ISIS Compromises CENTCOM Social Media Accounts

Intel Brief

On Monday, January 12, 2015, hackers claiming loyalty to the Islamic State of Iraq and Syria (ISIS) compromised the Twitter account and YouTube channel of the United States Central Command (CENTCOM), whose military “Area of Responsibility” (AOR) includes the Middle East, North Africa, and Central Asia.

The Twitter account was compromised for about 30 minutes. The first fraudulent tweet was sent from @CENTCOM at 1245 EST: “American soldiers, we are coming, watch your back. ISIS.” The last tweet was sent at 1305. By 1310, Twitter had suspended the stolen account.

The attackers renamed the Twitter account “CyberCaliphate,” and added the tagline “i love you isis.” From the stolen account, they posted numerous threats, such as “We broke into your networks and personal devices and know everything about you. You'll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base.”

The attackers then disseminated information which they claimed was “classified” and stolen from CENTCOM, including names, phone numbers, and email addresses of military personnel, as well as various PowerPoint slides and maps. However, U.S. military officials and many online commentators contend that everything released so far appears to be unclassified and publicly available elsewhere on the Internet.

The CENTCOM Twitter account is now back online, less than 24 hours after the attack.

CENTCOM’s YouTube channel was also compromised, and the ISIS supporters posted two propaganda videos from it.

The YouTube account was suspended, but is also now back online.

ZeroFox Analysis

Currently, this incident appears to be more smoke than fire. There is no proof of a serious network compromise or even a minor data breach. Although the CENTCOM Twitter account was hacked, that is not tantamount to hacking CENTCOM itself.

The hackers appear to have had limited resources at their disposal, but used what they did have quickly, with a view toward gaining maximum publicity. We do not yet know how the hackers gained control of the Twitter and YouTube accounts in the first place, but the most likely way is via a stolen password, perhaps through a phishing scam or a brute-force attack against a web application.

White House spokesman Josh Earnest said that this incident pales in comparison to the recent cyber attack on Sony: “There’s a pretty significant difference between what is a large data breach and the hacking of a Twitter account.” Pentagon spokesman Col. Steve Warren stated that it was “little more than a prank … It in no way compromises our operations.”

However, an entirely dismissive response is dangerous. First, the attackers can and will claim tangible results. However briefly, they gained control of their enemy’s widely followed social media account, garnering enormous propaganda reach and causing serious embarrassment to the victim. They put their cause on the homepage of every major news organization in the world, simultaneously threatening the lives of U.S. military personnel and their family members.

It is also wise to consider what the attackers might have accomplished with a stealthier, more intelligence-focused strategy. They chose to create a media splash, but they could have behaved like many advanced, persistent hackers and simply waited to collect future insight on CENTCOM operations, or sought additional network credentials to enable lateral movement deeper into the CENTCOM network.

“Doxing” the Enemy

In cyber incidents like this, hackers try to “dox” their victims, which entails collecting as much personally identifiable, proprietary and/or sensitive information as possible, and posting it to the Internet for anyone to read.

A review of the documents released in this case reveals that the hackers almost certainly did not compromise the CENTCOM network, but merely posted data they found on other websites, to include random military-related information from educational institutions and think tanks, some pornography, and information marked “FOUO” or “For Official Use Only” – which is not classified confidential, secret, or top secret.

Some of the allegedly “secret” documents were in fact screenshots from the website of the Federation of American Scientists.

Watch the climate, not the weather

Another important aspect of the CENTCOM hack is that it may be part of a larger trend. It is likely that the same hacker group conducted two other similar attacks just last week, against the Albuquerque Journal, a newspaper in New Mexico, and WBOC TV, a television station in Salisbury, Maryland. All three attacks shared numerous characteristics, to include language use, political viewpoints, hashtags, a first tweet to #cybercaliphate, and quick data dumps to Pastebin. Although CENTCOM was able to quickly regain control of its sites, WBOC was not as well prepared – it took six days to win back its Twitter account.

Be careful out there!

Today, most cyber attacks include some level of targeting via social media. Over the past decade, network infrastructure security has been vastly upgraded. Therefore, hackers go after the weakest link in the “kill chain”—the end user, or human.

Unfortunately, defending your human assets is a challenging task. Computers do not love money, sex, or cute kittens – but humans do. The unpredictability and vulnerability of people make the social media space difficult to protect.

Good attackers have a plan, including a reconnaissance-informed target list and a proven kill chain methodology. We will not succeed in defending our networks unless we do the same. At the enterprise level, only a sound, coordinated strategy will work.

Proactively, it is critical to employ best practices in computer security, including the use of 2-factor authentication for any account that is worth protecting—and increasingly, that includes accounts in social media. However, it is still likely that one day, your organization will be “owned,” and when that happens, you must minimize the time from compromise to remediation.
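One way to shorten the time from compromise to remediation, shown as an added example that is not from the original brief or from ZeroFox: a check over account audit events that flags profile fields changed away from an approved baseline, the #cybercaliphate hashtag and Pastebin links seen in these incidents, and reports minutes from first alert to suspension. The event format, baseline values, timestamps and the names `check_event` and `triage` are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlparse

# Approved profile baseline for a hypothetical account (constructed values).
BASELINE = {"display_name": "Example Org", "bio": "Official account of Example Org"}
PASTE_HOSTS = {"pastebin.com"}    # paste site named in the brief
WATCH_TAGS = {"#cybercaliphate"}  # hashtag named in the brief

# Constructed audit events; format and timestamps are assumptions.
EVENTS = [
    {"ts": "2015-01-12T12:40", "type": "post", "text": "Update: https://example.org/news"},
    {"ts": "2015-01-12T12:45", "type": "post", "text": "watch your back #CyberCaliphate"},
    {"ts": "2015-01-12T12:47", "type": "profile", "field": "display_name", "value": "CyberCaliphate"},
    {"ts": "2015-01-12T12:50", "type": "post", "text": "files: http://pastebin.com/PLACEHOLDER"},
    {"ts": "2015-01-12T13:10", "type": "suspended"},
]

def check_event(ev, baseline=BASELINE):
    """Return alert strings for one audit event (empty list if benign)."""
    alerts = []
    if ev["type"] == "profile" and baseline.get(ev["field"]) != ev["value"]:
        alerts.append(f"profile field '{ev['field']}' differs from baseline")
    if ev["type"] == "post":
        for word in ev["text"].split():
            if word.lower() in WATCH_TAGS:
                alerts.append(f"watched hashtag {word.lower()}")
            if word.startswith(("http://", "https://")):
                host = (urlparse(word).hostname or "").lower()
                if any(host == h or host.endswith("." + h) for h in PASTE_HOSTS):
                    alerts.append(f"outgoing link to paste site {host}")
    return alerts

def triage(events):
    """Return (alerts, minutes from first alert to suspension or None)."""
    alerts, first, contained = [], None, None
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for msg in check_event(ev):
            alerts.append((ev["ts"], msg))
            first = first or ts
        if ev["type"] == "suspended" and first and contained is None:
            contained = ts
    minutes = int((contained - first).total_seconds() // 60) if contained else None
    return alerts, minutes

if __name__ == "__main__":
    found, exposure = triage(EVENTS)
    for when, msg in found:
        print(when, msg)
    print("minutes from first alert to containment:", exposure)
```
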

How can ZeroFox help? 

Social accounts need to be protected like any other high-value organizational asset. ZeroFox Enterprise enables organizations to lock down their social media accounts from attacks like this, be they cybervandalism or something far more malicious. Our approach is unique—monitoring your accounts from both inside and out. Our advanced analysis engines alert on anything suspicious, be it incoming or outgoing links or content, settings changes or suspicious profile activity. In addition, ZeroFox Enterprise gives security teams the ability to assess and visualize their social media risk, providing real-time organization-specific alerts to security teams.

This attack on CENTCOM is likely an act of cybervandalism, but it's important to remember that it still bears a massive organizational cost. Even more important to remember: it's preventable.
