Attacks/Breaches
7/30/2013
12:45 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Syrian Electronic Army Hacks White House Media Team

Hackers fail to take over White House website, and then got their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA).

The accounts were compromised via a phishing attack that used emails disguised as legitimate communications from the BBC and CNN, reported Nextgov. Instead, the emails included links to fake -- but real-looking -- Google and Twitter pages, which requested that the recipients enter their log-in details. The attackers then used the stolen credentials to launch phishing attacks on other White House staffers, as recently as Sunday night.

According to one security expert, finding the names and contact details for staffers in charge of social media operations at the White House would have been a relatively simple endeavor. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access," Jeffrey Carr, a cyberwarfare specialist at consultancy Taia Global, told Nextgov. "A list of targets would be created from open sources and that's who the phishing email would be delivered to."

[ Want more on well-known hacking groups? Read Anonymous: 10 Things We Have Learned In 2013. ]

The SEA told E Hacking News that the Gmail phishing attack was meant to be a stepping stone to taking over the public-facing White House website. But the hacking group, which backs Syrian president Bashar al-Assad, failed in that bid.

Instead, it released -- no longer working -- passwords for the official White House Twitter feed, as well as a username and password for the White House Hootsuite account. "You were lucky this time," read a tweet from the SEA.

But the hackers claimed success Monday after taking over the Twitter feed for Thomson Reuters and posting multiple fake tweets, including links to pro-Assad cartoons, some of a violent nature, which were later reproduced by BuzzFeed. After the takeover was discovered, the account remained suspended until early Tuesday.

A Thomson Reuters spokesman confirmed the breach to The Wall Street Journal. "Earlier today @thomsonreuters was hacked," he said in a statement emailed late Monday. "In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation." But the spokesman declined to address how the business had been hacked, or whether it was using Twitter's two-factor authentication feature.

The SEA previously invoked the White House after taking over an account run by The Associated Press. The group then issued this fake tweet: "Breaking: Two Explosions in the White House and Barack Obama is injured." That takeover, which caused a short-term stock market selloff, lead to increased demands on Twitter to introduce a two-factor authentication system, which it released about a month later, albeit to mixed reviews.

Meanwhile, the SEA boasted Tuesday on its website that its 12th Twitter account had been suspended, following the account having been used to detail the group's takeover of Thomson Reuters. The accounts of multiple group members, including "The3Pr0," were also suspended.

From a new account, The3Pr0 issued a warning against further takedowns: "Dear @Twitter, If you suspend the #SEA account again, you will see the [most] massive Twitter accounts hacks you ever see!"

The White House phishing attack aside, the SEA typically targets news organizations it sees as promoting a negative view of the current Syrian regime. The group's takeover victims have included Twitter accounts run by a number of news organizations, including not just the AP but also NPR, CBS News, the BBC and satire site The Onion.

Syrian president Assad made his own social media news last week for extending his propaganda efforts to Instagram, where a new account has been set up to promote his presidency. The photo-sharing platform showed him visiting sick people in the hospital and wiping tears from children's faces.

The Syrian civil war, which began more than two years ago, has so far claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web