The homepage and some section fronts of Washington Post Mobile were hijacked on Thursday evening for a period of around 30 minutes, according to the Guardian. The attackers gained direct access to the systems controlling which content is displayed to users and exploited this to redirect visitors to their own servers.
The Washington Post quickly regained control of the site but not before users had been bombarded with messages criticising the U.S. government’s response to the issues in Syria. The paper’s chief information officer said in a statement: “The situation has been resolved and no customer information was impacted.”
The pop-up messages were displayed in JavaScript alert boxes rendered in the phone’s operating system interface. They included “The media is always lying,” “US govt is training the terrorist to kill more Syrians” and, simply, “You’ve been hacked by the Syrian Electronic Army.”
The state-sponsored group targets people critical of the Assad regime and has claimed responsibility for several major attacks in recent times. The collective’s official Twitter account quickly announced the hijacking of the Washington Post, saying that they wanted to “deliver a message”.
Motherboard analysed how the attacks were carried out and spoke to a member of the group known as Th3 Pr0. They attacked a content-delivery service (CDN) called Instart that the Washington Post uses to display its content to its visitors.
Th3 Pr0 told Motherboard that the group had been intending to hack the main Washington Post site alongside the mobile version but that Instart administrators were quick to take the control panel offline, preventing the Syrian Electronic Army from taking any further action.
