[Update: December 19]

HomyLafayette has analysed the Iranian Cyber Army hack. Read it: Twitter homepage hacked by ‘Iranian Cyber Army’.

The homepage of the microblogging service Twitter was briefly compromised by a pro-regime group or individual calling itself or himself the Iranian Cyber Army in the early hours (GMT) of Friday, December 18. Normal service was restored within an hour.

The same individual or group had hacked the homepage of the opposition news site Mowjeh Sabzeh Azadi two days ago as mentioned on this blog yesterday. The news site created alternate homepage URLs and continues to post news articles. As of this writing, Mowjeh Sabzeh Azadi’s usual homepage is still defaced.

Visitors to Twitter were greeted with a defaced homepage proclaiming, ‘This site has been hacked by Iranian Cyber Army,’ followed by a gmail address. The hacked page contained an image of a green flag and the following English text, which was not posted when Mowjeh Sabzeh Azadi was hacked:

‘U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
Take Care.’

The green flag which adorned the center of the page bore Arabic text in red. Fox News incorrectly stated, ‘On the flag, in red Arabic writing: “Yassin” (an Arabic name written in bold) then in smaller Arabic print “the feast of peace.”‘

The red text on the green flag in fact reads, ‘O Hossein, peace be upon him,’ referring to Imam Hossein, a key figure in Islam and the 3rd Imam of Shiites. Today is the first day of the Islamic month of Moharram, second only to the month of Ramadan in holiness. The first ten days of Moharram, daheyeh Moharram, are a period of mourning culminating in Ashura, December 27, which is the commemoration of Hossein’s martyrdom in 680 AD. Mourners traditionally march through the streets, dressed in black and bearing green banners with Imam Hossein’s name written on them. The Iranian opposition has stated that it will again exploit these official events to stage anti-regime protests from December 18 to 27. The fact that the opposition’s color is green and the first name of the main opposition leader, Mir Hossein Mousavi, is also Hossein will allow protesters to mingle in official ceremonies more easily.

The light blue text over the flag is also in Arabic and means, ‘Then surely Hezbollah shall be triumphant.’ Hezbollah in this case does not necessarily refer to the Lebanese Hezbollah and is probably used in the more generic sense of ‘party of Allah,’ even though this Arabic text does appear at the top of the official yellow flag of the Lebanese Hezbollah (to the right).

Below the flag is an unfamiliar poem in Farsi:
If the Leader (NB Ali Khamenei) gives the order we will charge,
If he asks us, we will give our lives,
If he asks us to be patient and come to order,
We shall sit and burn [in silence] and compromise.

Tech Crunch was one of the first news sites to report the hack around 10 PM PST on Thursday. One of its readers sent a screen capture of a Google search for Twitter which produced the following result:

The text below the result returned for Twitter is also in Farsi and reads, ‘In the name of God, as an Iranian, in response to this service’s trouble-making interference at the request of the American authorities in my country’s affairs…’ The word God is the Farsi khoda and not the Arabic Allah. The text implies that the perpetrator is alone.

After the June 12 post-election unrest, the US State Department asked Twitter to postpone a scheduled maintenance shutdown in order to allow demonstrators to continue sending information out of Iran.

[12:35AM Tehran Time]

Twitter has posted the following in their blog:

DNS Disruption
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

Looks like somehow the hackers managed to change the DNS (Domain Name Service) records for Twitter. This means that the Twitter application servers itself were NOT compromised; rather, the IP address record in the DNS server associated with the domain name, twitter.com likely was changed to point to the hacker’s page. It will be interesting to see what additional info Twitter provides. We will continue to monitor this story closely.

[11:10AM Tehran Time]

BREAKING NEWS: The Twitter social networking service was attacked by a group calling itself The Iranian Cyber Army. We are following the story closely and will report more shortly. TechCrunch reports that the following message was being displayed while Twitter was down:

Iranian Cyber Army


U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

Take Care.

The website MowjCamp.org, an Iranian opposition website supporting the Green Movement for freedom and human rights in Iran was hacked earlier today and apparently a similar message was displayed.

The attack on Twitter is significant because since June 12, when Iran held a presidential election in which Ahmadinejad was declared the winner and that has since been heavily disputed, Twitter has been used by the opposition to disseminate information to and from Iran. It has also been used for coordinating protests against the regime. It is not clear at this time who the Iranian Cyber Army is — whether it is a rogue group of hackers that support the regime, or elements within the regime itself, or some other group.