A group of hackers angered by PBS Frontline’s WikiLeaks documentary posted a fake news story onto the TV station’s Website and compromised servers and databases in revenge.
The group, The Lulz Boat, posted a story on the Public Broadcasting System Website that claimed Tupac Shakur was alive and well, residing in a small town in New Zealand 15 years after his death. The town was left unnamed for “security risks,” according to the story, which went viral within an hour of it being posted on May 29. PBS NewsHour’s spokesperson Teresa Gorman debunked the story on Twitter, reporting the site had been hacked.
The Lulz Boat, also known as LulzSec, were seeking retribution for the “WikiSecrets” documentary that aired on May 24. WikiSecrets profiled the alleged leaker Bradley Manning. WikiLeaks and its supporters claimed Frontline had cast the whistleblower site and its founder Julian Assange in an unflattering light.
“Greetings, Internets. We just finished watching WikiSecrets and were less than impressed,” The Lulz Boat said in a statement.
PBS confirmed its content management system had been hacked around 11:30pm, but defaced pages referencing Bradley Manning continued to appear in the early hours of Monday morning. NewsHour, Frontline and PBS “remain under attack by hackers,” PBS said May 30 on its Tumblr blog. While it attempted to restore normal service, the sites will publish on Tumblr, according to PBS.
Along with posting a fake news story on PBS.org, LulzSec published network, server and database details and login credentials on the text-sharing site Pastebin.
“We decided to sail our Lulz Boat over to the PBS servers for further… perusing,” The Lulz Boat said.
The group tweeted links of the internal IP addresses and name of PBS servers, caches of e-mail addresses and passwords belonging to 200 PBS affiliates, bloggers, and 1,500 reporters who’d signed up to access the pressroom for photos, clips and press releases.
“Anyway, say hello to the insides of the PBS servers, folks. They best watch where they’re sailing next time.”
LulzSec has gone after other organization in recent weeks, including the Fox News Network and Sony. They claimed no affiliation with the hacktivist group Anonymous.
A number of security experts had speculated that LulzSec used SQL injection and other widely available scanning tools to find vulnerabilities in PBS.org. In response, LulzSec posted on Pastebin that it used a zero-day exploit in the blogging platform Movable Type 4 to compromise Linux servers running outdated kernels. The administrative user accounts used the same passwords on multiple systems within PBS, LulzSec said.
We’ve seen a number of attacks recently where attackers compromised the network because administrators re-used the same password across multiple systems. Attackers are still finding servers running out-dated versions of the software. IT managers are still making the same mistakes.