How the Washington Post was hijacked by the Syrian Electronic Army (again)

The Syrian Electronic Army appears to have successfully scalped another high profile media outlet, briefly hijacking the mobile version of the Washington Post website to display pop-up messages claiming that the media is not telling the truth.

For a period of approximately 30 minutes, visitors to m.washingtonpost.com found they were greeted not by the latest news, but by alert boxes saying:

“You’ve been hacked by the Syrian Electronic Army”

“US govt is training the terrorists to kill more Syrians”

“Saudi Arable and its allies are killing hundreds of Yemens [sic] people every day!”

“The media is always lying”

All fairly standard fare for the notorious Syrian Electronic Army (SEA), who have previously targeted many media outlets including Reuters.

It’s not even the first time that the SEA has attacked the Washington Post. In August 2013 the hacking group successfully redirected readers attempting to read Washington Post articles to the pro-Assad SEA’s website instead.

On that occasion, the hackers managed to compromise the internal email system of Outbrain, a company which provides those “You might also like” content recommendations at the end of articles, and access admin panels to send people browsing news stories on CNN, Time magazine, and the Washington Post to the SEA’s own site instead.

In this latest incident, as Motherboard reports, the hackers claim that they broke into systems belonging to Instart Logic, the content delivery network (CD)B) used by the Washington Post:

“We hacked InStart CDN service, and we were working on hacking the main site of Washington Post, but they took down the control panel. We just wanted to deliver a message on several media sites like Washington Post, US News and others, but we didn’t have time :P.”

Chances are that Instart Logic was itself hacked through a combination of phishing and social engineering, the elementary but effective tricks most commonly used by the Syrian Electronic Army to break into systems and steal passwords.

In short, the Washington Post‘s own systems were not hacked, but those of one of their technology providers was.

The public impact, however, is the same. As far as visiting readers were concerned they visited the newspaper’s website from their mobile phone and saw unauthorised comment claiming that the site had been hacked. That, clearly, is not good for a newspaper brand’s image.

Washington Post chief information officer Shailesh Prakash confirmed the security breach, and reassured readers that no data had been stolen and that the situation was now under control:

“The Washington Post`s mobile homepage and some section fronts on the mobile site were redirected to a site that claimed to be run by the Syrian Electronic Army. The situation has been resolved and no customer information was impacted.”

The message is clear. Not only do you need your own systems to be hardened against malicious hackers. You also need to ensure that your third-party suppliers are also taking security seriously. Otherwise, it could be your company’s name that is appearing in the hacking headlines.