For comedy publication The Onion, a recent cyber-attack by the Syrian Electronic Army (SEA) was no laughing matter.
The SEA managed to compromise The Onion’s Twitter account, plastering it with insults aimed at the United Nations, Israel, and Syrian rebels. “UN retracts report of Syrian chemical weapon use: ‘Lab tests confirm it is Jihadi body odor,’” read one typical (and perhaps one of the more printable) examples. When the Tweets appeared, some of The Onion’s Twitter followers questioned whether the newspaper was playing some sort of elaborate meta-joke, perhaps riffing on a recent series of high-profile cyber attacks.
But the SEA was serious, and so was The Onion about flushing the attackers from its systems. In a new posting on theonion.github.io, the publication’s IT crew details exactly what happened. On May 3, attackers from the SEA fired off phishing emails to Onion employees, at least one of whom clicked on a malicious link.
“Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6,” read the account. “Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.”
The Onion’s IT staff responded by shooting out a companywide email asking all employees to change passwords. But even as the password reset was in progress, the attackers sent out a duplicate email “which included a link to the phishing page disguised as a password-reset link.” The attackers were smart enough not to send that email to anyone on The Onion’s IT or tech teams, which allowed them to compromise two more employee accounts before being discovered.
“In total, the attacker compromised at least 5 accounts,” the account concluded. “The attacker logged in to compromised accounts from 18.104.22.168 which is also where the SEA hosts a website.”
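The pattern in this incident, an internal account mailing the same link to many colleagues while leaving IT and tech staff off the recipient list, can be looked for in mail logs. The following is an added example, not code from The Onion’s write-up; the log format, domain names, addresses and threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# All names, addresses and thresholds below are constructed assumptions.
INTERNAL_DOMAIN = "example-news.test"
TRUSTED_LINK_HOSTS = {"example-news.test", "intranet.example-news.test"}
IT_TEAM = {"it1@example-news.test", "it2@example-news.test"}
MIN_RECIPIENTS = 3  # distinct colleagues receiving the same link

D = "@" + INTERNAL_DOMAIN
# Constructed sample log rows: (sender, recipient, first URL in body)
SAMPLE_LOG = [
    ("carol" + D, "bob" + D, "http://accounts.example-phish.test/reset"),
    ("carol" + D, "dave" + D, "http://accounts.example-phish.test/reset"),
    ("carol" + D, "erin" + D, "http://accounts.example-phish.test/reset"),
    ("carol" + D, "frank" + D, "http://accounts.example-phish.test/reset"),
    ("it1" + D, "bob" + D, "https://intranet.example-news.test/password"),
    ("it1" + D, "dave" + D, "https://intranet.example-news.test/password"),
    ("it1" + D, "erin" + D, "https://intranet.example-news.test/password"),
    ("gina" + D, "bob" + D, "https://press.example-wire.test/story"),
    ("gina" + D, "dave" + D, "https://press.example-wire.test/story"),
    ("gina" + D, "it1" + D, "https://press.example-wire.test/story"),
    ("stranger@elsewhere.test", "bob" + D, "http://accounts.example-phish.test/reset"),
]

def is_internal(addr):
    return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN

def find_lateral_phishing(log, it_team=IT_TEAM, min_recipients=MIN_RECIPIENTS):
    """Flag internal accounts mailing one untrusted link to many colleagues."""
    fanout = defaultdict(set)  # (sender, url) -> set of internal recipients
    for sender, recipient, url in log:
        host = (urlparse(url).hostname or "").lower()
        if (is_internal(sender) and is_internal(recipient)
                and host not in TRUSTED_LINK_HOSTS):
            fanout[(sender.lower(), url)].add(recipient.lower())
    alerts = []
    for sender, url in sorted(fanout):
        recipients = fanout[(sender, url)]
        if len(recipients) >= min_recipients:
            alerts.append({
                "sender": sender, "url": url, "recipients": sorted(recipients),
                # Incident's second wave avoided IT/tech staff; rank these higher.
                "skips_it_team": recipients.isdisjoint(it_team),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_lateral_phishing(SAMPLE_LOG):
        print(alert)
```

An alert with `skips_it_team` set means the sending account itself should be treated as possibly compromised, since the mail came from a trusted address.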
The Onion’s IT staff also offered up some helpful tips for avoiding—or at least mitigating—a similar attack on one’s own backend infrastructure. First, “make sure that your users are educated” to be suspicious of links that ask for logins or other personal data. Next, “email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email.”
Third, the staff recommended filtering Twitter activity through an app such as HootSuite: “Restricting password-based access to your accounts prevents a hacker from taking total ownership.” Fourth, organizations should have a method for reaching out to users beyond organizational email.
Following the crisis, The Onion couldn’t resist swiping at its attackers. “Syrian Electronic Army Has a Little Fun Before Inevitable Upcoming Deaths at Hands of Rebels,” read the headline for a May 6 article that described a fictional massacre of the SEA in gruesome detail.