Inside the Syrian Electronic Army Washington Post Attack

NEWS ANALYSIS: An online group with ties to Syrian President Bashar al-Assad attacked The Post. What happened and how can enterprises avoid being victims of similar attacks?


The Washington Post reported Thursday, Aug. 15 that it had been the victim of an attack by a group known as the Syrian Electronic Army (SEA). The intrusion involved both a phishing attack against a staff writer's Twitter account and the redirection of some Washington Post pages by way of an exploit of the Outbrain advertising and content discovery platform.

So what exactly is the SEA, and perhaps more importantly, what can and should publishers and enterprises do to protect themselves from being victims?

The SEA, which is aligned with Syrian President Bashar al-Assad, has a long history of using various attack methods, said Jason Lancaster, senior intelligence analyst at Hewlett-Packard's Security Research division.

"The group's motivation, spreading pro-Assad messages, has not changed, but we have seen the volume of activity escalating over the past few months as well as the evolution of its tactics," Lancaster, who has been tracking the SEA's activities for years, told eWEEK.

In Lancaster's view, attacking Websites through third parties, as they have done in this attack with Outbrain, is part of this escalation of events.

"This is not a typical tactic used by the SEA but is something we have known the group is capable of for a while," Lancaster said.

The third-party attack—in which a widget from Outbrain, which was resident on The Washington Post Website, led to an unintended page redirection—is eerily reminiscent of an attack that WhiteHat Security researchers described at the Black Hat conference at the end of July. In the WhiteHat research, JavaScript was inserted into ads and used to build a botnet. In The Post attack, an ad network (Outbrain) was also the conduit for attacking a site.

"This is an example of the power of the ad network when it comes to malware distribution," Matt Johansen, manager for the Threat Research Center at WhiteHat Security, told eWEEK. "Instead of buying an ad and then later tainting it, the attackers here went after the ad network portal itself via social engineering emails."

In the SEA case, once the attackers were in the ad network's admin panel, they had one of the world's most efficient and powerful distribution tools at their fingertips and they used it, Johansen said.

"Although we don't have firsthand knowledge of the malware, it doesn't seem to be using JavaScript like the botnet from our recent research," Johansen said. "It would appear to be a more traditional drive-by malware download via the malicious ad loading in the browser."
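As an added, defender-side example (not from the article, nor from any company it quotes), the following Python audit shows the kind of check a publisher can run over its own fetched pages: it flags script or iframe origins outside an allowlist of expected vendors, plus the in-page redirect instructions that a tampered third-party widget would introduce. The allowlisted hosts and the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the site's own host plus the one widget vendor host it
# intends to embed. Both names are placeholders, not any real vendor's domain.
ALLOWED_HOSTS = {"www.example-news.com", "widgets.example-recommender.com"}

# Inline script that rewrites the page location is the symptom readers saw.
REDIRECT_RE = re.compile(r"location(?:\.href|\.replace|\.assign)?\s*(?:=[^=]|\()")


class ThirdPartyAuditor(HTMLParser):
    """Record script/iframe origins outside the allowlist and in-page redirects."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            # urlparse also handles "//host/path"; a relative path has no
            # hostname and is treated as first-party content.
            host = urlparse(a["src"]).hostname
            if host and host not in ALLOWED_HOSTS:
                self.findings.append(("unexpected-%s-origin" % tag, host))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("inline-redirect", data.strip()[:60]))


def audit_page(html):
    """Return (finding_kind, detail) tuples for one fetched page's HTML."""
    parser = ThirdPartyAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the expected scripts, then what a tampered widget adds.
SAMPLE_PAGE = """<script src="/js/site.js"></script>
<script src="https://widgets.example-recommender.com/embed.js"></script>
<script src="//cdn.redirect-target.example/r.js"></script>
<script>top.location = "http://redirect-target.example/";</script>
<meta http-equiv="refresh" content="0;url=http://redirect-target.example/">"""
```

Run this against periodically fetched copies of your own pages and alert on any finding; a clean page with only first-party and allowlisted sources returns an empty list.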

What The Washington Post Did Right

While the fact that The Washington Post was hacked is not a good thing, some positive lessons can be learned from the event.

The Washington Post had a strong security response plan and ultimately did a good job managing the issue, Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, told eWEEK.

"They reacted very quickly to mitigate the problem by identifying the issue, quickly mitigating future damage by blocking the threat and then were transparent about the incident," Adams said. "So, from my perspective, they did everything exactly as they should have."

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.