Monday, April 19, 2021

UPDATED: Syrian Electronic Army takes down most major Qatar websites


Updates at bottom of story

The infamous group of hackers that supports embattled Syrian President Bashar al-Assad has apparently taken control of Qatar’s .QA domain name and shut down numerous high-profile websites.

Starting at about 1.54am local time, the Syrian Electronic Army shared this message on Twitter:

Following that, they went about switching off government and private websites using the .QA extension, including Ministry of Interior, the Supreme Education Council, the Emiri Diwan, and even Google.com.qa:


The domains are managed by Qatar’s Ministry of Information and Communication (ictQatar). Apparently, the Syrian Electronic Army gained access to ictQatar’s Domains.qa registrar and was able to shut down everything from there.


At 9:30am on Saturday, none of the websites they’ve listed have resumed functioning normally yet, although instead of showing the smiling face of Syria’s president, visitors to the sites now see a “CPU Limit Reached” error.

Some .QA websites are working, though, including the Olympic Committee and the Meteorology Department.

Typically, companies are able to regain control of their websites a few hours after such attacks.

The Syrian Electronic Army has repeatedly targeted Qatar because of its support of rebels inside Syria and calls for President Al-Assad to resign.

In April of this year, they hacked FIFA’s Twitter accounts and used them to accuse Qatar of buying the 2022 World Cup. The month before, SEA hackers took over Qatar Foundation’s social media accounts and last year also hacked Al Jazeera.


Updates

Oct. 19  | 11:33am:

Websites are starting to come back online, but not all. The Ministry of Interior and Qatar Exchange are now working, as are Ooredoo, Vodafone, Ministry of Foreign Affairs and Al Jazeera Finance.

Others, including the Supreme Education Council, Google and Facebook’s local sites, and the government e-services site Hukoomi are still offline.


Oct. 19  | 12:10pm:

Google.com.qa is working again, too. Not everyone is able to access all of the sites though, as it can take time to get the updated Domain Name System (DNS) data onto all servers.


Oct. 19  | 3:29pm:

Most, if not all, of the websites that were taken down by the SEA appear to be back online now. Are there any websites you’re not able to access?


Have you been affected?

ngourlay
7 years ago

When Q-CERT was being set up, OISSG held a security conference at the Ritz-Carlton, where I had the pleasure of chatting with the people who were protecting Qatar’s internet security. I was not impressed.

The local side of the operation were non-specialists from the police and Qtel. Nice blokes, just not the right people. The Westerners were more interested in enabling Qatar’s obsession with porn-blocking than identifying threats. Much of the management’s time on the platform was spent discussing how Qatari children should be able to search for an image of a “falcon” without seeing results for the porn actress of the same name.

MIMH
7 years ago
Reply to  ngourlay

The only way they can stop little Qataris accessing stuff their parents or the government deems unsuitable is to shut down access to the web totally. Most kids 5 and above can get around the pathetic blocking attempts employed here.

What they need to take more seriously is external attacks. Qatar wants to be a world player and that brings certain risks with it. Time to be prepared.

ngourlay
7 years ago
Reply to  MIMH

I did mention to them that they should just pay Google to block porn, rather than wasting their time building an ineffective system of their own. However, Google was seen as the problem, not the solution, and as I was gate-crashing the conference I didn’t want to annoy anyone before I’d had my free lunch, which was delicious.

Also, one other thing I thought was memorable. The majority of the police attached to internet crime were Pakistani, but had been told to wear thobes rather than their uniform to attend the conference. I don’t know why.

MIMH
7 years ago
Reply to  ngourlay

Qatar does excel in excellent lunches so I appreciate your dilemma.

fullmoon07
7 years ago
Reply to  ngourlay

Nobody taught them something called “parental control” that you can switch on your home PC…?

osamaalassiry
7 years ago
Reply to  fullmoon07

The kids know how to circumvent that…

Bert Da Expert
7 years ago

DDoS protection coupled with better, deeper understanding of IT security threats and what to look out for might have gone a long way in preventing this. Looks like a basic Layer 7 compromise considering the admin panel seems to have been accessed using credentials (either through remote access/trojan or simple social engineering techniques).

qatman
7 years ago
Reply to  Bert Da Expert

It seems the .qa Domain servers were compromised which has redirected the sites.

٩(͡๏̯͡๏)۶
7 years ago
Reply to  Bert Da Expert

How is DDoS protection relevant to this story?

Bert Da Expert
7 years ago

More often than not, those suites have intrusion protection and other countermeasures built in. As said above, it looks like a phishing or social engineering effort. Most on-premise DDoS suites can detect this activity, not just for brute force ICMP or traffic attacks.

٩(͡๏̯͡๏)۶
7 years ago
Reply to  Bert Da Expert

So you are assuming that there are no firewalls/application proxy gateways sat in front of the DNS servers? Seems extremely unlikely that.

In reality there is very little that on-premise devices can do against a true large-scale DDoS attack, application-proxy gateways, multiple UTMs with IPS utilising anomaly-based detection and session disruption do nothing but delay the inevitable, only the ISP is truly positioned to do anything about it and quite often they fail to succeed also. However this is off-topic as this incident has nothing to do with DDoS.

This compromise is likely the result of a zero day application attack or if legitimate credentials were captured a successful phishing exercise.

Bert Da Expert
7 years ago

I doubt the admin panel is even in the same IT environment (looks off the shelf). It's WAN side, not in their LAN. They should have had better access methods or closed IP access rules that could have only been changed from requests within their environment.

٩(͡๏̯͡๏)۶
7 years ago
Reply to  Bert Da Expert

“should have had better access methods or closed IP access rules that could have only been changed from requests within their environment” – a zero day attack on one of the PCs within that environment would have got around that, or simple IP spoofing or a man in the middle attack…

Where there is a will there is a way.

Shadi Eideh
7 years ago

Millions spent over security consultants & auditors here yet this happens! Could’ve had a more sinister scenario if domain names were made to point to fake sites, loads of personal data can be harvested!

fullmoon07
7 years ago
Reply to  Shadi Eideh

the problem, often, are auditors, pal of a pal, and the most inexperienced people brought on …

Lisa Clayton
7 years ago

Qatar Airways website was having issues with bookings & then privilege club sign-in. I wonder if that was related. Anyone know?

Shane West
7 years ago

@ngourlay I completely agree with you and I’ve had the opportunity to meet some of them as well.
The attack is more of a DNS redirection than hacking the site(s) itself. Anywho, it's all a learning experience…

Tamir Omara
7 years ago

The attacks carried by the SEA aren’t that technically sophisticated, but they are rather organized, well planned and goal oriented. I think governmental entities should invest in training the weakest link in the security chain, us humans, rather than splashing millions around. Make sure your average “Hamad” is able to relatively differentiate between a genuine email and a phishing email. It doesn’t matter what defensive technology you’re using if your users are clicking about links in random emails and such.

qatman
7 years ago
Reply to  Tamir Omara

Very well said.

Stefan Lory
7 years ago

Congrats to Syrian Electronic Army. Good job. That was what supporters of terrorists deserve. Long live President Al-Assad.

Ishfaq ur Rehman
7 years ago

Qatar Central Tenders Committee website http://www.ctc.gov.qa is also not working.
Kindly check…

Omar Chatriwala
7 years ago

Seems to be working this evening
