Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
US Government Website Defaced With Pro-Iran Message
DHS Sees No Signs Vandalism Is Linked to Iranian State-Sponsored ActorsHacktivists have long used website defacements to bring attention to their causes. Breaking into a website, or seizing its domain name and redirecting the domain, is rarely a long-lasting attack, but it usually causes embarrassment, and, at a technical level, highlights gaps in website security.
See Also: Best Practices to Protect Communication and Email Fraud with Technology
Such attacks are so frequent that most barely register attention. But one over the weekend stuck out: the website for the U.S. Federal Depository Library Program, which featured a doctored photo of President Donald Trump being punched in the face with an Iranian flag in the background.
The FDLP, which is designed to make federal documents available to the public, is part of the Government Publishing Office.
DHS: Not State-Sponsored
On Thursday, Trump authorized a missile attack, launched by a U.S. drone, to kill a top Iranian intelligence official, Maj. Gen. Qasem Soleimani, near Baghdad International Airport. The killing of Suleimani immediately raised questions about how Iran might retaliate (see: US Conflict With Iran Sparks Cybersecurity Concern). Iran’s leadership has vowed it will retaliate.
Iran’s online attack capabilities are well developed, and using hack attacks avoids bullet-and-missile exchanges against the U.S., with many experts noting that Iran would be unlikely to win such a fight.
But Iran is no stranger to state-sanctioned hacking. The country's government has been accused of green-lighting the malware attack against oil giant Saudi Aramco in 2012, which disabled tens of thousands of computers with the Shamoon “wiper” malware (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).
The defacement of the Federal Depository Library Program, however, doesn’t appear to be the prelude to a larger cyber conflict, according to the U.S. Department of Homeland Security.
“We are aware the website of the Federal Depository Library Program was defaced with pro-Iranian, anti-US messaging,” a DHS spokesman says. “At this time, there is no confirmation that this was the action of Iranian state-sponsored actors.”
Theory: CMS Vulnerability
DHS says the website has been taken offline. Also, the U.S Cybersecurity and Infrastructure Security Agency is monitoring the situation.
CISA Director Christopher Krebs warned on Thursday that organizations should review guidance on Iranian cyber techniques, tactics and procedures, or TTPs. On Saturday, DHS warned that Iran has a “robust cyber program” and could carry out attacks against critical infrastructure that have temporarily disruptive effects.
There are signs that attackers defaced FDLP via a vulnerability in its content management system rather than a DNS hijack. In the latter, attackers gain control of an organization’s DNS settings and point the domain to an IP controlled by the attackers, which has their own content.
Iran has been previously tied to DNS hijacking. Cybersecurity firm FireEye warned about a year ago that a wave of DNS hijacking against governments, telecommunications firms and internet infrastructure companies had a strong nexus to Iran (see: DHS Issues More Urgent Warning on DNS Hijacking).
it was pointed out to me that the src could be hosted remote and if a domain takeover would happen it could be a remote file as was coded. As the SSL was still valid US Gov and checking DNS Records/History at the time didn't show any changes I would still be against a DNS theory pic.twitter.com/ssDusOwy7k
— CyberViking (@TheCyberViking) January 5, 2020
But the security researcher behind @TheCyberViking account on Twitter writes that the source code for the FDLP’s website shows that one of the images that is part of the defacement was hosted on FDLP’s domain. He writes that it’s possible access to the website was gained through a vulnerability in Joomla, a content management system.
Other clues also suggest a DNS hijack was not involved. @TheCyberViking writes that TLS certificate appeared to remain intact during the defacement, and also that DNS records don’t display any changes that would suggest it had been hijacked.
Regardless, security experts and government officials continue to warn that U.S. government agencies and businesses continue to face an escalated threat from online attacks launched by the government of Iran in retaliation for Soleimani's assassination.
Executive Editor Mathew Schwartz contributed to this report.