But it was a close call for the NYT. The Post hack happened after SEA first hacked Outbrain (a content recommendation service). SEA even posted screenshots on its website to demonstrate – and based on these, Graham Cluley comments, "Just a few minutes more and it seems clear that the New York Times would have also been hit."
The Post statement gives few details about its own breach. First it states that SEA "subjected Post newsroom employees to a sophisticated phishing attack to gain password information." Then it adds, "For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site." And finally it adds, "we believe there are no other issues affecting The Post site.”
Precisely what happened is not yet clear. However, it seems certain that the phishing attacks pre-dated the website breach by a couple of days. Brian Krebs – who was once on the Post's staff – provides more information.
"According to sources," he reports, "Post sports writer Jason Reid was among those who fell for a phishing scam that spoofed The Posts’s internal Outlook Web Access email portal. Reid’s hacked email account was then used to send additional — likely malware-laced — phishing emails to other newsroom employees."
Reid wasn't the only target. Pullitzer Prize-winner Gene Weingarten told Krebs, "I was phished….one of four, but I never entered any creds. I’m stupid, but not THAT stupid.”
What isn't yet clear is whether it was this successful phishing that enabled SEA to gain access to Outbrain. E Hacking News comments, "hacker said that the admin panel of Outbrain is hosted in the local server. However, they managed to login into the panel with the help of VPN and access panel." This would certainly be made easier with knowledge of access/VPN passwords.
Whatever the precise chronology, and whether or not there is any connection between the two SEA campaigns, it seems clear that it ultimately comes down to phishing for passwords. Cluley believes they are two separate incidents. "In Outbrain’s case, an email purported to be from the CEO was able to trick at least one employee into entering their password and gave the hackers access to Outbrain’s internal email system," he writes. "From there they were able to steal more credentials that gave them access to admin panels."
So it's ultimately down to how users choose and use their passwords. Bill Walker, technical director at QA, warns, “Password security should be on the minds of each and everyone of us... We can all employ the toughest firewalls and web filters but in the end it comes down to us as individuals."
Barry Shteiman, senior security strategist at Imperva, sees the multiple hacks as further proof of the need for information sharing. "If one of those companies shared their threat intelligence on the attack and its characteristics in advance," he explains, "the others could have been prepared in advance."
But Darien Kindlund, threat intelligence manager at FireEye, feels we shouldn't just complacently assume that this is another harmless hacktivist attack. Just as DDoS is sometimes used as a smoke-screen, so could SEA use hacktivism to disguise deeper intent. "It is possible that the SEA wants to monitor Washington Post stories on Syria as China wanted to spy on the New York Times," he warns. "There are certainly some people inside the Syrian government who would like to have access to such information.”