Attacks/Breaches
7/30/2013
12:45 PM

Syrian Electronic Army Hacks White House Media Team

Hackers fail to take over White House website, then get their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover.

Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA).

The accounts were compromised via a phishing attack that used emails disguised as legitimate communications from the BBC and CNN, reported Nextgov. Instead, the emails included links to fake -- but real-looking -- Google and Twitter pages, which requested that the recipients enter their log-in details. The attackers then used the stolen credentials to launch phishing attacks on other White House staffers, as recently as Sunday night.

According to one security expert, finding the names and contact details for staffers in charge of social media operations at the White House would have been a relatively simple endeavor. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access," Jeffrey Carr, a cyberwarfare specialist at consultancy Taia Global, told Nextgov. "A list of targets would be created from open sources and that's who the phishing email would be delivered to."


The SEA told E Hacking News that the Gmail phishing attack was meant to be a stepping stone to taking over the public-facing White House website. But the hacking group, which backs Syrian president Bashar al-Assad, failed in that bid.

Instead, it released -- no longer working -- passwords for the official White House Twitter feed, as well as a username and password for the White House Hootsuite account. "You were lucky this time," read a tweet from the SEA.

But the hackers claimed success Monday after taking over the Twitter feed for Thomson Reuters and posting multiple fake tweets, including links to pro-Assad cartoons, some of a violent nature, which were later reproduced by BuzzFeed. After the takeover was discovered, the account remained suspended until early Tuesday.

A Thomson Reuters spokesman confirmed the breach to The Wall Street Journal. "Earlier today @thomsonreuters was hacked," he said in a statement emailed late Monday. "In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation." But the spokesman declined to address how the business had been hacked, or whether it was using Twitter's two-factor authentication feature.

The SEA previously invoked the White House after taking over an account run by The Associated Press. The group then issued this fake tweet: "Breaking: Two Explosions in the White House and Barack Obama is injured." That takeover, which caused a short-term stock market selloff, led to increased demands on Twitter to introduce a two-factor authentication system, which it released about a month later, albeit to mixed reviews.

Meanwhile, the SEA boasted Tuesday on its website that its 12th Twitter account had been suspended, after the account was used to detail the group's takeover of Thomson Reuters. The accounts of multiple group members, including "The3Pr0," were also suspended.

From a new account, The3Pr0 issued a warning against further takedowns: "Dear @Twitter, If you suspend the #SEA account again, you will see the [most] massive Twitter accounts hacks you ever see!"

The White House phishing attack aside, the SEA typically targets news organizations it sees as promoting a negative view of the current Syrian regime. The group's takeover victims have included Twitter accounts run by a number of news organizations, including not just the AP but also NPR, CBS News, the BBC and satire site The Onion.

Syrian president Assad made his own social media news last week for extending his propaganda efforts to Instagram, where a new account has been set up to promote his presidency. The photo-sharing platform showed him visiting sick people in the hospital and wiping tears from children's faces.

The Syrian civil war, which began more than two years ago, has so far claimed an estimated 93,000 lives.
