The Syrian Hackers Are Winning. Here’s Why.

Readers who clicked on Outbrain-recommended stories on the Washington Post site were redirected to the Syrian Electronic Army’s homepage.

Screenshot / Syrian Electronic Army homepage

Syrian hackers struck again Thursday in a clever attack that affected the websites of the Washington Post, Time, CNN, and possibly other major media outlets. Readers who clicked on certain stories were reportedly directed to the Syrian Electronic Army’s homepage.

What looked at first like a targeted attack on the Post now appears to have been both more subtle and more widespread. Rather than simply hitting the Post or other media sites directly, the hackers apparently infiltrated the servers of Outbrain, a third-party service used by the Post, Time, CNN, Slate, and many other sites across the Web to recommend stories to their readers. The attack is the clearest signal yet that the Syrian Electronic Army, or SEA, has graduated from hijacking media outlets’ Twitter feeds to more serious and complex hacks. And it comes a day after a self-described SEA leader told the Daily Beast that the group was stepping up its attacks in retaliation for Twitter’s efforts to keep it off the microblogging site.

The attacks came a day after the New York Times’ website suffered a two-hour outage due to what the paper’s officials believe was an unrelated internal problem. There’s no evidence the SEA was involved.

In contrast, the SEA immediately claimed responsibility via Twitter for Thursday’s attacks.

Outbrain confirmed the hack and said it had pulled its recommendations from sites across the Web until it could fix the problem. It seems the Post was also targeted directly, as the paper’s managing editor reported that newsroom employees had been hit with SEA phishing attacks earlier in the week. So far it does not appear that the attacks inflicted permanent damage—but they pose plenty of cause for concern.

Over the past year, the Syrian Electronic Army has hit a virtual who’s-who of major media outlets, from Reuters to NPR to the Onion, mostly via email phishing attacks that trick employees into giving up their social-media credentials so that the SEA can hijack their Twitter feeds. The most notable example came in April, when the group used the Associated Press Twitter account to send out false reports of an explosion at the White House, sending a shockwave through the stock market. Here’s the phishing email that hooked AP employees.

That’s probably about the most damage you could hope to cause simply by hijacking a Twitter feed. But today’s Outbrain attack was different, and potentially more insidious, with the group apparently infiltrating the company’s servers to gain access to its administrative panels. Writing for the blog E-Hacking News, security researcher Sabari Selvan reported that he had interviewed one of the hackers involved:

Speaking to E Hacking News, [the] hacker said that the admin panel of Outbrain is hosted in the local server.  However, they managed to login into the panel with the help of VPN and access panel.  The group also told EHN that they have compromised emails of Outbrain.

That’s consistent with a story in The Register earlier this month, which reported that the group’s hacks have grown more sophisticated of late, and the targets have branched out from news websites to online telephone directories and voice-over-IP apps. Today’s Outbrain attack is indicative of an even more recent focus on third-party services widely used by U.S. media outlets. Earlier this week the SEA hacked Socialflow, a social-media content-management service.

Just yesterday, the Daily Beast’s Brian Ries interviewed a self-described SEA leader who claimed the group was stepping up its attacks in response to Twitter’s takedown of its official feed. From the Daily Beast:

“Our account has been closed 15 times,” the hacker said in an interview conducted over the hackers’ medium of choice, Twitter. “We warned that we will hack the Twitter accounts of the mass media if Twitter closed our accounts again. They closed our accounts, and so we have implemented the threat.”

The Syrian Electronic Army’s main goal, the hacker told Ries, is to show the world the “truth” about Syria—that “there is no revolution in Syria, but [only] terrorists groups killing people accusing Syrian Arab Army.”

So far the attacks seem more likely to simply annoy people than convince them of the group’s point of view. But they highlight the rather startling vulnerability of even the biggest-name media websites to cyberattacks. And in theory, the type of access that the SEA gained to Outbrain’s servers today could have been used to wreak more serious havoc on other Web services in the future.

For now the damage seems to have been contained. Outbrain reported in an update that “the breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure that it’s safe to turn it back on securely.”

Over the years, major banks, Internet companies, and governmental organizations have gotten much better at defending themselves against cyberattacks. But the SEA’s string of successful hacks shows that the same isn’t necessarily true of major media organizations, nor the mid-sized tech, media, and communications startups that many larger companies rely on for various services. That’s understandable—these companies are busy running their core business and would prefer not to expend time and money building in security redundancies and putting their employees through a battery of anti-phishing exercises. But today’s attacks show that the SEA recognizes this, and they’ll continue to exploit it until or unless these companies adapt.