Photo - Dr. Amirudin Abdul Wahab, CEO, CyberSecurity Malaysia
National cybersecurity specialist agency CyberSecurity Malaysia has confirmed that Malaysia Airlines [MAS] website was hacked Monday morning, 26 January 2015, in certain regions using a domain hijacking tactic.
Early media reports said that the Malaysia Airlines website's home page had been replaced by a photo of a MAS Airbus A380 with the words "404 - Plane Not Found," referring to the missing MH370 flight from March last year. Local media had published screenshots of the 'hacked' home page, which showed the names of groups such as "Cyber Caliphate, Lizard Squad, UGNazi, NATHAN NYE and HENRY BLAIR STRATER" along with Twitter accounts @umgrobert and @umg_chris as their contacts.
CyberSecurity Malaysia confirmed later that it received a report from Malaysia Airlines about an interruption to its website services on the same day.
Dr Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia, said that "upon investigation, we found [this] was a case of Domain Hijacking and CyberSecurity Malaysia is prepared to assist MAS in resolving the issue and preventing future occurrence, if needed."
Domain hijacking, also known as domain theft, is a process by which Internet domain names are stolen from their legitimate owners, the agency added in a general statement. To hijack a domain name, the thief needs to gain access to the domain control panel and point the domain name at a web server other than the original one. The hijack need not involve gaining access to the target's web server: only the registrar holding the target domain and control of the 'admin' email address associated with the target domain are needed.
The statement included an advisory suggesting that "two ways to protect the domain name were to protect the administrative email account associated with the domain and also to go for private domain registration, where personal details such as name, address and the administrative email address are hidden from the public."
In a statement, Malaysia Airlines said its "Domain Name System (DNS) has been compromised where users are re-directed to a hacker website" but added that its own servers and website have not been hacked and that customer bookings and data were unaffected.
One of the groups, Lizard Squad, countered Malaysia Airlines' statement with a threat to "soon dump some loot."
Security leaders comment
Sophos senior security advisor Chester Wisniewski agreed with CyberSecurity Malaysia's findings. "Malaysia Airlines was not attacked through DNS poisoning but through a DNS hijacking method. It appears that Malaysia Airlines' TTL (Time To Live) was set to 24 hours. This meant that any changes can take up to 24 hours to propagate, and this could prolong the outage.
"DNS hijacking has happened frequently over the last few years, such as high profile attacks by the Syrian Electronic Army on big name companies, prompting them to protect their DNS assets," said Wisniewski. "The best way for companies to avoid this is to ensure there is domain locking enabled on their accounts and to use a DNS name provider who offers two-factor authentication to prevent unauthorised access to domain settings."
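As an added illustration (not code from the article or from any organisation quoted in it), the following Python script encodes the defensive checks the sources above recommend: registrar or registry lock status on the domain, NS delegation and address records compared against a known-good baseline, and a TTL short enough that a corrected record propagates quickly. The domain names, IP addresses and status lists are constructed sample data; a real monitor would obtain them from the registrar's RDAP service and a public resolver.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    nameservers: set          # NS delegation the registrant expects
    a_records: dict           # hostname -> set of expected IPv4 answers
    max_ttl: int = 3600       # assumption: cap TTL at 1h so a corrected record propagates fast

@dataclass
class Snapshot:
    statuses: list            # EPP status codes as returned by an RDAP/WHOIS lookup
    nameservers: set          # NS records seen from public resolvers
    a_records: dict           # hostname -> set of observed IPv4 answers
    ttl: int                  # TTL (seconds) observed on those records

def has_lock(statuses, kind):
    # A client (registrar) or server (registry) lock of this kind both count.
    return any(f"{side}{kind}Prohibited" in statuses for side in ("client", "server"))

def check_domain(snap, base):
    """Return a list of findings; empty means locked, unchanged and quick to roll back."""
    findings = []
    for kind in ("Transfer", "Update"):
        if not has_lock(snap.statuses, kind):
            findings.append(f"no {kind.lower()} lock: registrar account access alone could re-point the domain")
    if snap.nameservers != base.nameservers:
        findings.append(f"NS delegation changed to {sorted(snap.nameservers)}")
    for host, expected in base.a_records.items():
        seen = snap.a_records.get(host, set())
        if seen != expected:
            findings.append(f"{host} now resolves to {sorted(seen)} instead of {sorted(expected)}")
    if snap.ttl > base.max_ttl:
        findings.append(f"TTL {snap.ttl}s: a fix could take up to {snap.ttl // 3600}h to reach all resolvers")
    return findings

# Constructed sample data (hypothetical names and addresses, not real infrastructure).
BASELINE = Baseline(
    nameservers={"ns1.example-airline.test", "ns2.example-airline.test"},
    a_records={"www.example-airline.test": {"203.0.113.10"}},
)
HEALTHY = Snapshot(
    statuses=["clientTransferProhibited", "clientUpdateProhibited"],
    nameservers={"ns1.example-airline.test", "ns2.example-airline.test"},
    a_records={"www.example-airline.test": {"203.0.113.10"}}, ttl=300,
)
HIJACKED = Snapshot(               # delegation re-pointed, no locks, 24h TTL as in the article
    statuses=["ok"],
    nameservers={"ns1.unknown-host.test"},
    a_records={"www.example-airline.test": {"198.51.100.7"}}, ttl=86400,
)
```

Running `check_domain(HIJACKED, BASELINE)` yields five findings, while the healthy snapshot yields none; in practice the baseline would be captured once under change control and the snapshot polled on a schedule.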