Updates at bottom of story
The infamous group of hackers that supports embattled Syrian President Bashar al-Assad has apparently taken control of Qatar’s .QA domain name and shut down numerous high-profile websites.
Starting at about 1.54am local time, the Syrian Electronic Army shared this message on Twitter:
Qatar is #down
— SyrianElectronicArmy (@Official_SEA16) October 18, 2013
Following that, they went about switching off government and private websites using the .QA extension, including those of the Ministry of Interior, the Supreme Education Council and the Emiri Diwan, and even Google.com.qa.
The domains are managed by Qatar’s Ministry of Information and Communication (ictQatar). Apparently, the Syrian Electronic Army gained access to ictQatar’s Domains.qa registrar and was able to shut down everything from there.
At 9:30am on Saturday, none of the websites they listed had resumed functioning normally, although instead of showing the smiling face of Syria’s president, visitors to the sites now see a “CPU Limit Reached” error.
Some .QA websites are working, though, including the Olympic Committee and the Meteorology Department.
Typically, companies are able to regain control of their websites a few hours after such attacks.
The Syrian Electronic Army has repeatedly targeted Qatar because of its support of rebels inside Syria and calls for President Al-Assad to resign.
In April of this year, they hacked FIFA’s Twitter accounts and used them to accuse Qatar of buying the 2022 World Cup. The month before, SEA hackers took over Qatar Foundation’s social media accounts and last year also hacked Al Jazeera.
Updates
Oct. 19 | 11:33am:
Websites are starting to come back online, but not all. The Ministry of Interior and Qatar Exchange are now working, as are Ooredoo, Vodafone, Ministry of Foreign Affairs and Al Jazeera Finance.
Others, including the Supreme Education Council, Google and Facebook’s local sites, and the government e-services site Hukoomi are still offline.
Oct. 19 | 12:10pm:
Google.com.qa is working again, too. Not everyone is able to access all of the sites yet, though, as it can take time for the updated Domain Name System (DNS) data to reach all servers.
Oct. 19 | 3:29pm:
Most, if not all, of the websites that were taken down by the SEA appear to be back online now. Are there any websites you’re not able to access?
Have you been affected?
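An added example (not from the article or its comments) of the defensive side of the incident the updates describe: comparing what several resolvers return for a monitored domain against a baseline recorded in advance, so that a registrar-level change of nameservers shows up as a hijack, and disagreement between resolvers shows up as the propagation window mentioned above. All domain names, nameservers and addresses below are constructed.

```python
from typing import Dict, List, Set, Tuple

# Baseline the zone operator records in advance: expected delegation (NS)
# and expected web addresses (A) per monitored domain. Constructed values.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "ministry.example.qa": {"ns": {"ns1.reg.example", "ns2.reg.example"},
                            "a": {"203.0.113.10"}},
    "exchange.example.qa": {"ns": {"ns1.reg.example", "ns2.reg.example"},
                            "a": {"203.0.113.20", "203.0.113.21"}},
}

# One observation = (resolver name, NS set it returned, A set it returned).
Observation = Tuple[str, Set[str], Set[str]]


def check_observation(domain: str, obs: Observation) -> List[str]:
    """Return the deviations a single resolver's answer shows for a domain."""
    expected = BASELINE[domain]
    _, ns, a = obs
    issues = []
    if ns != expected["ns"]:
        # Delegation replaced: the signature of a registrar-level takeover.
        issues.append("ns-changed")
    if not a <= expected["a"]:
        # Site resolves to an address that is not on the recorded list.
        issues.append("a-unexpected")
    return issues


def classify(domain: str, observations: List[Observation]) -> str:
    """ok: all resolvers match the baseline; hijacked: none do;
    mixed: resolvers disagree, i.e. a change (attack or repair) is
    still propagating and some servers hold stale data."""
    deviating = [o[0] for o in observations if check_observation(domain, o)]
    if not deviating:
        return "ok"
    if len(deviating) == len(observations):
        return "hijacked"
    return "mixed"


def audit(observed: Dict[str, List[Observation]]) -> Dict[str, str]:
    """Verdict per baseline domain; 'no-data' when nothing was observed."""
    return {d: classify(d, observed[d]) if observed.get(d) else "no-data"
            for d in BASELINE}


# Constructed observations: one domain repaired on every resolver, the other
# still showing attacker nameservers on one resolver (propagation in progress).
SAMPLE = {
    "ministry.example.qa": [
        ("resolver-a", {"ns1.reg.example", "ns2.reg.example"}, {"203.0.113.10"}),
        ("resolver-b", {"ns1.reg.example", "ns2.reg.example"}, {"203.0.113.10"}),
    ],
    "exchange.example.qa": [
        ("resolver-a", {"ns1.reg.example", "ns2.reg.example"}, {"203.0.113.20"}),
        ("resolver-b", {"ns1.attacker.example", "ns2.attacker.example"}, {"198.51.100.7"}),
    ],
}
```

Running `audit(SAMPLE)` yields "ok" for the first domain and "mixed" for the second; a "mixed" verdict after a repair is the expected propagation lag, while "mixed" with no change on record is an alert.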
When Q-CERT was being set up, OISSG held a security conference at the Ritz-Carlton, where I had the pleasure of chatting with the people who were protecting Qatar’s internet security. I was not impressed.
The local side of the operation were non-specialists from the police and Qtel. Nice blokes, just not the right people. The Westerners were more interested in enabling Qatar’s obsession with porn-blocking than identifying threats. Much of the management’s time on the platform was spent discussing how Qatari children should be able to search for an image of a “falcon” without seeing results for the porn actress of the same name.
The only way they can stop little Qataris accessing stuff their parents or the government deems unsuitable is to shut down access to the web totally. Most kids 5 and above can get around the pathetic blocking attempts employed here.
What they need to take more seriously is external attacks. Qatar wants to be a world player and that brings certain risks with it. Time to be prepared.
I did mention to them that they should just pay Google to block porn, rather than wasting their time building an ineffective system of their own. However, Google was seen as the problem, not the solution, and as I was gate-crashing the conference I didn’t want to annoy anyone before I’d had my free lunch, which was delicious.
Also, one other thing I thought was memorable. The majority of the police attached to internet crime were Pakistani, but had been told to wear thobes rather than their uniform to attend the conference. I don’t know why.
Qatar does excel in excellent lunches, so I appreciate your dilemma.
Nobody taught them about something called “parental control” that you can switch on on your home PC…?
The kids know how to circumvent that…
DDoS protection coupled with a better, deeper understanding of IT security threats and what to look out for might have gone a long way in preventing this. Looks like a basic Layer 7 compromise, considering the admin panel seems to have been accessed using credentials (either through remote access/trojan or simple social engineering techniques).
It seems the .qa domain servers were compromised, which has redirected the sites.
How is DDoS protection relevant to this story?
More often than not, those suites have intrusion protection and other countermeasures built in. As said above, it looks like a phishing or social engineering effort. Most on-premise DDoS suites can detect this activity, not just brute force ICMP or traffic attacks.
So you are assuming that there are no firewalls/application proxy gateways sitting in front of the DNS servers? That seems extremely unlikely.
In reality there is very little that on-premise devices can do against a true large-scale DDoS attack; application-proxy gateways and multiple UTMs with IPS utilising anomaly-based detection and session disruption do nothing but delay the inevitable. Only the ISP is truly positioned to do anything about it, and quite often they fail to succeed also. However, this is off-topic, as this incident has nothing to do with DDoS.
This compromise is likely the result of a zero-day application attack or, if legitimate credentials were captured, a successful phishing exercise.
I doubt the admin panel is even in the same IT environment (it looks off the shelf). It’s WAN-side, not in their LAN. They should have had better access methods or closed IP access rules that could only have been changed from requests within their environment.
“should have had better access methods or closed IP access rules that could have only been changed from requests within their environment” – a zero-day attack on one of the PCs within that environment would have got around that, or simple IP spoofing or a man-in-the-middle attack…
Where there is will there is a way.
Millions spent on security consultants & auditors here, yet this happens! It could have been a more sinister scenario if domain names had been made to point to fake sites; loads of personal data could have been harvested!
The problem, often, is auditors, pals of pals, and the most inexperienced people brought on…
Qatar Airways website was having issues with bookings & then privilege club sign-in. I wonder if that was related. Anyone know?
@ngourlay I completely agree with you, and I’ve had the opportunity to meet some of them as well.
The attack is more of a DNS redirection than hacking the site(s) itself. Anywho, it’s all a learning experience…
The attacks carried out by the SEA aren’t that technically sophisticated, but they are rather organized, well planned and goal oriented. I think governmental entities should invest in training the weakest link in the security chain, us humans, rather than splashing millions around. Make sure your average “Hamad” is able to relatively differentiate between a genuine email and a phishing email. It doesn’t matter what defensive technology you’re using if your users are clicking on links in random emails and such.
Very well said.
Congrats to the Syrian Electronic Army. Good job. That is what supporters of terrorists deserve. Long live President Al-Assad.
Qatar Central Tenders Committee website http://www.ctc.gov.qa is also not working.
Kindly check…
Seems to be working this evening