The Syrian Electronic Army (SEA), pro-Assad hackers who have targeted various accounts on Twitter maintained by the media, including the Associated Press, three accounts maintained by CBS News, eleven accounts maintained by Britain’s The Guardian, have struck again – this time targeting Thompson Reuters and email accounts used by the White House Staffers in charge of social media.
The goal of these attacks was to spread pro-Assad messages, supporting the Syrian leader whose government is entrenched in a civil war that has lasts more than two years, and resulted in more than 93,000 deaths.
The story was first reported by Nextgov.com, and later confirmed by SEA representatives. The White House staffers were phished by a set of emails that purported to have originated from the BBC and CNN. The social engineering scheme netted the attackers access to three separate accounts, which were then used to further phish other White House staffers. Fortunately, the attack failed. However, the SEA didn’t seem to be bothered by this development, as they released what were alleged to be old Twitter passwords for the @whitehouse account on Tuesday, warning them that they’d “gotten lucky this time.”
It isn’t clear if the incident happened during or after the White House attack, but the SEA also targeted the Twitter account maintained by Thompson Reuters, which was used to spread pro-Assad messages until it was suspended late Monday evening. By Tuesday afternoon, the account had been restored to its status prior to the compromise.
“The Twitter effect is very common – where we see breaking news hit Twitter in some cases before it hits online news sources. Since the social network is becoming increasingly popular as a news source, if attackers can compromise key accounts that have influence over how users get information, they can potentially cause confusion,” said Scott Behrens, senior security consultant at Neohapsis.
Like the previous attacks on the other media owned accounts, the SEA’s attack on Thompson Reuters was done for propaganda and the amusement of those who carried out the attacks. Part of the SEA’s amusement comes from the fact that many of the companies targeted fall victim to basic social engineering techniques, despite the fact that they have established security policies in place for social media and awareness training.
In May, Twitter released a memo on the SEA attacks, and reminded media firms about best practices and encouraged them to revisit their own policies for social media security. At the time, Twitter said that they believed the attacks were originating via Phishing attacks, and that they would continue, as it was clear “that news and media organisations will continue to be high value targets to hackers.”
As of Tuesday afternoon, the SEA accounts related to yesterday’s incidents were either silent or suspended. The group had created other accounts, and warned Twitter that suspending the additional profiles would result in additional hacking.