Game of Pwns: Syrian Electronic Army and Information Warfare
The Syrian Electronic Army has claimed another victory by defacing the Financial Times website as well as several Twitter accounts run by the news organization.
The group has had a run of luck recently with the compromise of the Associated Press Twitter account, where they tweeted a false story about President Barack Obama being injured and hacking of spoof news site The Onion’s Twitter account. They have also successfully targeted the BBC, Orient TV, al-Arabia TV, NPR and Human Rights Watch amongst others.
The number of high profile Twitter accounts used by the press to disseminate information to the public has revealed a serious issue with Twitter security. Even before these breaches there has been a cry from the public to provide additional security layers such as two factor authentication to the platform.
Although it appears that Twitter is working on a solution, it could not come soon enough. It is no longer just about brands and celebrities needing to protect their reputation.
Now groups and governments with hostile intent are hijacking Twitter accounts and defacing websites as a means of information warfare. It is not only about spreading misinformation and propaganda, but the also the act of revealing vulnerabilities making us seem weak which has an effect on national consciousness making the general public feel insecure and lack confidence in companies and our government to secure our cyber assets.
Although the outcome of these attacks is usually just an inconvenience, the fact that the Associated Press false Twitter account about the President being attacked had an effect on the stock market reveals the potential for a broader impact.
To make matters worse the recent news that the U.S. Government is tracking phone records of reporters as a means to identify the source of leaks within the government, indicating that some of these news organizations have access to confidential information that could affect national security raises the risks substantially.
The bulk of the attacks against these organizations have not been particularly sophisticated, most leverage spear-phishing techniques and utilize social engineering tactics to enter credentials for social media accounts. Do these groups have the capability to take advantage of more sophisticated? Probably.
However, when an attacker gains access to a high value target they are less likely to announce it like you would a website defacement or Twitter account take over, instead they will try to hold their unauthorized access and use it as a foot hold to gain broader access or keep it in their back pocket for later.