The Iranian Cyber Army (ICA), a group known for attacks on Twitter as well as Baidu, replaced the landing page for Voice of America (VOA) on Monday with a message of their own. In addition, they claim to have hit more than 90 other websites in the same attack.
“Mrs. Clinton Do you want to hear the voice of the oppressed nations will from heart of USA? Islamic world doesn’t believe USA trickery. We call on you to stop interfering in Islamic countries,” reads the message left by the ICA.
Voice of America is the official news service of the United States Government. Of the 94 domains listed by the ICA, the majority are VOA-related.
The ICA made headlines in 2009 when they compromised the email account owned by a Twitter staff member and used that access to redirect Twitter’s DNS services. At the time, it was assumed that a server compromise was the cause.
After conversations with several sources, The Tech Herald was able to put things together and correctly report that it was a DNS change, and not a server breach, that caused the micro-blogging shakeup. [Original report]
Soon after the Twitter attack, the ICA struck again by targeting Baidu, China's largest search portal. For this attack, they altered DNS services as well, which led Baidu to file a lawsuit against Register.com. [Original report] [Follow-up report]
In each of the previous defacements, the ICA’s actions were political. There have been rumors that the ICA is connected to the Iranian government. At the same time, rumors also call them Russian hackers.
As quickly as the ICA made the news and made themselves known, they went idle with no explanation. It’s possible that as things heat up in Iran and in North Africa, this incident marks their return.
So what happened this time? The short answer is that no one knows yet.
Many of the domains listed by the ICA as hacked share a common thread, Network Solutions. However, voanews.com, the master domain, does not appear to use Network Solutions at all.
At the same time, voanews.net, voanews.org, voanews.info, voahp.com, voanews.us, as well as many others, resolve to a Network Solutions holding page or point to the ICA message on voanews.com. In addition, they use DNS hosting from WorldNIC, a Network Solutions company.
It is possible that the Network Solutions account was compromised, and then with that access, voanews.com was defaced thanks to a shared password. However, most of the domains pointed to the main URL before the defacement. So this could be a case where a single compromise covered 93 additional domains simply due to the nature of their hosting.
We’ve reached out to Network Solutions, as well as the Broadcasting Board of Governors, the organization that manages Voice of America, for comment on the incident.
Shashi Bellamkonda, the Director of Social Media at Network Solutions, sent over the following statement:
"All sites should be restored at this time. There was no compromise or data loss on either side and we are working with the customer to provide any further help if needed. To be clear there was no hack or breach of Network Solutions' systems or services."
"As soon as we were notified by the customer of the defacement, we assisted the customer in restoring the DNS back to the original servers. Additionally, this customer's other domains on WorldNIC's DNS are being forwarded to voanews.com. Please understand, in order to avoid educating bad actors, we will not be providing any further details regarding how the DNS was changed."