The attackers may have gained access to the accounts using social engineering, according to security experts.
“We can confirm that the CENTCOM Twitter and YouTube accounts were compromised earlier today,” a Central Command spokesperson said. “We are taking appropriate measures to address the matter. We have no further information to provide at this time.”
Both accounts have since been taken offline, but not before the hackers – who seem to be supporters of the Islamic State – tweeted threatening messages and links to military documents, according to a report by The Washington Post.
Ian Amit, vice president of ZeroFOX, said in a Monday email that all of the military documents are actually public domain, and the attackers repackaged the documents to look as though the data came from a real breach.
“These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access,” Amit said. “In truth, they likely only stole a password, either through a phishing scam or a brute-force attack.”
Although the action is more cyber-vandalism and had no great impact, privacy expert Lance Cottrell, chief scientist at Ntrepid, noted in an email to SCMagazineUK.com: “The message this sends is that official accounts on non-official platforms are highly vulnerable. For example, in 2013 false information on a hacked AP social media account claiming there were explosions at the White House caused a market flash crash.
“There was clear potential for similar harm from this kind of attack, but it was not taken advantage of. And this is unlikely to do any massive harm because there are so many other sources of information to correct it.
“Hacking is a constant, and there were lots of valuable documents at risk. But in this case, it looks like nothing significant was taken. The attackers are winning because of the attention they are getting rather than because of any actual damage from the attack.”
In a Monday email correspondence, Trey Ford, global security strategist with Rapid7, told SCMagazine.com that the attackers could have scouted ahead and then used social engineering to trick someone into giving out credentials.
“On account investigations, I have routinely found community managers and social media/marketing folks tying their personal Gmail accounts to corporate personas,” Ford said, going on to add, “Taking control of the right user's email would allow attackers to reset the corporate Twitter account password.”
Tweets started being posted from the @CENTCOM Twitter account around 12:30 p.m. on Monday, according to The Washington Post, which posted images that show one message as saying, “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” The Twitter profile photo and the backgrounds for both accounts were also changed, showing the term: “CyberCaliphate.”
Last week, tweets and images in support of the Islamic State – and including the term CyberCaliphate – appeared on the Twitter feeds of the Albuquerque Journal, CBS and Fox affiliates in Delmarva, Maryland, and a station in Tennessee.
“This attack looks to be the same actors as the WBOC and ABQJournal attacks last week,” Amit said. “The verbiage is the same, the behaviour is the same, the hashtags are the same – all indicators suggest this is the same group.”
Ford noted that document dumps in the Sony hack were laced with malware, and that the documents in this instance may be part of a malware campaign targeting military analysts and their families.
Robert Capps, senior director of customer success at RedSeal, a security analytics company, concurred, stating in an email to press: “There are two separate attacks of note: (1) The takeover of CENTCOM's social media presence is embarrassing; and (2) A possible intrusion into CENTCOM's network is dangerous.
“Attacks on the social media presence of an organisation are intended to embarrass the targeted group and make headlines, but they are far less impactful than an intrusion into the organisation's internal network. Even though social media attacks are quite visible, they aren't generally indicative of a significant security issue within the attacked organisation. These attacks rarely occur due to a compromise of the social media service itself. And they are not limited to large organisations or government entities - consumers are also at risk.
“More troubling is the possibility of a network infiltration. The cyber-criminals who perpetrated this attack are claiming that they have or had access to one or more CENTCOM networks. If true, it would illustrate the fact that no one is immune to cyber-attack and resulting network intrusions, and that we have a lot of work ahead of us as a nation to harden our cyber-defences against attack.
“The takeaways for consumers and businesses? Always use strong passwords, and don't reuse passwords across multiple sites. And make sure you keep your computer operating systems and security software updated with the latest updates.”