Washington Post email system breached by Syrian Electronic Army phishing attack

Staff go into 'huddle'

A raid by the Syrian Electronic Army (SEA) on the Washington Post this week was aided by a successful phishing attack on one of its journalists, the newspaper has confirmed. But how did the attackers penetrate its defences?

According to the Post, the attackers gained access to the Twitter account of an unnamed journalist, using it to post pro-SEA messages in the rapid-fire style that has become the group's calling card in numerous other take-overs.

In addition, "for 30 minutes this morning [15 August], some articles on our web site were redirected to the Syrian Electronic Army's site," the paper said in a brief web statement, a compromise attributed to an attack on a business partner, Outbrain.

However, an internal Post email published by security sleuth Brian Krebs (himself a former Washington Post staffer) explains that the SEA had earlier successfully hacked the email account of at least one journalist, sports writer Jason Reid.

Reid is said to have fallen for a phishing attack that spoofed the newspaper's Outlook Web Access email system on Monday 12 August. Armed with access to his account, the attackers then sent what appeared to be emails to other Washington Post journalists, almost certainly attaching keyloggers that would be used to capture new logins, including those for Twitter accounts.

"We've shut down Jason's account and told him he cannot use his laptop/account tonight," read an internal email published on Krebs' site. "We'll huddle again Tue morning at 9.05am to provide latest updates, analysis and next steps," it continues.

The to-do checklist for management includes a note for one member of staff to speak to security forensics firm Mandiant, an outfit that made part of its name as the go-to firm during a wave of attacks on US news media - including the Washington Post - publicised in January this year.

"Other well-known Posties came close to being tricked by the phishing attack. One of those nearly-phished was veteran Post staffer Gene Weingarten, one of the Post's Pulitzer Prize winning editors and writers," noted Krebs.

"I was phished ... one of four, but I never entered any creds. I'm stupid, but not THAT stupid," Weingarten told Krebs in an email.

The attack on The Washington Post was part of a larger SEA campaign this week that saw similar email and web assaults on a swathe of US media, including the New York Post, CNN, and Time.

Earlier in the year, Chinese hackers were accused by The New York Times of launching targeted attacks on it beginning in September 2012. Only days ago, security firm FireEye noticed that the backdoors used in those attacks had recently been updated to evade detection.


Stories by John E Dunn
