Full Report
A number of seemingly unconnected Western websites were hacked over the weekend, with messages claiming Islamic State as the perpetrator.
Analysis Summary
# Incident Report: Website Defacements Claiming ISIS Affiliation
## Executive Summary
Various seemingly unconnected Western websites were defaced over a weekend in March 2015. Each defaced page displayed an ISIS flag and played Arabic-language audio, with a message purporting to claim responsibility on behalf of the Islamic State. The FBI opened an investigation, but security analysts were skeptical of any genuine link to ISIS and suggested the attackers were more likely ordinary hackers seeking media attention. No data exfiltration was suspected.
## Incident Details
- Discovery Date: Weekend of March 7-8, 2015 (Implied/Reported)
- Incident Date: Weekend prior to March 9, 2015
- Affected Organization: Diverse Western websites (e.g., Dublin Rape Crisis Centre, Eldora Speedway, MERS Goodwill, Elasticity, Moerlein Lager House, Sequoia Park Zoo, churches, bars)
- Sector: Non-profit, Entertainment, Retail, Digital Agency, Hospitality, Religious
- Geography: Unspecified, but included US locations (Missouri, Ohio, Massachusetts, Minnesota, Montana mentioned in supporting reports).
## Timeline of Events
### Initial Access
- Date/Time: Weekend prior to March 9, 2015
- Vector: Website Defacement (Specific technical vector not detailed)
- Details: Attackers obtained enough access to modify website templates or index pages.
### Lateral Movement
- Not applicable/Not reported. The attack appears limited to page defacement.
### Data Exfiltration/Impact
- Impact: Websites displayed a black ISIS flag with the message "Hacked by ISIS, we are everywhere," accompanied by an embedded Flash audio plug-in playing music in Arabic.
- Data Stolen: Authorities do not believe any data was stolen.
### Detection & Response
- Detection: Websites displayed the defacement messages publicly over the weekend.
- Response Actions: The FBI became aware and began contacting impacted parties involved in the reported incidents.
## Attack Methodology
- Initial Access: Website Compromise (Likely exploiting known vulnerabilities or weak configurations for page modification).
- Persistence: Not applicable or not detailed (Focus was on immediate defacement).
- Privilege Escalation: Not detailed.
- Defense Evasion: Utilizing a high-profile, controversial group association (ISIS) to generate media coverage.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: None reported.
- Impact: Reputation damage and display of unauthorized content (Defacement).
## Impact Assessment
- Financial: Not estimated, but potential costs related to remediation and incident response for multiple organizations.
- Data Breach: None believed to have occurred.
- Operational: Minor disruption due to website downtime or content modification requiring restoration.
- Reputational: Damage associated with the high-profile and controversial nature of the claimed affiliation.
## Indicators of Compromise
- Network Indicators: None publicly disclosed.
- File Indicators: Modified website files (templates or index pages) that render the defacement page and embed the Flash audio content.
- Behavioral Indicators: Unauthorized modification of public-facing web pages, playback of an embedded audio file.
## Response Actions
- Containment measures: Undetermined, likely involved taking affected sites offline or restoring previous versions of web pages.
- Eradication steps: Undetermined, but would involve removing unauthorized files and closing the vulnerability exploited for the defacement.
- Recovery actions: Restoring impacted websites to their last known good state.
## Lessons Learned
- Security analysts suggest that high-profile claims, especially involving terror groups, should be treated with initial skepticism in the absence of immediate verification, as they are often used by ordinary hackers for attention.
- Diverse, unrelated organizations can be targeted simultaneously in generalized campaigns.
## Recommendations
- Organizations should regularly patch web servers and application software to prevent common exploitation vectors suitable for website defacement.
- Implement strict monitoring and alerting for unauthorized changes to public-facing web application files (File Integrity Monitoring).
- Review any third-party plugins or embedded components discovered on a site during an incident (such as the Flash audio plug-in reported here) for security vulnerabilities.
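As an added illustration of the file-integrity-monitoring recommendation above (example code written for this report, not tooling used by any of the affected organizations), the script below baselines a web root by SHA-256, reports modified, added and removed files on a later check, and additionally flags changed HTML pages that embed a `.swf` object, since the reported defacement relied on an embedded Flash audio plug-in. The markup pattern, the file extensions checked and the sample web root are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Markup characteristic of the reported defacement: an embedded Flash (.swf) object.
# The pattern is an assumption; the report only states that a Flash audio plug-in was used.
SUSPICIOUS_MARKUP = re.compile(r"<(object|embed)\b[^>]*\.swf", re.IGNORECASE)
PAGE_EXTENSIONS = (".html", ".htm", ".php")  # assumed page types worth inspecting


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map every file under webroot (path relative to webroot) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, webroot)] = sha256_file(full)
    return baseline


def check_webroot(webroot, baseline):
    """Compare the current web root against a baseline and return findings for alerting."""
    current = build_baseline(webroot)
    findings = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "suspicious_markup": [],
    }
    # Inspect only pages that changed: a defacement replaces or edits the served page.
    for rel in findings["modified"] + findings["added"]:
        if rel.lower().endswith(PAGE_EXTENSIONS):
            with open(os.path.join(webroot, rel), "r", errors="replace") as f:
                if SUSPICIOUS_MARKUP.search(f.read()):
                    findings["suspicious_markup"].append(rel)
    return findings


def demo():
    """Constructed web root: baseline a clean site, then simulate a defaced index page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome</body></html>")
    baseline = build_baseline(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write('<html><body><embed src="audio.swf"></body></html>')  # constructed defacement
    with open(os.path.join(root, "audio.swf"), "wb") as f:
        f.write(b"FWS")  # constructed placeholder bytes, not a real SWF file
    return check_webroot(root, baseline)
```

In production the baseline would be stored off-host and the check run on a schedule, with any non-empty finding raised as an alert.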