Twitter (not) hacked by Iranian Cyber Army

UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

Original post:
Banner from hacked site

Banner from hacked site


At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.

Full hacked page

Full hacked page


The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”


This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.


These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.


Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.

Google search result

Google search result


When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.


If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.

14 thoughts on “Twitter (not) hacked by Iranian Cyber Army

  1. Pingback: Twitter Falls Victim To DNS Redirect

  2. Pingback: Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate - VirusDB.INFO

  3. Pingback: Anti-Virus & Anti-Malware website. » Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate

  4. Pingback: Iranian Cyber Army Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate | Malware Blog | Trend Micro

  5. Pingback: Twitter hacked | web hosting india, web hosting in india, web hosting company india, india web hosting

  6. Pingback: دنیای زیبای وب » Blog Archive » بیشتر بدانیم: توییتر هک نشد!

  7. Pingback: Twitter’s DNS Hacked! (Washington Post)- DNS Monthly

  8. Pingback: Ataque del Ciber Ejército Iraní a Twitter | Soxial Media

  9. Pingback: Twitter Hacked, Defaced By “Iranian Cyber Army” | Colorado Springs SEO

  10. Pingback: Twitter Hacked, Defaced By “Iranian Cyber Army” | Denver SEO & Phoenix SEO Company

  11. Pingback: How Twitter was Hacked

  12. Frederick Felman

    It is likely that Twitter’s registrar was hacked. Important to note is that there is protection available from certain registrars including MarkMonitor that mitigates this form of redirection and defacement.

    Using “super-locking” eliminates the ability of hackers to use automated methods to change DNS records.

  13. Pingback: Angels of security » Blog Archive » Twitter’s DNS servers hacked

  14. Pingback: Twitter Hacked, Defaced By "Iranian Cyber Army" - Donna's SecurityFlash

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.