
Jester defaces website but the Russian Government isn’t laughing

'Batman of the Internet' lectures Putin regime about Dyn attack

The Russian Ministry of Foreign Affairs’ website is normally a pretty sedate read.

Visitors see an imposing image of the Ministry’s famous Stalin-era Moscow headquarters below which usually run dry reports on the latest work of Russia’s foreign ministers and diplomats.

On Friday, things were unexpectedly different.

“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” began a proclamation in English on the home page.

The message mentioned that day’s huge DDoS on DNS provider, Dyn:

It doesn’t matter whether it’s you and China, you and North Korea, or you and some random group calling themselves ‘New World Hacking’ – it’s still a pathetic flex.

Then, to the point:

Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.

Now, get to your room. Before I lose my temper.

The “I” in this case is a hacker called Jester, aka the “Batman of the internet”. According to the FBI, this is a figure previously blamed for attacks on sites that pushed anti-American Jihadist propaganda.

It’s the sort of prank defacement of an obscure government website that would barely be noticed on most days, but these are not most days.

The Russian Foreign Ministry was not amused but claimed the attack affected an old version of the official site.

Maria Zakharova of Russia’s Ministry of Foreign Affairs said in a Russian-language response on Facebook quoted by the International Business Times:

Specialists are working out what happened. If they establish there was hacking by Americans, even of a resource that wasn’t working, this is far from pleasant.

Zakharova added that it is as if:

[A] cyber-machine of destruction has started acting.

Leaving aside the geopolitics of a self-styled US hacker attacking a Russian Government website (an entire topic these days), two intrigues emerge from the attack.

The first is that, surprisingly, website defacements still have currency.

Defacements are a basic kind of hack, often targeting weak logins or site vulnerabilities, that were all the rage about five or six years ago. Then, as the volume of defacements surged and security was tightened up, people stopped paying attention.

A notable exception to this rule was an attack by defacement specialists The Syrian Electronic Army (SEA) in late 2014 that managed to redirect hundreds of well-known websites after breaching DNS provider Gigya.

This wasn’t classic defacement but it performed the same function of hijacking trusted websites for propaganda purposes.

Friday’s attack perhaps marks the moment defacement as a way of attracting attention started working again. It could be timing – the US and Russia are at each other’s throats over numerous issues and old-fashioned symbolic slights are once again newsworthy.

The second is the Jester.

Attacks driven by the ideas and grudges of an individual (assuming Jester is an individual) willing to boast about his or her exploits aren’t common.

Jester was directly referenced in the US TV show Mr Robot, which follows the hacking exploits of a Jester-like character, Elliot Alderson. Being mentioned in a hit TV show must feel like importance of zeitgeist-level proportions.

The entangling of real-world events with fiction sounds like poetic prophecy: nobody knows what is going on any more but we can always wait for the next episode to reveal a little more of an unsolvable mystery.


8 Comments

Nothing was defaced. You guys should be embarrassed to be promoting this con artist.


If I send someone to a URL that appears to be on your server, that shows up in the address bar as being on your server, and actually *IS* on your server, and your server sends back a page showing my modifications mixed in with your official content…

…then saying that’s not a defacement is like saying that I haven’t defaced your car if I slap a derogatory sticker on your windscreen instead of painting it on.

Apparently this was a cross-site scripting (or cross-site content injection) vulnerability that was exploited to trick the server into sending back compromised content. Insisting that this isn’t defacement sounds to me like saying that a program isn’t really malware if the user has to open an attachment first – a bit of a semantic dance that is cold comfort to the victim.


I did consider this but it was impossible to tell at the time of writing (not helped by Russian Government rebuttals that weren’t translated).

But the point about defacement is not whether he broke into the CMS but that it appeared that he had. In terms of publicity and propaganda, perception becomes powerful.


To Sigh: At least this “con artist” is doing something (ANYTHING)…. Obviously our government is incapable or unwilling to respond. Not a big fan of black hat, but in this case, KUDOS!


Update: it is now being reported that the defacement didn’t happen and was a clever illusion. Perception is becoming truth.


What they’re reporting is that Jester exploited a reflected XSS vulnerability in the website. To be clear what that means: for anyone who clicked on Jester’s link the website was defaced; for anyone who reached it by other means, it wasn’t. What Jester didn’t do was gain access to the web server.

Reflected XSS vulnerabilities can be very serious – they can be used to spread malware, harvest session cookies and conduct phishing attacks among other things.

Characterising this attack as an illusion on the grounds that it was a reflected XSS invites the perception that this was somehow not an attack or not serious and I don’t agree with either.

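The reflected-XSS mechanics the comment above describes, as an added example that is not part of the original article or its comments: a constructed, hypothetical search handler that reflects a query parameter into the page unescaped, the same handler with the input HTML-escaped, and a response-side check that flags pages echoing request-supplied markup. The page template, the parameter name `q` and the crafted link are all assumptions; the template on "disk" is never modified, which is why only visitors who follow the crafted link see the altered page.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the official page as stored on the web server.
# A reflected XSS leaves this string untouched; only a response built from a
# crafted request differs from the normal page.
OFFICIAL_TEMPLATE = (
    "<html><body>"
    "<h1>Ministry News</h1>"
    "<p>Search results for: {query}</p>"
    "</body></html>"
)


def _query_param(query_string: str) -> str:
    """Extract the (assumed) 'q' parameter; parse_qs also percent-decodes it."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Hypothetical vulnerable handler: reflects 'q' into HTML verbatim."""
    return OFFICIAL_TEMPLATE.format(query=_query_param(query_string))


def render_hardened(query_string: str) -> str:
    """Same handler with the fix: escape untrusted input for an HTML text context."""
    return OFFICIAL_TEMPLATE.format(
        query=html.escape(_query_param(query_string), quote=True)
    )


def reflects_unescaped_markup(query_string: str, response_body: str) -> bool:
    """Detection check for a scanner or response-side WAF rule: does the body
    contain request-supplied markup character for character?"""
    q = _query_param(query_string)
    return "<" in q and q in response_body


# Constructed inputs: a crafted link carrying a defacement banner, and an
# ordinary search that any other visitor might make.
CRAFTED_LINK_QUERY = "q=%3Ch1%3EConstructed+banner%3C%2Fh1%3E"
NORMAL_QUERY = "q=visa+requirements"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_LINK_QUERY))
    print("hardened:  ", render_hardened(CRAFTED_LINK_QUERY))
```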
