Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Syrian Electronic Army Hacks White House Media Team

Hackers fail to take over White House website, and then got their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA).

The accounts were compromised via a phishing attack that used emails disguised as legitimate communications from the BBC and CNN, reported Nextgov. Instead, the emails included links to fake -- but real-looking -- Google and Twitter pages, which requested that the recipients enter their log-in details. The attackers then used the stolen credentials to launch phishing attacks on other White House staffers, as recently as Sunday night.

According to one security expert, finding the names and contact details for staffers in charge of social media operations at the White House would have been a relatively simple endeavor. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access," Jeffrey Carr, a cyberwarfare specialist at consultancy Taia Global, told Nextgov. "A list of targets would be created from open sources and that's who the phishing email would be delivered to."

[ Want more on well-known hacking groups? Read Anonymous: 10 Things We Have Learned In 2013. ]

The SEA told E Hacking News that the Gmail phishing attack was meant to be a stepping stone to taking over the public-facing White House website. But the hacking group, which backs Syrian president Bashar al-Assad, failed in that bid.

Instead, it released -- no longer working -- passwords for the official White House Twitter feed, as well as a username and password for the White House Hootsuite account. "You were lucky this time," read a tweet from the SEA.

But the hackers claimed success Monday after taking over the Twitter feed for Thomson Reuters and posting multiple fake tweets, including links to pro-Assad cartoons, some of a violent nature, which were later reproduced by BuzzFeed. After the takeover was discovered, the account remained suspended until early Tuesday.

A Thomson Reuters spokesman confirmed the breach to The Wall Street Journal. "Earlier today @thomsonreuters was hacked," he said in a statement emailed late Monday. "In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation." But the spokesman declined to address how the business had been hacked, or whether it was using Twitter's two-factor authentication feature.

The SEA previously invoked the White House after taking over an account run by The Associated Press. The group then issued this fake tweet: "Breaking: Two Explosions in the White House and Barack Obama is injured." That takeover, which caused a short-term stock market selloff, lead to increased demands on Twitter to introduce a two-factor authentication system, which it released about a month later, albeit to mixed reviews.

Meanwhile, the SEA boasted Tuesday on its website that its 12th Twitter account had been suspended, following the account having been used to detail the group's takeover of Thomson Reuters. The accounts of multiple group members, including "The3Pr0," were also suspended.

From a new account, The3Pr0 issued a warning against further takedowns: "Dear @Twitter, If you suspend the #SEA account again, you will see the [most] massive Twitter accounts hacks you ever see!"

The White House phishing attack aside, the SEA typically targets news organizations it sees as promoting a negative view of the current Syrian regime. The group's takeover victims have included Twitter accounts run by a number of news organizations, including not just the AP but also NPR, CBS News, the BBC and satire site The Onion.

Syrian president Assad made his own social media news last week for extending his propaganda efforts to Instagram, where a new account has been set up to promote his presidency. The photo-sharing platform showed him visiting sick people in the hospital and wiping tears from children's faces.

The Syrian civil war, which began more than two years ago, has so far claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
CVE-2021-29452
PUBLISHED: 2021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
CVE-2021-29444
PUBLISHED: 2021-04-16
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...