A raid by the Syrian Electronic Army (SEA) on the Washington Post this week was aided by a successful phishing attack on the one of its journalists, the newspaper has confirmed. But how did the atttackers penetrate its defences?
According to the Post, the attackers gained access to the Twitter account of an unnamed journalist, using it to post pro-SEA messages in the rapid-fire style that has become the group’s calling card in numerous other take-overs.
In addition, “for 30 minutes this morning [15 August], some articles on our web site were redirected to the Syrian Electronic Army’s site,” the paper said in a brief web statement, a compromise attributed to an attack on business partner, Outbrain.
However, an internal Post email published by security sleuth Brian Krebs (himself a former Washington Post staffer) explains that the SEA attack had earlier successfully hacked the email account of at least one journalist, sports writer Jason Reid.
Reid is said it have fallen for a phishing attack that spoofed the newspaper’s Outlook Web Access email system on Monday 12 August. Armed with access to his account, the attackers then sent what appeared to be emails to other Washington Post journalists, almost certainly attaching keyloggers that would be used to capture new logins, including those for Twitter accounts.
“We’ve shut down Jason’s account and told him he cannot use his laptop/account tonight.” Read an internal email published on Krebs’ site. “We’ll huddle again Tue morning at 9.05am to provide latest updates, analysis and next steps,” it continues.
The to-do checklist for management includes a note for one member of staff to speak to security forensics firm Mandiant, an outfit that made part of its name as the go-to during a wave of attacks on US news media – including the Washington Post - publicised in January this year.
“Other well-known Posties came close to be tricked by the phishing attack. One of those nearly-phished was veteran Post staffer Gene Weingarten, one of the Post’s Pulitzer Prize winning editors and writers,” noted Krebs.
“I was phished….one of four, but I never entered any creds. I’m stupid, but not THAT stupid,” Weingarten told Krebs in an email.
The attack on The Washington Post was part of a larger SEA campaign this week that saw similar email and web assaults on a swathe of US media, including the New York Post, CNN, and Time.
Earlier in the year, Chinese hackers were accused by The New York Times of launching targeted attacks on them beginning in September 2012. Only days ago, security firm FireEye noticed that the backdoors used in those attacks had recently been updated to evade detection.