Attacks/Breaches
7/30/2013
12:45 PM
Connect Directly
RSS
E-Mail
50%
50%

Syrian Electronic Army Hacks White House Media Team

Hackers fail to take over White House website, and then got their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA).

The accounts were compromised via a phishing attack that used emails disguised as legitimate communications from the BBC and CNN, reported Nextgov. Instead, the emails included links to fake -- but real-looking -- Google and Twitter pages, which requested that the recipients enter their log-in details. The attackers then used the stolen credentials to launch phishing attacks on other White House staffers, as recently as Sunday night.

According to one security expert, finding the names and contact details for staffers in charge of social media operations at the White House would have been a relatively simple endeavor. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access," Jeffrey Carr, a cyberwarfare specialist at consultancy Taia Global, told Nextgov. "A list of targets would be created from open sources and that's who the phishing email would be delivered to."

[ Want more on well-known hacking groups? Read Anonymous: 10 Things We Have Learned In 2013. ]

The SEA told E Hacking News that the Gmail phishing attack was meant to be a stepping stone to taking over the public-facing White House website. But the hacking group, which backs Syrian president Bashar al-Assad, failed in that bid.

Instead, it released -- no longer working -- passwords for the official White House Twitter feed, as well as a username and password for the White House Hootsuite account. "You were lucky this time," read a tweet from the SEA.

But the hackers claimed success Monday after taking over the Twitter feed for Thomson Reuters and posting multiple fake tweets, including links to pro-Assad cartoons, some of a violent nature, which were later reproduced by BuzzFeed. After the takeover was discovered, the account remained suspended until early Tuesday.

A Thomson Reuters spokesman confirmed the breach to The Wall Street Journal. "Earlier today @thomsonreuters was hacked," he said in a statement emailed late Monday. "In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation." But the spokesman declined to address how the business had been hacked, or whether it was using Twitter's two-factor authentication feature.

The SEA previously invoked the White House after taking over an account run by The Associated Press. The group then issued this fake tweet: "Breaking: Two Explosions in the White House and Barack Obama is injured." That takeover, which caused a short-term stock market selloff, lead to increased demands on Twitter to introduce a two-factor authentication system, which it released about a month later, albeit to mixed reviews.

Meanwhile, the SEA boasted Tuesday on its website that its 12th Twitter account had been suspended, following the account having been used to detail the group's takeover of Thomson Reuters. The accounts of multiple group members, including "The3Pr0," were also suspended.

From a new account, The3Pr0 issued a warning against further takedowns: "Dear @Twitter, If you suspend the #SEA account again, you will see the [most] massive Twitter accounts hacks you ever see!"

The White House phishing attack aside, the SEA typically targets news organizations it sees as promoting a negative view of the current Syrian regime. The group's takeover victims have included Twitter accounts run by a number of news organizations, including not just the AP but also NPR, CBS News, the BBC and satire site The Onion.

Syrian president Assad made his own social media news last week for extending his propaganda efforts to Instagram, where a new account has been set up to promote his presidency. The photo-sharing platform showed him visiting sick people in the hospital and wiping tears from children's faces.

The Syrian civil war, which began more than two years ago, has so far claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.