Anatomy of a state-sponsored phishing attack: how the Syrian Electronic Army hacked The Onion

As I blogged earlier this week, the Syrian Electronic Army hacked The Onion's Twitter account and used it to post a bunch of dumb messages attacking Israel, the US, and the UN. Now, the Onion's IT administrators have posted a detailed account of how Syrian hackers used a series of staged and careful phishing attacks to escalate from a single naive user's email credentials to the password for the Onion's social media accounts.

Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Because it came from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.

After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.

At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account. Once we discovered this, we decided that we could not know for sure which accounts had been compromised and forced a password reset on every staff member’s Google Apps account.

I'm impressed by the cleverness of triggering a "password reset" message from the IT team, then sending out fake password-reset messages to users who aren't on the IT team to get them to click on yet another link. Most of the recommendations the IT team makes are pretty bland ("educate your users"), but these two recommendations are good:

The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (provided that you’re using unique, strong passwords for every account).

If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
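The forged password-reset email the IT team describes is catchable on two signals that don't depend on user training: the notice did not come from the one account that is allowed to send such notices, and the link it carries does not resolve to the organization's own domain. Below is an added example of that check in Python; it is not code from The Onion's IT team or from this post, and the organization domain (`example.com`), the authorized sender address (`it-help@example.com`) and the three sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation details (hypothetical; not from the original post).
ORG_DOMAIN = "example.com"
# Only this mailbox is allowed to send password-reset notices to staff.
RESET_SENDERS = {"it-help@example.com"}

RESET_PATTERNS = re.compile(
    r"\b(password\s*reset|reset\s+your\s+password|change\s+your\s+password)\b", re.I
)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def host_in_org(url, org_domain=ORG_DOMAIN):
    """True only if the link's host is the org domain or a subdomain of it.

    Matching on the registrable suffix (not `org_domain in host`) is what
    defeats lures like accounts.example.com.login-verify.net.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == org_domain or host.endswith("." + org_domain)


def message_text(msg):
    """Concatenate text/plain and text/html parts so links in either are examined."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def check_reset_mail(raw):
    """Return the reasons a message looks like a forged password-reset lure.

    An empty list means either the message makes no reset claim at all, or it
    comes from an authorised sender and every link stays inside the org domain.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    body = message_text(msg)
    reasons = []
    if not (RESET_PATTERNS.search(subject) or RESET_PATTERNS.search(body)):
        return reasons
    if sender not in RESET_SENDERS:
        reasons.append(f"reset notice from unauthorised sender {sender}")
    for url in URL_PATTERN.findall(body):
        if not host_in_org(url):
            reasons.append(f"reset link points outside {ORG_DOMAIN}: {url}")
    return reasons


# Constructed sample messages (not real mail from the incident).
LEGIT = """From: IT Help <it-help@example.com>
To: all-staff@example.com
Subject: Please change your password immediately

We have discovered a compromised account. Change your password at
https://accounts.example.com/reset now.
"""

# The attacker's duplicate: same subject, sent from a compromised staff
# account, with the link pointing at a look-alike host.
LURE = """From: Jane Staff <jane@example.com>
To: all-staff@example.com
Subject: Please change your password immediately

We have discovered a compromised account. Change your password at
https://accounts.example.com.login-verify.net/reset now.
"""

CHATTER = """From: Jane Staff <jane@example.com>
To: all-staff@example.com
Subject: Lunch

Anyone up for tacos? https://www.example.com/menu
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("LURE", LURE), ("CHATTER", CHATTER)):
        print(name, check_reset_mail(raw) or "ok")
```

Run stand-alone, only `LURE` produces findings: one for the unauthorized sender and one for the off-domain link. A filter like this only covers the lure the post describes; it does nothing against a phishing page reached some other way, which is why the out-of-band contact channel in the second recommendation still matters.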

How the Syrian Electronic Army Hacked The Onion (via /.)


    1. Vice has an interview with an alleged member of the SEA about the hack (google “Speaking with an Alleged Member of the SEA about Hacking The Onion’s Twitter Account”).

      Also, does anyone know the source of the “state-sponsored” in the headline? The SEA claims they’re not affiliated with the Syrian government so I’m wondering what bb is using as the source for that claim.

      1. In June 2011, just a few short months after protests first erupted in Syria, the country’s president, Bashar Al-Assad, made a speech in which he thanked a group called the “Syrian Electronic Army” (SEA). Calling it a “virtual army in cyberspace,” Al-Assad praised the group for its effort in trying to shape the Syrian narrative.

        If the unpopular president is thanking your group publicly you can guarantee it’s either already or soon-to-become state sponsored.

  1. I saw something about this, but I thought it was just — you know, The Onion.

    If the Syrian Real Army were as good at picking targets as the Syrian Electronic Army, the rebels would have very little to worry about.

  2. I still call shenanigans. Hacking a humor site is a bit like assaulting a masochist. All that scheming and no goal? I suppose this could have been a “dress rehearsal” for some bigger, more significant hack, but so far the net result here is that The Onion has drawn more attention to itself.

    1. This is true, but at the same time your average terrorists, or lackeys of a despot or what have you, very often don’t seem to get the purpose of humor at all.

  3. So the Moral Of The Story is to have a “honey-pot” email account that seems to be that of an ordinary user but is secretly funnelled off to someone in IT security.

  4. I may be missing something here, but how did they distinguish between the IT sec team and the others who got phished? Was it just social engineering?

  5. Seems like the Onion would be a good organization to practice on before a real attack.

  6. Oh man I heart the onion. This is clearly what pissed off the Syrian Eunuch Association:,31805/

    Apparently the Syrian Eunuch Association called off their hack on The Onion:,32327/

    “Look, when the Syrian Electronic Army hacks into a website, we want users to immediately see our message that Zionist-controlled interests are distorting the facts that come out of Syria, not a bunch of huge, constantly looping ads for God knows what that assault the senses and literally leave you nauseated. And when we looked at the layout of The Onion’s homepage, we immediately realized the huge mistake we’d made.”

    Oh and fuck you SEA – come get me bro. Show your 1337 skills. Your dear leader al-Asshole is soon going to be a corpse.
