Industry News

How the Washington Post was hijacked by the Syrian Electronic Army (again)

The Syrian Electronic Army appears to have successfully scalped another high profile media outlet, briefly hijacking the mobile version of the Washington Post website to display pop-up messages claiming that the media is not telling the truth.

hacked-media

For a period of approximately 30 minutes, visitors to m.washingtonpost.com found they were greeted not by the latest news, but by alert boxes saying:

“You’ve been hacked by the Syrian Electronic Army”

“US govt is training the terrorists to kill more Syrians”

“Saudi Arable and its allies are killing hundreds of Yemens [sic] people every day!”

“The media is always lying”

hacked-sea

All fairly standard fare for the notorious Syrian Electronic Army (SEA), who have previously targeted many media outlets including Reuters.

It’s not even the first time that the SEA has attacked the Washington Post. In August 2013 the hacking group successfully redirected readers attempting to read Washington Post articles to the pro-Assad SEA’s website instead.

On that occasion, the hackers managed to compromise the internal email system of Outbrain, a company which provides those “You might also like” content recommendations at the end of articles, and access admin panels to send people browsing news stories on CNN, Time magazine, and the Washington Post to the SEA’s own site instead.

In this latest incident, as Motherboard reports, the hackers claim that they broke into systems belonging to Instart Logic, the content delivery network (CD)B) used by the Washington Post:

“We hacked InStart CDN service, and we were working on hacking the main site of Washington Post, but they took down the control panel. We just wanted to deliver a message on several media sites like Washington Post, US News and others, but we didn’t have time :P.”

Chances are that Instart Logic was itself hacked through a combination of phishing and social engineering, the elementary but effective tricks most commonly used by the Syrian Electronic Army to break into systems and steal passwords.

In short, the Washington Post‘s own systems were not hacked, but those of one of their technology providers was.

The public impact, however, is the same. As far as visiting readers were concerned they visited the newspaper’s website from their mobile phone and saw unauthorised comment claiming that the site had been hacked. That, clearly, is not good for a newspaper brand’s image.

Washington Post chief information officer Shailesh Prakash confirmed the security breach, and reassured readers that no data had been stolen and that the situation was now under control:

“The Washington Post’s mobile homepage and some section fronts on the mobile site were redirected to a site that claimed to be run by the Syrian Electronic Army. The situation has been resolved and no customer information was impacted.”

The message is clear. Not only do you need your own systems to be hardened against malicious hackers. You also need to ensure that your third-party suppliers are also taking security seriously. Otherwise, it could be your company’s name that is appearing in the hacking headlines.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • “The Syrian Electronic Army appears to have successfully scalped another high profile media outlet, briefly hijacking the mobile version of the Washington Post website to display pop-up messages claiming that the media is not telling the truth.”

    Well I was following it until the part about claiming the media is not telling the truth. At that moment I knew the SEA was telling the truth. I’ll refrain from getting in to the discussion of training foreign fighters because anyone who pays attention to history knows what I’m thinking of already. Anyone else is another example of history repeating itself. You know, sort of like the Washington Post being compromised again… probably the same tactic, too?

    “.. saw unauthorised comment claiming that the site had been hacked. That, clearly, is not good for a newspaper brand’s image.”
    Well all things considered, it might as well have been breached.

    “Not only do you need your own systems to be hardened against malicious hackers. You also need to ensure that your third-party suppliers are also taking security seriously.”

    I wish more would tell this to Kevin Mitnick but I suppose he’ll not care anyway because it isn’t his fault (when his company was breached twice and both times it was the host at fault and not his) any more than his (second not to mention first time) trouble with the law is (was) his fault (entirely). But forget about him or anyone in particular. Yes, just like security at one premise is a many-layered thing, many premises work together (or work against each other) and if you rely on someone (or some organisation) then their success or failure will make or break you.

    Ironically there’s one thing that many do not understand but it would really help their own reputation if they did (which is what they want in the first place!), and that is this: admit your mistakes including security breaches; you have nothing to gain by (try) hiding it because when it is discovered others will think more than you were just a victim of an attack (which can happen to anyone, even those in to security) – they’ll think of you as someone who is ashamed to admit to mistakes, ashamed even when it risks others (e.g. customer) information (or otherwise to try to keep their reputation all positive). Worse is they’ll see you as one who covers up (read: deceit through lies and secrecy) in order to save your own reputation. Well by doing that your reputation will be tarnished when more people find out (and rightfully so – you betray their trust for what you think is your own good). Fixing that will take a lot more time and effort than just admitting it and doing everything you can to resolve it in an upfront, mature and professional manner.