweeted:

After its tweet about the site being down, the Times went on to say this, giving readers another website where to read its latest story about Syria:

The Syrian Electronic Army has made it a point and a pattern this year to attack U.S. media outlets, as well as those in Britain, mainly by taking over those organizations' Twitter accounts for a brief time, as well as the kind of website attack experienced by the Times Tuesday.

On Aug. 15, the Washington Post's website was hacked for about 30 minutes, with some readers redirected to the website of the Syrian Electronic Army. The SEA also took credit for hacking the Twitter account of news organization Thomson Reuters in late July, as well as the Twitter feeds of the U.K.'s Guardian newspaper, Daily Telegraph, Financial Times and ITV, Britain's largest free-to-air commercial broadcaster and an NBC News partner.

Last April, the SEA took control of the Associated Press' official Twitter feed, and sending out a false message about two explosions at the White House and injury to the president.

The fake tweet was quickly exposed, but not before it caused a sudden 140-point drop in the Dow Industrial Average.

The group moved from defacing websites to more aggressive activities this year, Helmi Noman, Senior Researcher with Citizen Lab, University of Toronto, told NBC News last spring. And in a 2011 paper Noman, who has tracked the SEA for years, wrote that, "Although we have no concrete evidence linking the SEA to the Syrian regime ... the fact that the group is able to operate with impunity over Syrian networks, shows at least tacit support for their activities."

Update, 5:30 p.m. ET Aug. 28: The New York Times said the group behind the attack went after the TImes' domain name registrar, Melbourne IT, in Australia.

"The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again," the newspaper reported. "Shortly after 6 p.m., Mr. Frons said that 'we believe that we are on the road to fixing the problem.' " There are some reports Wednesday that some users are still having difficulty accessing the site.

MelbourneIT has tracked the breach to an Indian Internet service provider, Reuters reported, "saying two staff members from one of their resellers opened a fake email seeking login details." The attack was quite "sophisticated," Melbourne IT CEO Theo Hnarakis told the news agency.

Dave Jevans, founder and chief technology officer of Marble Security, a cloud-based mobile security service, told NBC News Wednesday that almost all recent similar kinds of attacks have started with spearphishing emails "to one or a handful of employees inside a company or its IT suppliers.

"These emails often claim to be from the employee's IT department, or from internal human resources," he said. "These emails look so authentic, that employees often fall for them. In this case, instead of directly attacking the employees or website of, the attackers sent an email to their domain name registrar, Melbourne IT. A domain name registrar is the company where you register your Web domain name, and specify the Internet numeric address of which server in the world to send users of your website to. The attackers went in and changed that to point to their own server."

Jevans said companies that are Domain Name System registrars, or providers, "should be using so-called 'two factor authentication' for employees, and should offer it to their customers."

The two-factor system "requires a username, password and also a text message that is sent to the user's mobile phone," he said. "That way, even if an employee falls for a spearphishing email, and gives his or her password to an attacker, they won't be able to take over the account unless they have also physically stolen the employee's mobile phone. Companies like banks, Twitter and Google use this to keep attackers out. DNS providers should too."

MelbourneIT told Reuters it has restored the correct domain name settings, changed the password on the compromised account, and locked the records to prevent further alterations.

Robert Windrem and Richard Esposito of NBC News contributed to this report.