08:58 AM

Syrian Hacktivists Hit Guardian Twitter Feeds

Pro-Assad hacktivist group takes over 11 Twitter feeds belonging to British news group, decries "lies and slander about Syria."

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
The Syrian Electronic Army (SEA) announced Sunday that it took over 11 Twitter feeds belonging to Britain's Guardian newspaper, including its book, film, photography and travel feeds, as well as multiple journalists' accounts. It also posted passwords -- composed of 15 randomized characters -- it claimed were for four of the compromised accounts.

By Monday, many of the accounts were suspended by Twitter, although SEA appeared to still be compromising additional accounts, including the Guardian's business feed. "Follow the Syrian Electronic Army ... Follow the truth!" read a message posted to some compromised Twitter accounts.

"We are aware that a number of Guardian Twitter accounts have been compromised and we are working actively to resolve this," said a Guardian News & Media spokeswoman via email. She declined to comment on how the accounts had been compromised.

[ Worried about your Twitter account getting hacked? Read Twitter Trouble: 9 Social Media Security Tips. ]

The SEA said the disruptions were made to protest the newspaper's "lies and slander about Syria," according to a statement posted to the group's website. Some accounts also had their profiles changed to display a graphic of an eagle bearing the flag of the Syrian Arab Republic, which is used by parties loyal to the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party.

A two-year civil war in Syria has claimed an estimated 70,000 lives to date. The White House in recent days said that U.S. intelligence reports have suggested that the nerve agent sarin may have been used on a "small scale" by Assad supporters against their opponents, reported the Guardian.

The SEA has previously attacked news organizations -- including the BBC and Qatari-backed al-Jazeera TV -- over coverage that the group deemed to be unfavorable to the current Assad regime. Tuesday, notably, the SEA posted a hoax tweet via an Associated Press Twitter feed saying that President Obama had been injured in explosions at the White House. The tweet has been blamed for triggering a temporary downturn in the stock market.

The AP has yet to confirm how its Twitter accounts were compromised, although some news reports said that an SEA-conducted phishing campaign was responsible. Security experts, however, have said that the group has employed a variety of account-takeover tactics. "In many cases, the SEA carries out their attacks in a manner that is difficult to detect," said Ted Ross, the executive technologist at HP Security's Office of Advanced Technology, in a recent blog post rounding up what's known about the Syrian Electronic Army.

The group's tactics also continue to evolve. "The SEA has kind of shifted from actively defacing websites they perceive hostile to the Syrian regime to mostly compromising Twitter accounts of media organizations," Helmi Noman, a senior researcher at Toronto University's Citizen Lab, told NBC News.

The AP account compromise lead to reports that Twitter is now testing a two-factor authentication system internally, which it plans to roll out at an unspecified date. But security experts have warned that such a system still wouldn't protect Twitter users from having their accounts compromised via malware or phishing attacks.

The SEA has recently been engaging in a cat-and-mouse game with Twitter, which has been suspending the group's own accounts -- recently named "@Official_SEA" followed by a number -- almost as quickly as they've been used to boast of compromised targets.

That level of account churn has left the Syrian Electronic Army vulnerable to its opponents. "The Syrian Electronic Army use to be Pro-Assad, since he used chemical weapons against our brothers and sisters, no more, Assad is a Ass!" read a Saturday tweet from the @Official_SEA7 account Saturday. "OK so you need to unfollow @SEA_Official8 and @SEA_Official7, the correct one is @Official_SEA7."

But a message posted Monday to @Official_SEA12 -- an account registered late Sunday and cross-referenced from the SEA's own website -- said that @Official_SEA7 was "a fake account."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.