
8/21/2013 11:35 PM

How Hacktivists Have Targeted Major Media Outlets

From the Washington Post and CNN to the Twitter feeds of the Associated Press and Reuters, hacktivists have news outlets, and their social-media presence, in their crosshairs

Global conflicts have increasingly led tech-savvy protesters and loyalists to express their views online by hacking, and while many groups have focused on attempting to damage or deface government websites, others have focused on getting the word out by attacking the media.

In the latest attacks, the Syrian Electronic Army (SEA), a group that supports Syrian President Bashar al-Assad, compromised third-party link network Outbrain, allowing the group to change some of the third-party content on at least four major news sites, including The Washington Post, Time, and CNN. Like other hacktivists, the SEA is looking to get its message out, and media sites offer the biggest payoff, says Jason Lancaster, senior intelligence analyst with HP Security Research.

"They are going after media, because they want to propagate their message," Lancaster says. "When they attack media organizations, even if they are not successful, their message is, in a way, still being propagated."

The attacks are not the first time the political hackers have taken a stand against media firms. In 2001, the Honkers Union of China defaced a number of sites, including news organization United Press International, protesting a collision between a U.S. spy plane and a Chinese fighter jet that resulted in the death of the pilot, Wang Wei. Last year, hackers claiming a link to Anonymous defaced and attacked websites in China to protest the country's censorship policies.

In the last three months, the Syrian Electronic Army has compromised numerous Twitter accounts, including those used by major news services, such as the Associated Press, Agence France-Presse (AFP) and Reuters. In addition, the group has hacked a variety of other news organizations, reportedly including National Public Radio (NPR), the British Broadcasting Corp. (BBC), and Al Jazeera.

First coming to light in 2011, the Syrian Electronic Army has not been positively linked to the Assad regime, but has taken a pro-Assad stance and criticized Western media for "fabricated and false news" about what is happening in Syria, according to Hewlett-Packard's analysis of the group.

The SEA has apparently refrained from attacking for financial gain, and instead focuses on gaining access to specific sites and posting fictitious stories supporting their agenda, says Scott Hazdra, principal security consultant for Neohapsis.

"Their mission is to post messages, deface a site, and cause disruption in such a way so that there is reporting on what they have done," Hazdra says. "That will draw attention to their agenda."

Phishing the media
In most cases, the hacktivists have used straightforward phishing techniques, sending tailored e-mail messages to a small number of media employees.

In the case of the hack of satirical news site The Onion, the e-mail read: "Dear The Onion Journalists: Please read the following article for its importance: [link] Thanks & Regards." The link in the e-mail message led to a malicious site that requested the user's Google Apps credentials before redirecting them to their Gmail account.

"Leveraging relatively simple methods like phishing isn't new, but it is fairly prevalent," says Ted Ross, director of field intelligence for HP Security Research. "It is still pretty easy to target and get an assistant or non-technical staff to click on a link and then get their credentials."

The same scenario played out in the hack of third-party online services Social Flow and Outbrain. Phishing e-mails landed in the inboxes of a number of employees of Social Flow, which helps companies manage social media campaigns. While in-house employees were quickly warned of the threat, the alert was slow in getting out to remote workers, the company stated in a post-mortem on the incident.

"Unfortunately, an employee working outside the office clicked on the link and entered an email address and password," Social Flow stated on its blog. "That person had publishing access to our Twitter account, Facebook account, and website."

[Breach at third-party service enables Syrian cyberattackers to gain access to Washington Post, Time, and CNN. See Washington Post Hacked By Syrian Electronic Army.]

Similarly, Reuters, Associated Press, and Outbrain have all blamed phishing campaigns for the compromise of their systems and accounts. Outbrain fingered a message that appeared to come from the CEO, while an AP employee said that "some of us received an impressively disguised phishing email."

Fewer third parties, more education
The breaches have demonstrated that many of the third-party widgets, plugins, and Web services used by media companies come with inherent risks. Publishers' pages are a mashup of a variety of third-party content, making the security of any displayed page reliant on the weakest link in the Web supply chain, says Chris Wysopal, chief technology officer of Veracode, an application-security firm.

"These websites pull ads and widgets from all over the place," he says. "People have no idea where all this data is coming from. I don't think a lot of people have thought about this threat model."

Veracode itself analyzed the risks when considering a third-party widget to allow users to easily post content from Veracode sites to their Twitter feeds, Facebook walls, and other social-media sites. The company's analysis found that the software service communicated with a wide variety of destinations, including sites in Russia, he says.

"We said, 'Wait a minute, what is this component doing?' It was pulling code from a bunch of other sites," he says. "We decided that we couldn't know what was going on, and so we created the functionality ourselves."
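The widget review Wysopal describes comes down to inventorying what a page loads and from where. The script below is an added example, not code from the article or from Veracode: it parses a page's HTML, resolves every script, iframe, stylesheet, image, embed and object reference to an absolute origin, reports the origins that are not on the publisher's own allowlist, and separates the ones that deliver active content (and so can change what readers see) from passive ones such as images. The sample page, the hostnames and the first-party allowlist are constructed for the example.

```python
"""Inventory the third-party origins a published page loads content from.

Added example, not code from the article or from Veracode. The page, the
hostnames and the first-party allowlist below are constructed for the demo.
Standard library only, so it runs offline against saved HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the resource the browser will fetch.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
}
# Tags whose resource executes or renders as part of the page and can therefore
# alter it, as opposed to passive content such as images.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetched resource in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        if not value:
            return
        # Only <link> elements that load a stylesheet are rendered into the
        # page; icon and canonical links are skipped.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        # Relative and scheme-relative ("//cdn...") URLs resolve against the page URL.
        self.refs.append((tag, urljoin(self.page_url, value.strip())))


def origin_of(url):
    """Return scheme://host[:port] for network URLs; None for data:, javascript: etc."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def third_party_origins(html, page_url, first_party):
    """Map each origin outside `first_party` to the sorted tags that load from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.refs:
        origin = origin_of(url)
        if origin is None or origin in first_party:
            continue
        found.setdefault(origin, []).append(tag)
    return {origin: sorted(tags) for origin, tags in found.items()}


def active_origins(found):
    """Origins that deliver active content and so can change what readers see."""
    return sorted(o for o, tags in found.items() if any(t in ACTIVE_TAGS for t in tags))


# Constructed sample: a news page pulling a recommendation widget, an ad slot
# and a photo from hosts outside the publisher's own.
PAGE_URL = "https://www.example-news.com/story/123"
FIRST_PARTY = {"https://www.example-news.com", "https://static.example-news.com"}
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://static.example-news.com/site.css">
<link rel="icon" href="https://favicons.example-cdn.net/news.ico">
<script src="/js/app.js"></script>
<script src="//cdn.widget-example.net/recommend.js"></script>
</head><body>
<img src="https://images.example-photos.net/lead.jpg">
<iframe src="https://ads.example-adnet.com/slot?id=1"></iframe>
<script src="data:text/javascript,void(0)"></script>
</body></html>
"""

if __name__ == "__main__":
    found = third_party_origins(SAMPLE_PAGE, PAGE_URL, FIRST_PARTY)
    for origin, tags in sorted(found.items()):
        print(f"{origin}: {', '.join(tags)}")
    print("active third-party origins:", active_origins(found))
```

The static inventory only shows the first hop; a widget's loader will itself fetch from further origins at runtime, which is what Veracode saw when it traced the component's traffic. Running the same collector over the responses those loaders return, or comparing the list against the origins observed in a browser's network log, closes that gap.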

Triaging the threat from third-party widgets is not enough. Companies also have to minimize their attack surface area, and a large source of exposure is uneducated employees willing to click on phishing links. While attackers will generally be able to craft a message to fool just about anyone, companies should raise the bar by teaching employees not to click on links from unknown sources, says Neohapsis's Hazdra.

"Every organization is vulnerable to spearphishing attacks, because even people who are trained can get tricked," he says. "But there are a wide variety of controls that can make it harder for the attacker and minimize damage when they succeed."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
mmcgann334, User Rank: Strategist, 8/23/2013 | 3:38:19 PM
re: How Hacktivists Have Targeted Major Media Outlets
Good read and info. This is a big problem and very prevalent!
trussell175, User Rank: Apprentice, 8/24/2013 | 2:48:04 AM
re: How Hacktivists Have Targeted Major Media Outlets
I don't know why these "hacktivists" are going after news organizations like the Washington Post. They should concentrate their focus on yellow-journalism "news" outlets like Fox News and Breitbart.