Syrian Electronic Army hacks AP; DOW briefly tumbles

The false tweet said simply, “Breaking: Two Explosions in the White House and Barack Obama is injured”. This was at 1:07 pm on Tuesday. In the following six frantic minutes the DOW first nosedived almost 150 points before returning to something like normality by 1:13 pm when traders realized or were informed that it had been a hoax.

Shortly afterwards the Syrian Electronic Army (SEA – a pro-Assad hacking group) claimed responsibility: “Ops! @ap get owned by Syrian Electronic Army! #SEA #Syria #ByeByeObama twitter.com/Official_SEA6/…” That account, @Official_SEA6, has been suspended in what Sophos’ Graham Cluley has described as a Twitter/SEA ‘whack-a-mole’ game. He traced the game through various account names – Twitter suspends it, SEA opens a new one – as far as the suspension of ‘@Official_SEA5’. Now @Official_SEA6 is also suspended.

How the hack happened is still unclear. According to the Enduring America website, the New York Times carried a story that included, “Shortly after the account was suspended, Mike Baker, a reporter for the news organization, posted a message saying that the attack may have originated with a spear-phishing campaign, in which attackers send a cleverly disguised e-mail from a friend, or work contact, that contains a malicious link or attachment.”

That has now been removed, and replaced with a brief comment, “An earlier version of this story incorrectly attributed a statement about a phishing attempt on The A.P.'s corporate e-mail system to a spokeswoman for the news organization. That person, an employee of The A.P., was not authorized to speak for the organization.” Commentators are now wondering, however, whether this implies that more than just the Twitter account was breached. 

Rick Westmoreland, a security analyst with SilverSky, expands: “@MikeBakerAP tweeted ‘The @AP hack came less than an hour after some of us received an impressively disguised phishing email.’ They also found malware had infected some company computers,” he added. “While we’re not sure if the Twitter account compromise was due to phishing or not, the fact that they found malware means the machines were likely in a vulnerable state, making new attacks that much more successful.”

It is worth noting that if AP computers are breached (or the computers of any other Twitter user), then two-factor authentication would not necessarily have stopped the hack – malware planted on the computers would be able to subvert the process.

Sean Bodmer, chief researcher for CounterTack, puts the hack down to a retaliatory PsyOps operation. (If correct, the clear implication is that SEA is engaged in pure and simple cyberwarfare against the US.) “This is novel and cute,” he comments, “but more important, it is clearly a payback for the March 2013 PsyOps campaign against the Syrian people fighting the rebellion the United States is clearly supporting.” Almost exactly one month ago it was falsely reported that Assad had been shot by a bodyguard. JSS News stated, “According to reports in the Arab press (and then republished in the Israeli press), information that journalists say they have ‘verified’ the Syrian dictator Bashar al-Assad was killed this morning by one of his bodyguards.” This is the PsyOps operation against Assad that Bodmer believes prompted the AP hack and tweet.
