The attack that took China's biggest search site offline yesterday was most likely carried out by modifying Baidu's records at Register.com, the search engine's official domain registrar, a security researcher said.
Baidu.com was unavailable part of Monday, but early in the outage the site displayed a message that read: "This site has been hacked by Iranian Cyber Army," according to a report on the People's Daily, the website of the Chinese Communist Party's official newspaper.
The group was the same that had taken responsibility for an attack against Twitter.com last month that redirected the micro-blogging service's traffic to a domain that hosted the same message.
"It looks like Baidu.com's DNS was changed at the registrar level," said Jeremy Rossi, a partner in Praetorian Security Group, a security consultancy. Praetorian's partners, including Rossi and Daniel Kennedy, published an analysis yesterday of the Baidu.com attack on their company blog.
Rossi said that it was impossible to know for certain whether the Chinese search site's DNS information had actually been changed at Register.com, the registrar of record, but that that was the most likely explanation.
Register.com did not respond to a request for comment.
"The interesting thing is that although Register.com doesn't control the .com servers, they do control the technical login to Baidu's [DNS] servers," said Rossi.
His bet is that the hackers who use the "Iranian Cyber Army" moniker managed to obtain a username and password that allowed them to access Register.com's records for Baidu, perhaps by successfully phishing an employee of the US domain registrar, or one of Baidu's workers. "That's the most common vector for something like this," said Rossi. "It's easier to pull off [than directly hacking DNS]."
The same method was behind the December 2009 Twitter attack, according to the company that manages Twitter's DNS (Domain Name System) servers. The company claimed that an authorised Twitter account was used to switch the service's DNS records.
Rossi's assumption was that once armed with a username and password to Baidu.com's account at Register.com, the hackers modified the DNS records to point to their own, which in turn directed users of the search engine to various systems that hosted the Iranian Cyber Army message.
DNS records act like a telephone directory for the Internet, matching domain names, such as baidu.com, with the IP addresses used by that domain's servers.
Attacks based on modifying DNS records may seem to be on the uptick, but they're not, said Rossi. "This has been going on as long as we've had DNS, but now they're moving up the chain to larger companies, and so they're more prominent," he said.
But web-based firms should take a lesson from the likes of Twitter and Baidu, Rossi said. He urged companies to demand access control that relied on more than just a username and password. "Baidu's entire business is based on their DNS being always right," he said. "Two-factor authentication isn't perfect, but it sets the bar [for attackers] that much higher," he said.