Syrian Electronic Army hacks newspapers and tech firms via 3rd party website

The 'Syrian Electronic Army' is reported to have hacked the websites of UK newspapers The Independent, The Telegraph and the Evening Standard - as well as a host of global companies.

Syrian Electronic Army hacks newspapers and tech firms via 3rd party website
Syrian Electronic Army hacks newspapers and tech firms via 3rd party website

Detailing its activities on Twitter earlier today, the group said that it was behind the hacking of several high-profile websites including The Independent, OK Magazine, the Evening Standard, the Telegraph, and America's National Hockey League – with most of these websites showing a Javascript pop-up with the message “you have been hacked by the Syrian Electronic Army”. Other websites were directed to a page on image hosting site Imgur which showed the group's logo – which is of an eagle and a version of the Syrian flag.

“Happy thanks giving, hope you didn't miss us! The press: Please don't pretend #ISIS are civilians. #SEA", read the group's Twitter post.

The attack is so wide-range that has also affected websites from Dell, Microsoft, Ferrari, Unicef and French football club Toulouse FC and other media outlets such as The Guardian, The Daily Express, CNBC, PC World and Italy's la Repubblica – although there is no evidence yet that any targets have lost any personally identifiable information.

However, unlike most other data breaches, the hack resulted from the compromise of a third-party service, rather than the websites themselves.

The third-party in question is believed to be GoDaddy-owned marketing company (CDN) Gigya, which is used by some 700 leading brands including the publishers behind The Independent, CNBC and Boston Globe (which was also affected). The SEA has posted screenshots of the company's service being used, while Gigya itself has confirmed it was affected.

“Some calls to Gigya domains were redirected to the hackers site or showed a hacking message to end users”, said the firm in a statement.

“It might take some time until the changes propagate to all users. We have worked with GoDaddy to resolve the issue and the redirection was removed.”

It has been suggested that the SEA may have used social engineering techniques to gain credentials at GoDaddy, and then direct Gigaya domains to websites controlled by hackers. This is otherwise known as DNS hijacking.

The Independent detailed how it was affected, while The Telegraph took to Twitter to confirm that a third-party was compromised. “We've removed the component. No Telegraph user data was affected. Thanks to those who've flagged it,” said the firm.

Speaking to The Guardian earlier today, Ernest Hilbert, a security consultant at Kroll Cyber, agreed that “it was Gigya. It is a DNS takeover, and this is what the Syrian Electronic Army does. Normally, you type in a URL, it goes to a domain name server, and it says ‘those words equal this website'.

“But not every user can get in through one connection, particularly at bigger sites. A CDN means that, because you can't all fit in through the same door, it sends you to another one, another version of the content. And one of those versions, which hosts copies of all these affected sites, appears to have been compromised by the Syrian Electronic Army.”

The pro-Bashar al-Assad group first appeared in 2011 (when the Syrian civil war began) and has since defaced hundreds of websites, including those of the New York Times, Forbes, The Huffington Post, eBay and PayPal.

Previously, the group has carried out such attacks by sabotaging other third-party networks like the Taboola content management system, or by carrying out phishing attacks to get access to credentials.

This was the case with the Forbes attack earlier this year, while in 2013 the SEA sent spoof emails to staff at The Guardian encouraging them to reset passwords via a malicious link. It then used the stolen passwords to leverage greater privilege rights inside the organisation, before compromising Twitter accounts linked to the newspaper.

Raj Samani, CTO EMEA at McAfee, said in an email to SCMagazineUK.com:  “This particular hack would appear to echo what was done against the NYT last year by editing the DNS records to point to systems of their choosing.  However, unlike before this would appear to be related to the comments platform rather than the site itself, such an attack would involve an element of social engineering in order to appear as an authorised party that can change such records. 

“It is however worth noting that the registrar does appear to offer 2-factor authentication, so questions about whether this was used by affected account holders will likely surface.”

Jen Weedon, principal threat intel analyst at the FireEye-owned Mandiant, added in an email to journalists: “While we haven't verified the reports that the Syrian Electronic Army has “hacked” the websites of, among others, some high profile British news outlets' websites, this is in keeping with the group's previous activity. The group's primary MO is to make a statement about their political affiliation (pro-Syrian regime), or brag that they've gained access to or “hacked” victims. The SEA regularly targets western news organizations.  

“Some have stated that they believe the SEA somehow compromised an ad network, and that websites hosting the ads are now displaying the message “You've been hacked by the Syrian Electronic Army.” This opens up the door for wider propagation of their message as essentially the ad network is doing their work for them.