Image: Mashable composite (iStockphoto, SGC, Syrian Electronic Army)
One of the two main hackers of the infamous Syrian Electronic Army, only known as “Th3 Pr0,” was browsing Twitter on Thursday night, when he saw something he didn’t like.
It was a CNN story on a recent report that alleged Bashar al-Assad’s regime is guilty of “systematic torture and killing” of thousands of detainees. After reading the article, Th3 Pr0 sent a chat message to another prominent member of the Syrian Electronic Army at 10:26 p.m. Syria time (3:26 p.m. ET).
“Let’s hack the CNN and spread some truth,” Th3 Pr0 said he told fellow hacker “The Shadow.”
That’s when the Syrian Electronic Army’s operation to hack CNN began. A little bit more than three hours later at 1:48 a.m. Syria time, the two hackers sent their first fake tweet from CNN’s official Twitter account, which boasts more than 11.5 million followers.
That was soon followed by more fake tweets, some published from other CNN Twitter accounts, including @NatlSecurityCNN, @CNNSitRoom and @CNNPolitics, as well as CNN’s official Facebook page. The two even managed to post fake stories on CNN blogs, Security Clearance and Political Ticker.
With their quick hack, Th3 Pr0 and The Shadow added one more victim to a long list that includes major brands, such as the Associated Press, Microsoft and even The Onion.
How did the hackers get control of so many CNN social-media accounts? They mostly relied on their signature weapon: a well-crafted wave of phishing emails to CNN employees. Six of them, Mashable has learned, took the bait. But there was another twist: a type of malware that Th3 Pr0 and The Shadow claim gave them full access to their victims’ computers.
“It was a very theatrical and well-orchestrated event,” according to a source with knowledge of the attack. He said the emails were all written in good English, contained links that looked legitimate and appeared to come from real CNN email addresses.
One email asked recipients to update their Turner Broadcasting System password, while another asked them to update their Office 365 (CNN’s internal email system) password. Malicious links sent recipients to a fake version of the Office 365 login page, which the hackers designed specifically to steal employee credentials.
Prior to the hack, Th3 Pr0 and The Shadow already had a list of CNN employee emails to which they could send fake messages, the former said.
While several victims didn’t actually have access to social-media accounts, the hackers likely targeted them in hopes of using their email addresses as bait for other potential victims. After all, you’re more likely to click on a link if it comes from your colleague.
“Typically they have two targets: Targets that they use to pivot and send and broadcast, and other targets that they’re intending to own in order to pursue whatever their motivation is,” another source told Mashable.
One CNN employee fell for the first wave of phishing emails, revealing his password on the fake login page. Th3 Pr0 and The Shadow then had access to his Hootsuite account, which was linked to various CNN social-media accounts and even his CNN WordPress account. This breakthrough gave them the power to post on multiple Twitter accounts, and even publish fake news on CNN.com. Mashable has seen screenshots of the compromised accounts, and a source with knowledge of the attack confirmed they were legitimate.
After taking control of the passwords of six CNN employees, the hackers began sending a second wave of phishing emails, this time using the victims’ real email accounts. The emails warned of an attack, and asked recipients to change their passwords to avoid further hacks; it was a clever attempt to harvest more logins and passwords.
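The two waves described above differ in one important way for a defender: the first wave only looked like it came from CNN addresses, while the second was sent from genuinely compromised accounts, so sender authentication would have passed. The following Python triage script is an added example written for this article (it is not CNN’s tooling or anything the attackers used) and shows why a mail filter should look at where the links actually go and at the reset-your-password lure, not only at who the sender claims to be. The corporate domain, the impersonated-brand list and the three sample messages are constructed for the demo.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own domain (placeholder for this demo).
CORPORATE_DOMAINS = {"cnn.com"}
# Brands a credential lure commonly names in its link text; if the text names one of
# these but the href goes somewhere else, the link is hiding its destination.
IMPERSONATED_BRANDS = {"office 365", "office365", "microsoftonline.com", "turner"}
LURE_PATTERNS = [
    r"update your [\w ]*password",
    r"change your [\w ]*password",
    r"reset your [\w ]*password",
]


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude last-two-labels heuristic; fine for the demo, not for ccTLDs such as .co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw_message):
    """Return a list of findings for one RFC 822 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    auth = (msg.get("Authentication-Results") or "").lower()

    # 1. Claims to come from inside, but the receiving MTA could not verify it (wave one).
    if sender_domain in CORPORATE_DOMAINS and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal sender address without passing SPF/DKIM")

    # 2. Password-update lure in the subject or body text (both waves).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body)
    haystack = f"{msg['Subject'] or ''} {text}".lower()
    lure = any(re.search(p, haystack) for p in LURE_PATTERNS)
    if lure:
        findings.append("password-reset lure wording")

    # 3. Where do the links really go, and does the visible text disagree? This still
    #    fires for wave two, where the sender was a real compromised account.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        host = urlparse(href).hostname or ""
        dest = registrable_domain(host) if host else ""
        if not dest or dest in CORPORATE_DOMAINS:
            continue
        if lure:
            findings.append(f"credential lure links to external host {host}")
        anchor_l = anchor.lower()
        anchor_host = urlparse(anchor_l).hostname if "://" in anchor_l else None
        if (anchor_host and registrable_domain(anchor_host) != dest) or any(
            b in anchor_l for b in IMPERSONATED_BRANDS
        ):
            findings.append(f"link text '{anchor}' hides destination {host}")
    return findings


# Constructed samples: the first wave (spoofed sender, fails SPF), the second wave
# (sent from a compromised colleague's real account, passes SPF/DKIM) and a benign mail.
WAVE_ONE = (
    "From: IT Support <it-support@cnn.com>\n"
    "To: reporter@cnn.com\n"
    "Subject: Action required: Turner password update\n"
    "Authentication-Results: mx.example; spf=fail smtp.mailfrom=cnn.com\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Please update your Turner Broadcasting System password within 24 hours.</p>\n"
    '<a href="http://office365-login.example.net/owa">https://login.microsoftonline.com</a>\n'
)
WAVE_TWO = (
    "From: Jane Colleague <jane.colleague@cnn.com>\n"
    "To: editor@cnn.com\n"
    "Subject: We got hacked - change your password now\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=cnn.com; dkim=pass header.d=cnn.com\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Our accounts were attacked. Change your password here to stay safe:</p>\n"
    '<a href="https://office365-secure.example.net/reset">Office 365 password reset</a>\n'
)
BENIGN = (
    "From: HR <hr@cnn.com>\n"
    "To: staff@cnn.com\n"
    "Subject: Benefits enrollment opens Monday\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=cnn.com; dkim=pass header.d=cnn.com\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Enrollment opens Monday. Details are on the <a href="https://intranet.cnn.com/benefits">benefits page</a>.</p>\n'
)

if __name__ == "__main__":
    for name, sample in (("wave one", WAVE_ONE), ("wave two", WAVE_TWO), ("benign", BENIGN)):
        print(name, triage(sample))
```

The sender-authentication check catches only the first wave; the second wave passes SPF and DKIM cleanly because the messages really did leave CNN accounts. The link-destination and lure checks catch both, which is the practical lesson of this attack: once an account is taken over, the only remaining signals are the content and the destination.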
On their fake login page, Th3 Pr0 and The Shadow even embedded a piece of malware — similar to a Remote Access Tool — which let them take control of victims’ computers. In fact, the hackers still have access to all six CNN employees’ computers, Th3 Pr0 said.
Sources told Mashable that CNN did find some evidence of malware, and one malicious link in a phishing email prompted the download of an executable file, but it’s unclear what the malware actually did, or whether the hackers really still have access to the computers. Th3 Pr0 couldn’t provide definitive proof, but said they exploited a flaw he learned about when they hacked into several Microsoft employees’ email accounts.
Th3 Pr0 added that they exploited a vulnerability in Office 365 to get the malware on the victims’ computers. But this scenario, according to several security experts that Mashable consulted, sounds far-fetched — though it is possible.
“Never say never,” said Dave Lewis, a security advocate at Akamai Technologies.
Regardless, researchers say the SEA’s attack on CNN was highly effective, and that similar hacks will continue until employees learn to detect suspicious emails, avoid clicking on links without double-checking them first and never give up their credentials.
“People are the soft chewy center of the security landscape,” Lewis told Mashable.
“Fortifying the human element by cultivating a user base that recognizes malicious email is an important defense against the types of attacks the SEA has carried out with such success,” said Scott Greaux, vice-president of PhishMe, a firm that trains companies on how not to be fooled by phishing attacks.
Nobody knows the hackers’ true identities, but this time, they seem to have left traces behind.
When Th3 Pr0 and The Shadow had control over CNN’s social-media accounts, they made a Facebook password reset request tracing back to a Turkish IP address. What’s more, a phone number was added to one of CNN’s accounts, a source told Mashable. The number was registered to SyriaTel, which suggests the attackers are located in Syria, the source said.
However, Th3 Pr0 said the IP doesn’t mean anything since he and The Shadow use virtual private networks to mask their location when carrying out attacks. Th3 Pr0 also denied adding a Syrian phone number to a CNN account, although he said he does live in Syria.
CNN’s investigation into the breach is ongoing.