The Syrian Electronic Army might be predators but their attacks don't need big teeth
Earlier this week the Forbes news site became the latest media organisation to find itself on the receiving end of the attentions of the Syrian Electronic Army (SEA) after an attack that left a million user accounts in a breached state.
Only days on, unexpectedly and bravely, a traumatised Forbes has decided to do something none of the SEA's previous victims has dared to do: tell the world how it believes the hack happened. Let's applaud such openness. It is precisely through this kind of sharing that organisations with similar resources (i.e. every other media firm at least) might have a fighting chance of avoiding the SEA's clutches.
A reasonably full account has been posted by one of the site’s staffers. What can we learn from it? A lot in fact.
1. Phishing this practised is almost impossible to defend against. Staff were obviously aware that they were a target and were suspicious enough not to click on some of the phishing emails the SEA directed at them. But eventually one link, apparently sent in an email from a genuine contact, looked real enough to warrant following, and this gave the attackers the credentials they needed to get a foothold.
2. Once they’re in, they go sideways. It happens to the best of us, but it gets worse. The first compromised account was quickly used to send phishing emails to other members of staff, including the WordPress super-admin. They fell for it because these emails no longer resembled phishing emails. The hackers now had access to key systems including, Forbes surmises, the vulnerable user database with its 1,057,819 user accounts.
3. The attackers kept probing for new weaknesses even after warnings about strange emails had been sent out to Forbes staff. A third person fell for the attack and the SEA posted fake blogs within minutes.
4. Forbes probably lacked a comprehensive plan to cope with this kind of 'God almighty what's happening here' attack. Aware something was going on but not what, admins locked down the WordPress system. Credentials for admins were reset using phone calls or personal contact. Good move. Forbes' admins reacted very quickly but in a way that was constantly behind their assailants - the attackers changed the email addresses associated with hacked WordPress accounts and the social media accounts linked to them, allowing them to reset passwords even after they had been locked out.
5. Attackers try to distract defenders with feints. This tactic works. A flaw in a WordPress plug-in was (Forbes believes) exploited to redirect website visitors to the SEA's Twitter feed. Result: more resources consumed. Does this attack have no end?
6. Forbes admin accounts have a lot of power but not many controls or logging. We can infer this because Forbes has admitted it is still not sure how these accounts were abused in the timeline. That's a risk straight off because even without the SEA you only need a dishonest admin and the whole system can be undermined from within.
“In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last,” concluded Forbes writer Andy Greenberg.
The lessons are complex, starting with the fact that almost every organisation put under this kind of attack would have been breached. That is disturbing in itself but it points to the futility of conventional perimeter security in an era when the perimeter can be sitting inside the head of a single network user on a mobile device pondering their first cup of coffee for the day.
Dangerous times. Would we have done any better? Nobody said this would be easy.