During this time, the website's usual content was replaced with an image of a lizard and the message “404 – Plane Not Found. Hacked by Lizard Squad – Official Cyber Caliphate”, while the browser tab read “ISIS WILL PREVAIL”. Lizard Squad is not believed to have any connections with the terrorist group, although the group was unavailable for comments at the time of writing.
The airline – which is still recovering from the disappearance of MH370 and the shooting down of MH317 – later confirmed on its Facebook page that the website had been restored, with no data stolen.
"Malaysia Airlines confirms that its Domain Name System (DNS) has been compromised where users are re-directed to a hacker website when www.malaysiaairlines.com URL is keyed in. At this stage, Malaysia Airlines' web servers are intact," the company wrote.
"The airline has resolved the issue with its service provider and the system is expected to be fully recovered within 22 hours. The matter has also been immediately reported to CyberSecurity Malaysia and the Ministry of Transport."
Lizard Squad – which also claimed it was behind the DDoS attacks against PlayStation Network and Xbox Live on Christmas Day – said, however, that it did steal an unspecified amount of data, and that it would be making this information available to the public “soon”.
“This is a very brutal attack as it has a direct impact on the families that have recently been affected by the Malaysia Airlines disasters. If the hackers have in fact taken customer data then some very vulnerable people could potentially be the subject of future targeted email attacks. If any personal details of customers have been taken then they could be targeted with phishing emails and spam about Malaysia Airlines, which they could be convinced into opening – especially if they are expecting to receive news regarding family and friends from the company.
We also don't know for definite that the attackers are who we think they are and that this isn't just a case of trying to discredit Lizard Squad. There is a big difference between targeting a corporate company like Sony with a series of attacks, and launching an attack against a company which will have an impact on families who are waiting to hear news about the fate of their relatives.”
Tim Holman, president of the ISSA UK security professionals group and also CEO of QSA 2-sec, said in an email to SCMagazineUK.com that hackers had compromised a DNS server, and that this should act as an incentive for others to check this on a regular basis.
“In my eyes, that's still a compromise, as DNS is a vital component of any web presence, even if it's hosted elsewhere or by a third party. I think it's important to remember not just to focus on the web tier when it comes to assessing systems, but also to look at the critical infrastructure that underpins it.
“Companies should regularly review their DNS setups. Who hosts it? Who can change it? How do you recover quickly if someone does tamper with DNS records?”
“As a penetration testing firm, we get a deluge of requests to perform web application testing, and it's rare that any company is that concerned about the underpinning infrastructure. More often than not, their DNS records are hosted by servers that aren't even under their control.”
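The questions Holman raises (who hosts the zone, who can change it, how quickly tampering is noticed) translate into a routine check that any defender can run. The script below is an added example, not code from the article or from any of the firms it quotes: it compares the nameserver delegation and address records currently served for a zone against a signed-off baseline and reports every deviation. A DNS hijack of the kind described above leaves the web servers untouched and changes only these records, so this is the layer at which it becomes visible. All domains, nameservers and addresses are constructed placeholders (RFC 2606 names, RFC 5737 addresses); the `resolve_live` helper shells out to `dig` and needs network access, while the demo feeds it constructed snapshots instead.

```python
"""DNS baseline drift check (added example; constructed data throughout)."""
from __future__ import annotations

import ipaddress
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneBaseline:
    """What the zone should look like, agreed with whoever hosts the DNS."""
    domain: str
    nameservers: frozenset[str]                          # expected NS set
    allowed_prefixes: tuple[ipaddress.IPv4Network, ...]  # where A records may point
    a_records: dict[str, frozenset[str]]                 # host -> expected IPv4 set


def parse_dig_short(output: str) -> frozenset[str]:
    """Normalise `dig +short` output (one record per line) to a lowercase set."""
    records = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            records.add(line.rstrip(".").lower())
    return frozenset(records)


def resolve_live(name: str, rtype: str, resolver: str = "1.1.1.1") -> frozenset[str]:
    """Live lookup via dig against a public recursive resolver (needs network;
    the offline demo below feeds constructed snapshots instead)."""
    result = subprocess.run(
        ["dig", "+short", f"@{resolver}", name, rtype],
        capture_output=True, text=True, timeout=10, check=True,
    )
    return parse_dig_short(result.stdout)


def dns_drift(baseline: ZoneBaseline, observed_ns: frozenset[str],
              observed_a: dict[str, frozenset[str]]) -> list[str]:
    """Return one human-readable finding for every deviation from the baseline."""
    findings: list[str] = []
    for ns in sorted(observed_ns - baseline.nameservers):
        findings.append(f"{baseline.domain}: unexpected nameserver {ns}")
    for ns in sorted(baseline.nameservers - observed_ns):
        findings.append(f"{baseline.domain}: expected nameserver {ns} missing")
    for host, expected in baseline.a_records.items():
        got = observed_a.get(host, frozenset())
        if got != expected:
            findings.append(f"{host}: A records {sorted(got)} != baseline {sorted(expected)}")
        for addr in sorted(got):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in baseline.allowed_prefixes):
                findings.append(f"{host}: {addr} is outside every approved prefix")
    return findings


# Constructed baseline for a fictitious zone (RFC 2606 names, RFC 5737 addresses).
BASELINE = ZoneBaseline(
    domain="example.com",
    nameservers=frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"}),
    allowed_prefixes=(ipaddress.ip_network("203.0.113.0/24"),),
    a_records={"www.example.com": frozenset({"203.0.113.10", "203.0.113.11"})},
)

# Constructed `dig +short` snapshots: a normal day, and the hijack pattern
# (delegation repointed to foreign nameservers, www resolving elsewhere).
NORMAL_NS = "ns1.dns-provider.example.\nns2.dns-provider.example.\n"
NORMAL_WWW = "203.0.113.10\n203.0.113.11\n"
HIJACKED_NS = "ns1.squatter.example.\nns2.squatter.example.\n"
HIJACKED_WWW = "198.51.100.77\n"


def check_snapshot(ns_output: str, www_output: str) -> list[str]:
    """Run the drift check over raw dig output against BASELINE."""
    return dns_drift(
        BASELINE,
        parse_dig_short(ns_output),
        {"www.example.com": parse_dig_short(www_output)},
    )


if __name__ == "__main__":
    for label, ns, www in (("normal", NORMAL_NS, NORMAL_WWW),
                           ("hijacked", HIJACKED_NS, HIJACKED_WWW)):
        findings = check_snapshot(ns, www)
        print(f"[{label}] {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run from cron against the live records (replace the constructed snapshots with `resolve_live(domain, "NS")` and `resolve_live(host, "A")`) and route any non-empty finding list to the on-call channel; the baseline itself belongs in version control alongside the registrar and DNS-provider account owners, so that "who can change it" has a written answer before an incident rather than during one.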
Trey Ford, global security strategist at Rapid7, added in an email to journalists:
“It's been a terrible year for Malaysia Airlines, and a bad month so far for travel websites. A quick review of the timeline seems to validate Malaysia Airlines' statement that the DNS was compromised. The airline's security response team would be able to piece together a timeline of events rather quickly; the investigation path on something like this is fairly straightforward, albeit reliant on third-party participation from the Domain Registrar, a DNS provider, or others. I have no hesitation in believing the systems managed by the airline were not impacted or undermined in the course of this event.
“While embarrassing, this redirection is little more than a nuisance from an operational perspective. This strikes me as an attack of opportunity more than a focused compromise. Due to the simple ‘defacement page’, overt announcement of the compromise, and lack of additional malice, I believe this was more a press stunt or redirection on the part of the attackers claiming to be Lizard Squad.”