
Washington Post Hacked By Syrian Electronic Army

Breach at third-party service enables Syrian cyberattackers to gain access to Washington Post, Time, and CNN

The Syrian Electronic Army is taking credit for hacks of The Washington Post and other U.S. media targets earlier this week.

In a blog post published Thursday, Washington Post managing editor Emilio Garcia-Ruiz wrote: "A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information.

"The attack resulted in one staff writer's personal Twitter account being used to send out a Syrian Electronic Army message," the blog states. "For 30 minutes this morning, some articles on our website were redirected to the Syrian Electronic Army's site.

"The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain," the blog continues. "We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site."

According to a subsequent online post by a Post reporter, the attack worked because of a vulnerability in Outbrain, a third-party content recommendation service.

"Outbrain works by embedding a widget on websites filled with sponsored links, and it seems as though once the SEA had hacked Outbrain, that gave them access to redirect readers on certain pages to SEA-controlled sites," the post says.
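The weak point described above is a third-party script the publisher embeds but does not control. As an added example (not code from the article, the Post, or Outbrain), here is a small Python audit a publisher could run: it pins a Subresource Integrity hash for every reviewed third-party script and flags any whose served body has changed since review. The hostnames and script bodies are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample publisher page: one third-party widget loader and one
# first-party script (hostnames are hypothetical placeholders).
PAGE_HTML = """<html><body><div id="w"></div>
<script src="https://cdn.widget-vendor.test/loader.js"></script>
<script src="https://www.publisher.test/static/app.js"></script>
</body></html>"""

# Constructed script bodies: the baseline the publisher reviewed, and a later
# fetch in which the vendor's loader has gained a top-level redirect.
BASELINE = {
    "https://cdn.widget-vendor.test/loader.js": b"renderWidget(document.getElementById('w'));",
    "https://www.publisher.test/static/app.js": b"initSite();",
}
FETCHED_LATER = dict(BASELINE)
FETCHED_LATER["https://cdn.widget-vendor.test/loader.js"] += b"top.location='https://redirect-target.test/';"

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body: sha256-<base64 digest>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def pin_scripts(bodies: dict) -> dict:
    """Record a pin for every reviewed script URL."""
    return {src: sri_hash(body) for src, body in bodies.items()}

def third_party_scripts(html: str, first_party_host: str) -> list:
    """Script includes served from a host other than the publisher's own."""
    return [src for src in SCRIPT_SRC.findall(html)
            if urlsplit(src).hostname != first_party_host]

def audit(html: str, first_party_host: str, pins: dict, fetched: dict) -> list:
    """Third-party script URLs whose current body no longer matches its pin.
    A script that was never pinned, or could not be fetched, is reported too."""
    drifted = []
    for src in third_party_scripts(html, first_party_host):
        body = fetched.get(src)
        if body is None or sri_hash(body) != pins.get(src):
            drifted.append(src)
    return drifted
```

The same pin placed in the script tag's integrity attribute (with crossorigin set) makes the browser refuse a changed file outright, but a loader that changes often or fetches further scripts at runtime escapes that check, so this audit complements vendor review rather than replacing it.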

The SEA says its attack on Outbrain also allowed it to compromise the websites of Time and CNN.

An Outbrain spokesperson confirmed that its service had been compromised. "We are aware that Outbrain was hacked earlier today," the spokesperson says in an online post. "In an effort to protect our publishers and readers, we took down service as soon as it was apparent.

"The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it's safe to turn it back on securely," Outbrain says. "We are working hard to prevent future attacks of this nature."

News of The Washington Post breach follows a number of other publicly disclosed nation-state attacks on U.S. media, including the attacks on The New York Times and other media sites by a Chinese hacking group, a group described in detail in Mandiant's APT1 report.

But experts noted that the SEA's attack was very different from the attack by the Chinese group.

"This latest breach of The Washington Post is a bit different than the highly publicized attacks a couple months ago of The New York Times and other news organizations," says Scott Parcel, CTO of application security vendor Cenzic. "While the previous attacks appeared to be aimed at getting at internal information, such as news sources, the attack on the Post is aimed at the users of the website. While sources are critical to news, if readers become afraid that simply visiting the site to read the news threatens their own computers with malware, then the readership could dry up quickly.

"Another important aspect of this breach is the relationship to the supply chain," Parcel continues. "Even though it was actually Outbrain that was breached, the Washington Post uses Outbrain as a content supplier, and the Washington Post now finds itself featured in news stories as having a security problem. This scenario is getting more and more common."

Roger Thompson, chief emerging threat researcher at ICSA Labs, agreed. "Any chain is only as strong as its weakest link, and in this case, it seems to be a third-party link that was 'weak' -- or if not weak, at least vulnerable," he says.

This isn't the first time that the SEA has attacked a website, notes Scott Hazdra, principal security consultant at Neohapsis, a security and risk management consulting company. "The SEA was first mentioned in 2011 in connection with the launch of its website," Hazdra recalls.

"Current information indicates that the SEA is a loosely organized group of like-minded, technologically savvy individuals acting collectively to bring attention to their group and their political agenda through attacking large, high-profile social networking and media organizations," Hazdra says. "There have not been any reported attacks where financial, credit card or health information was specifically targeted or compromised, but account information and passwords of individuals from other types of sites have been hacked and published.

"After compromising an account or website, the group typically posts fictitious stories and messages, or messages directed at particular individuals or groups, to draw attention to their agenda," Hazdra reports.

Richard Henderson, security strategist at Fortinet's FortiGuard Labs, says the attack on the Washington Post speaks to the need for better security at the user level.

"Based on what we know about the Syrian Electronic Army and previous attacks, it's very likely this followed the same M.O. -- a carefully researched spear-phishing campaign designed to target specific employees to deliver malware to steal credentials," Henderson says. "These attacks will continue to be successful as long as companies delay implementing technologies such as two-factor authentication to mitigate credential theft."

"The real question is: How many more examples of hacking on premier media companies do we have to have before the CEOs of those companies actually wake up and budget a proper amount of money to help the information security teams actually do their jobs?" asks John Prisco, CEO of endpoint security company Triumfant. "The management teams of these media companies really need to take a hard look at investing much more in cyber security defenses or this will keep happening.

"Media companies have obviously been under attack for quite some time, starting with the New York Times," Prisco observes. "The truth is, media corporations traditionally do not budget a significant amount of money to protect themselves from these sorts of attacks so they are way more vulnerable. Unlike some industries that stress protection like financial services, media corporations don't, so therefore they are easy pickings."

Barry Shteiman, senior security strategist at Imperva, agrees. "It makes lots of sense for a hacktivist group that wishes to display their message and show that they exist to go after high-end media," he says. "They have been actively hacking Twitter accounts of news sites and have recently escalated to hacking into the websites themselves to create awareness.

"There is also a high likelihood that these targets are using similar website platforms as well," Shteiman says. "The reason it is so interesting is that it paves the way for a crowd-sourced approach -- sharing attack data between companies -- to solve this problem. If one of those companies shared their threat intelligence on the attack and its characteristics, the others could have been prepared in advance."

Darien Kindlund, FireEye's manager of threat intelligence, wonders if the SEA's surface attack on the Washington Post website might have been a diversion from a more sophisticated exploit. "Sometimes, DDoS attacks are a smoke screen for other attacks," he observes. "In the past, the SEA has also been known to take information as a part of their campaigns. It is possible that the SEA wants to monitor Washington Post stories on Syria as China wanted to spy on the New York Times. There are certainly some people inside the Syrian government who would like to have access to such information."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
