US Government Website Defaced With Pro-Iran Message

Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

DHS Sees No Signs Vandalism Is Linked to Iranian State-Sponsored Actors
US Government Website Defaced With Pro-Iran Message The U.S. Government Printing Office in Washington, which runs the Federal Depository Library Program (Source: U.S. Government via Wikipedia)

Hacktivists have long used website defacements to being attention to their causes. Breaking into a website, or seizing its domain name and redirecting the domain, is rarely a long-lasting attack, but it usually causes embarrassment, and, at a technical level, highlights gaps in website security.

See Also: Unlocking IAM – Balancing Frictionless Registration & Data Integrity

Such attacks are so frequent that most barely register attention. But one over the weekend stuck out: the website for the U.S. Federal Depository Library Program, which featured a doctored photo of President Donald Trump being punched in the face with an Iranian flag in the background.

The FDLP, which is designed to make federal documents available to the public, is part of the Government Publishing Office.

DHS: Not State-Sponsored

On Thursday, Trump authorized a missile attack, launched by a U.S. drone, to kill a top Iranian intelligence official, Maj. Gen. Qasem Soleimani, near Baghdad International Airport. The assassination of Suleimani immediately raised questions about how Iran might retaliate (see: US Conflict With Iran Sparks Cybersecurity Concern). Iran’s leadership has vowed it will retaliate.

Iran’s online attack capabilities are well developed, and using hack attacks avoids bullet-and-missile exchanges against the U.S., with many experts noting that Iran would be unlikely to win such a fight.

But Iran is no stranger to state-sanctioned hacking. The country’s government has been accused of green-lighting the malware attack against oil giant Saudi Aramco in 2012, which disabled tens of thousands of computers with the Shamoon “wiper” malware (see: DHS: Conflict With Iran Could Spur ‘Wiper’ Attacks).

The website of the Federal Depository Library Program was defaced over the weekend with a pro-Iran message.

The defacement of the Federal Depository Library Program, however, doesn’t appear to be the prelude to a larger cyber conflict, according to the U.S. Department of Homeland Security.

“We are aware the website of the Federal Depository Library Program was defaced with pro-Iranian, anti-US messaging,” a DHS spokesman says. “At this time, there is no confirmation that this was the action of Iranian state-sponsored actors.”

Theory: CMS Vulnerability

DHS says the website has been taken offline. Also, the U.S Cybersecurity and Infrastructure Security Agency is monitoring the situation.

CISA Director Christopher Krebs warned on Thursday that organizations should review guidance on Iranian cyber techniques, tactics and procedures, or TTPs. On Saturday, DHS warned that Iran has a “robust cyber program” and could carry out attacks against critical infrastructure that have temporarily disruptive effects.

There are signs that attackers defaced FDLP via a vulnerability in its content management system rather than a DNS hijack. In the latter, attackers gain control of an organization’s DNS settings and point the domain to an IP controlled by the attackers, which has their own content.

Iran has been previously tied to DNS hijacking. Cybersecurity firm FireEye warned about a year ago that a wave of DNS hijacking against governments, telecommunications firms and internet infrastructure companies had a strong nexus to Iran (see: DHS Issues More Urgent Warning on DNS Hijacking).

But the security researcher behind @TheCyberViking account on Twitter writes that the source code for the FDLP’s website shows that one of the images that is part of the defacement was hosted on FDLP’s domain. He writes that it’s possible access to the website was gained through a vulnerability in Joomla, a content management system.

Other clues also suggest a DNS hijack was not involved. @TheCyberViking writes that TLS certificate appeared to remain intact during the defacement, and also that DNS records don’t display any changes that would suggest it had been hijacked.

Regardless, security experts and government officials continue to warn that U.S. government agencies and businesses continue to face an escalated threat from online attacks launched by the government of Iran in retaliation for Soleimani’s assassination.

Executive Editor Mathew Schwartz contributed to this report.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips