Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

US Government Website Defaced With Pro-Iran Message

DHS Sees No Signs Vandalism Is Linked to Iranian State-Sponsored Actors
US Government Website Defaced With Pro-Iran Message
The U.S. Government Printing Office in Washington, which runs the Federal Depository Library Program (Source: U.S. Government via Wikipedia)

Hacktivists have long used website defacements to bring attention to their causes. Breaking into a website, or seizing its domain name and redirecting the domain, is rarely a long-lasting attack, but it usually causes embarrassment, and, at a technical level, highlights gaps in website security.

See Also: Live Webinar | How to Identify & Address Risk with Attack Simulation

Such attacks are so frequent that most barely register attention. But one over the weekend stuck out: the website for the U.S. Federal Depository Library Program, which featured a doctored photo of President Donald Trump being punched in the face with an Iranian flag in the background.

The FDLP, which is designed to make federal documents available to the public, is part of the Government Publishing Office.

DHS: Not State-Sponsored

On Thursday, Trump authorized a missile attack, launched by a U.S. drone, to kill a top Iranian intelligence official, Maj. Gen. Qasem Soleimani, near Baghdad International Airport. The killing of Suleimani immediately raised questions about how Iran might retaliate (see: US Conflict With Iran Sparks Cybersecurity Concern). Iran's leadership has vowed it will retaliate.

Iran's online attack capabilities are well developed, and using hack attacks avoids bullet-and-missile exchanges against the U.S., with many experts noting that Iran would be unlikely to win such a fight.

But Iran is no stranger to state-sanctioned hacking. The country's government has been accused of green-lighting the malware attack against oil giant Saudi Aramco in 2012, which disabled tens of thousands of computers with the Shamoon "wiper" malware (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).

The website of the Federal Depository Library Program was defaced over the weekend with a pro-Iran message.

The defacement of the Federal Depository Library Program, however, doesn't appear to be the prelude to a larger cyber conflict, according to the U.S. Department of Homeland Security.

"We are aware the website of the Federal Depository Library Program was defaced with pro-Iranian, anti-US messaging," a DHS spokesman says. "At this time, there is no confirmation that this was the action of Iranian state-sponsored actors."

Theory: CMS Vulnerability

DHS says the website has been taken offline. Also, the U.S Cybersecurity and Infrastructure Security Agency is monitoring the situation.

CISA Director Christopher Krebs warned on Thursday that organizations should review guidance on Iranian cyber techniques, tactics and procedures, or TTPs. On Saturday, DHS warned that Iran has a "robust cyber program" and could carry out attacks against critical infrastructure that have temporarily disruptive effects.

There are signs that attackers defaced FDLP via a vulnerability in its content management system rather than a DNS hijack. In the latter, attackers gain control of an organization's DNS settings and point the domain to an IP controlled by the attackers, which has their own content.

Iran has been previously tied to DNS hijacking. Cybersecurity firm FireEye warned about a year ago that a wave of DNS hijacking against governments, telecommunications firms and internet infrastructure companies had a strong nexus to Iran (see: DHS Issues More Urgent Warning on DNS Hijacking).

But the security researcher behind @TheCyberViking account on Twitter writes that the source code for the FDLP's website shows that one of the images that is part of the defacement was hosted on FDLP's domain. He writes that it's possible access to the website was gained through a vulnerability in Joomla, a content management system.

Other clues also suggest a DNS hijack was not involved. @TheCyberViking writes that TLS certificate appeared to remain intact during the defacement, and also that DNS records don't display any changes that would suggest it had been hijacked.

Regardless, security experts and government officials continue to warn that U.S. government agencies and businesses continue to face an escalated threat from online attacks launched by the government of Iran in retaliation for Soleimani's assassination.

Executive Editor Mathew Schwartz contributed to this report.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.