The Washington Post and the U.S. Department of Energy hacked: a lesson for others

Within a few days in the middle of August, reports of massive cyber attacks against the U.S. media surfaced, more specifically, at the Washington Post, CNN and Time, as well as at the U.S. Department of Energy. These incidents are hard to overlook, even though the criminals used well-known techniques to invade the networks.

The first attack targeted the Washington Post. Managing editor Emilio Garcia-Ruiz wrote in the editorial blog that some “Syrian Electronic Army” (SEA) had subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. But that was only a small piece of the attack. The fact that for 30 minutes some articles on their website had been redirected to the Syrian Electronic Army’s site was far more serious.

According to Garcia-Ruiz, the alleged Syrians gained access to elements of their site by hacking one of WP’s business partners. The attack worked because of a vulnerability in Outbrain, a third-party content recommendation service.

Outbrain works by embedding a widget filled with sponsored links on websites. “It seems as though once the SEA had hacked Outbrain, that gave them access to redirect readers on certain pages to SEA-controlled sites,” Garcia-Ruiz wrote.

An Outbrain spokesperson soon confirmed that its service had been compromised. They took down service “as soon as it was apparent.” Alas, the invasion was apparent to more than just Outbrain and the Washington Post’s employees.

The Syrian Electronic Army said in turn that their “warriors” managed to compromise the sites of Time and CNN in the same way.

Major U.S. media sources are used to being the targets of attackers, but in this case the criminals prepared carefully. They used spearphishing to plant malicious software on their victims’ computers, and then had the malware steal the username and password for the targeted Twitter account, taking it under control. The personal Twitter account of an employee of one of the largest and most prestigious newspapers turned into a loudspeaker. Mission accomplished.

How was Outbrain hacked? Exactly the same way: it took just one hapless employee lured by a fake letter purporting to be from Outbrain’s CEO. The victim entered his or her login and password on the fake resource, and the SEA got access to the control panel of the service.

It is remarkable that two hours passed from the moment the hackers began changing Outbrain’s settings until the company’s employees detected the intrusion.

Here are the important facts. Firstly, to conduct a successful spearphishing attack, intruders should have sufficient information about their potential victim so that he or she won’t suspect anything. Secondly, the attackers have to bypass antiphishing tools, if there are any. The one thing lacking in the case of Outbrain was two-factor authentication.
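The Outbrain lure described above (a message purporting to come from the CEO) is the pattern a basic anti-phishing filter can catch before a user ever sees the login form. The following is an added example, not code from the article or from any company it mentions; the internal domain, the executive roster and the sample messages are all constructed for illustration.

```python
"""Added example (not from the article): flag executive-impersonation mail
of the kind used against Outbrain. Domain, roster and samples are constructed."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # hypothetical company domain
EXECUTIVES = {"Jane Doe"}         # hypothetical names an attacker might borrow


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def looks_like_internal(domain: str) -> bool:
    """True for a domain that resembles ours but is not ours (e.g. examp1e.com)."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    brand = INTERNAL_DOMAIN.split(".")[0]
    similarity = SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio()
    return brand in domain or similarity >= 0.8


def classify(raw_message: str) -> str:
    """Return one of: impersonation, lookalike, reply-to-mismatch, ok."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    # A known executive's display name on an external address is the classic lure.
    if name.strip() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        return "impersonation"
    if looks_like_internal(from_domain):
        return "lookalike"
    # Sender looks internal, but replies are routed to an outside mailbox.
    if from_domain == INTERNAL_DOMAIN and reply_domain and reply_domain != INTERNAL_DOMAIN:
        return "reply-to-mismatch"
    return "ok"


# Constructed sample messages (headers only).
SAMPLES = {
    "ceo_external": "From: Jane Doe <jane.doe@mail-cloud.net>\nSubject: urgent login\n\n",
    "lookalike": "From: IT Support <helpdesk@examp1e.com>\nSubject: password reset\n\n",
    "reply_to": "From: Payroll <payroll@example.com>\nReply-To: hr@outside.net\n\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: hello\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} -> {classify(raw)}")
```

Such a filter is a first line of defence only; as the article notes, the credential theft would still have been contained by two-factor authentication on the control panel.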

There are already assumptions that the attacks of the Syrian Electronic Army might have been used to disguise more complex and important operations (such as planting a zero-day exploit or a backdoor on media sites to track information and its sources).

Actually, these suspicions are not groundless. Exerting such efforts just for a number of posts in Twitter and redirecting several thousand visitors at best to one’s own resources is unseemly. However, there is no practical evidence to support this hypothesis. Moreover, Outbrain’s statement claimed that they managed to detect all the changes made by hackers and recover the settings. They involved outside specialists to investigate the case to be on the safe side.

The SEA did not stop after attacking the Washington Post and Outbrain: a few days ago they reportedly replaced the domain information of many sites, including The New York Times’ web page and some Twitter account domains. This time they managed to hack the domain registrar. Their victim was most likely from Melbourne IT, the company providing the services for the affected resources.

The second incident looks much more serious. Firstly, the target of the attack was the U.S. Department of Energy. Secondly, the attack resulted in a massive leak of personal data of the Department’s employees. Judging by the Department’s internal correspondence published by the Wall Street Journal, the personal data of 14,000 current and former employees was compromised. Hackers managed to steal the data by cracking the sanctum sanctorum – the Department’s HR system.

The Department had already been hacked in February of this year, but that leak was much smaller: the personal information of “just a few hundred people” leaked. Either way, becoming a victim of cyber attacks twice in a year is a real reputation disaster.

According to Alan Paller, the founder of the SANS Institute, both the recent and the February attacks are part of a “long-term, intensive campaign to take over large numbers of systems to gain permanent access to sensitive U.S. systems.” Previously such statements were likely to be dismissed as a far-fetched conspiracy theory, but now, after the disclosure of a number of large cyber espionage campaigns like NetTraveler, statements of this kind have to be taken seriously.

Unfortunately, the seriousness of the situation is often grasped only after an incident has occurred (and even that was not enough in the case of the U.S. Energy Department). A few months earlier, Chinese hackers had conducted an attack on the New York Times. In theory, such an attack should have led other administrators of large media corporations and news agencies to think about increasing data security.

Yet the means of combating phishing are well developed and effective, and enabling two-factor authentication is not rocket science. Early deployment of these security technologies, as well as training ordinary non-technical staff to distinguish phishing messages from legitimate ones, would have saved a lot of trouble.

There is hope that the WP and the Department of Energy’s grievous experience will become an example for others though, as well as the reason to deploy adequate protection.