In a blog posted Thursday, Washington Post managing editor Emilio Garcia-Ruiz wrote: "A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information.
"The attack resulted in one staff writer's personal Twitter account being used to send out a Syrian Electronic Army message," the blog states. "For 30 minutes this morning, some articles on our website were redirected to the Syrian Electronic Army's site.
"The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain," the blog continues. "We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site."
According to a subsequent electronic post by a Post reporter, the attack worked because of a vulnerability in Outbrain, a third-party content recommendation service.
"Outbrain works by embedding a widget on websites filled with sponsored links, and it seems as though once the SEA had hacked Outbrain, that gave them access to redirect readers on certain pages to SEA-controlled sites," the post says.
The SEA says its attack on Outbrain also allowed it to compromise the websites of Time and CNN.
An Outbrain spokesperson confirmed that its service had been compromised. "We are aware that Outbrain was hacked earlier today," the spokesperson says in an online post. "In an effort to protect our publishers and readers, we took down service as soon as it was apparent.
"The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it's safe to turn it back on securely," Outbrain says. "We are working hard to prevent future attacks of this nature."
News of The Washington Post breach follows a number of other publicly disclosed attacks by nation-states on U.S. media, including the attacks on The New York Times and other media sites by a Chinese hacking group, which was described in detail by Mandiant's APT1 report.
But experts noted that the SEA's attack was very different than the attack by China.
"This latest breach of The Washington Post is a bit different than the highly published attacks a couple months ago of The New York Times and other new organizations," says Scott Parcel, CTO of application security vendor Cenzic. "While the previous attacked appeared to be aimed at getting at internal information, such as news sources, the attack on the Post is aimed at the users of the website,. While sources are critical to news, if readers become afraid that simply visiting the site to read the news threatens their own computers with malware, then the readership could dry up quickly.
"Another important aspect of this breach is the relationship to the supply chain," Parcel continues. "Even though it was actually Outbrain that was breached, the Washington Post uses Outbrain as a content suppler, and the Washington Post now finds itself featured in new stories as having a security problem. "This scenario is getting more and more common."
Roger Thompson, chief emerging threat researcher at ICSA Labs, agreed. "Any chain is only as strong as its weakest link, and in this case, it seems to be a third-party link that was 'weak' -- or if not weak, at least vulnerable," he says.
This isn't the first time that the SEA has attacked a website, notes Scott Hazdra, principal security consultant at Neohapsis, a security and risk management consulting company. "The SEA was first mentioned in 2011 in connection with the launch of its website," Hazdra recalls.
"Current information indicates that the SEA is a loosely organized group of like-minded, technologically savvy individuals acting collectively to bring attention to their group and their political agenda through attacking large, high-profile social networking and media organizations," Hazdra says. "There have not been any reported attacks where financial, credit card or health information was specifically targeted or compromised, but account information and passwords of individuals from other types of sites have been hacked and published.
"After compromising an account or website, the group typically posts fictitious stories and messages, or messages directed at particular individuals or groups, to draw attention to their agenda," Hazdra reports.
Richard Henderson, security strategist at Fortinet's FortiGuard Labs, says the attack on the Washington Post speaks to the need for better security at the user level.
"Based on what we know about the Syrian Electronic Army and previous attacks, it's very likely this followed the same M.O. -- a carefully researched spear-phishing campaign designed to target specific employees to deliver malware to steal credentials," Henderson says. "These attacks will continue to be successful as long as companies delay implementing technologies such as two factor authentication to mitigate credential theft."
"The real question is: How many more examples of hacking on premier media companies do we have to have before the CEOs of those companies actually wake up and budget a proper amount of money to help the information security teams actually do their jobs?" asks John Prisco, CEO of endpoint security company Triumfant. "The management teams of these media companies really need to take a hard look at investing much more in cyber security defenses or this will keep happening.
"Media companies have obviously been under attack for quite some time, starting with the New York Times," Prisco observes. "The truth is, media corporations traditionally do not budget a significant amount of money to protect themselves from these sorts of attacks so they are way more vulnerable. Unlike some industries that stress protection like financial services, media corporations don't, so therefore they are easy pickings."
Barry Shteiman, senior security strategist at Imperva, agrees. "It makes lots of sense for a hacktivist group that wishes to display their message and show that they exist to go after high-end media," he says. "They have been actively hacking Twitter accounts of news sites and have recently escalated to hacking into the websites themselves to create awareness.
"There is also a high likelihood that these targets are using similar website platforms as well," Shteiman says. "The reason it is so interesting, is that it paves the way for a crowd-sourced approach -- sharing attack data between companies -- to solve this problem. If one of those companies shared their threat intelligence on the attack and its characteristics, the others could have been prepared in advance."
Darien Kindlund, FireEye's manager of threat intelligence, wonders if the SEA's surface attack on the Washington Post website might have been a diversion to a more sophisticated exploit. "Sometimes, DDoS attacks are a smoke screen for other attacks," he observes. In the past, the SEA has also been known to take information as a part of their campaigns. It is possible that the SEA wants to monitor Washington Post stories on Syria as China wanted to spy on the New York Times. There are certainly some people inside the Syrian government who would like to have access to such information."
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.