Syrians Claim U.S. Army Website Hack
Army Takes Site Offline After Apparent CDN Breach
The Syrian Electronic Army has claimed credit for defacing the U.S. Army's public-facing website with propaganda. Following the defacement, which occurred June 8, the army.mil website went offline, and remained offline as of early June 9.
A U.S. Army spokesman says that officials took the site offline after the attack, pending related fixes. "Today an element of the Army.mil service provider's content was compromised," Brigadier General Malcolm Frost, chief of Army public affairs, said in a June 8 statement. "After this came to our attention, the Army took appropriate preventive measures to ensure there was no breach of Army data by taking down the website temporarily."
The Army website defacements follow the January disruption of the U.S. Central Command's Twitter and YouTube accounts, after apparent ISIS sympathizers posted propaganda, as well as apparent links to contact information for members of the U.S. military (see U.S. Central Command's Accounts Hacked). U.S. officials described the attack against the public-facing informational website as a case of "cybervandalism." They said there was "no operational impact to U.S. Central Command" or secure military networks and noted the compromise lasted only for about 30 minutes.
Limelight CDN Compromised?
In the case of the U.S. Army website hack, the SEA claims in a June 9 statement that it was able to access the content delivery network used by the Army. "The SEA was able to intercept the content paths after discovering an exploit in the [control] panel that provide (sic) the ability to edit the protected content paths," it says. "The SEA posted on the hacked website several messages calling [on] the U.S. military to stop training terrorists in Turkey and Jordan." The group has threatened to publish unspecified information that it says it obtained from the attack at a future date.
The U.S. Army Public Affairs Office did not immediately respond to a request for comment about the SEA's claims or the identity of its CDN. But security experts say that if the Army's domain name system settings were altered, then even after they were restored to their correct values, the change could take 24 hours to propagate across the Internet, because cached copies of the altered records persist until they expire. Furthermore, one of the images published by the SEA shows a control panel for Limelight Networks, which operates a global, private CDN.
Reached for comment, a Limelight spokeswoman said in a statement: "We take security concerns extremely seriously and, in an abundance of caution, we are conducting a full investigation. At this point we have no reason to believe any customer data has been compromised."
"The credentials for the control panel could have been compromised via a phishing attack or brute force," says Ken Westin, a senior security analyst at security software firm Tripwire, in a blog post. "From the information provided at this point, it does not appear that this is part of a larger breach of an actual server or military network." Likewise, the Army has said that the compromised website did not contain classified data or any information relating to members of the armed services or civilian employees.
Syrian Civil War
The SEA backs the regime of Syrian President Bashar al-Assad in the country's bloody civil war, which began in 2011. The Syrian Observatory For Human Rights believes that 320,000 people - half of them civilians - have died as a result of the conflict.
According to screen grabs posted to Twitter by the SEA, one of the messages it posted read: "Your commanders admit they are training the people they have sent you to die fighting." Another screen grab, posted by Mikko Hypponen, chief research officer of anti-virus firm F-Secure, called the U.S. government "corrupt."
12 hours after getting hacked, http://t.co/9mwRSjZY6i remains down.
https://t.co/p6r2RFy4Sr
pic.twitter.com/qdmSWhuo1K
- Mikko Hypponen (@mikko) June 9, 2015
History of Defacements
The SEA's propaganda refers to the White House in May sending 123 soldiers to Turkey as part of an effort to train opposition forces in the Syrian war. The Obama administration has also left a force of 1,500 soldiers in Jordan, to bolster King Abdullah II, who has been backing Syrian rebels, as well as to train opposition forces, including Iraqi troops. U.S. officials say those moves are also an attempt to contain the spillover from Syria's civil war.
The SEA favors high-impact, but easy-to-launch, disruptions, often focusing on news outlets - ranging from the Associated Press and the BBC to the Al-Jazeera news service and mock news site the Onion - to protest coverage of Assad that it finds unfavorable. In 2013, for example, the group claimed credit for hacking nine websites, including The New York Times and Twitter, in part by gaining access to their domain name system settings, and redirecting them to attacker-controlled sites. While Twitter recovered quickly from the attack, the Times experienced several days of related outages (see Times, Twitter Attacks Raise New Alarms).
While the SEA appears to operate as a propaganda arm for Assad's regime, it isn't clear who is in the group, whether it is sponsored by Assad's regime, or where it might be based. But on the SEA website, the group describes itself as comprising "enthusiastic Syrian youths," and denies reports that it is funded by the Syrian government. "The Syrian youth have power and experience so we don't need funding," it says.