How The Syrian Electronic Army Tried to Hack Ira’s Presentation

As many people heard, the Syrian Electronic Army took exception to Ira Winkler’s RSA presentation disclosing their methods and how to prevent them. RSA Conference posted the video of the presentation. In response, the SEA apparently hacked the RSA Conference website, rsaconference.com. Here are the results of our investigation into how this occurred.

While the attack may seem advanced, it is a traditional, low-tech attack by the SEA. While it demonstrates persistence, it does not demonstrate deep technical proficiency. To be clear, the RSA Conference site itself was not hacked. Additionally, Lucky Orange, which was essentially the attack vector, was also not hacked. It was a phishing attack against the staff of Lucky Orange’s DNS hosting company, which fell victim to the attack. Note: Lucky Orange has since changed the company performing the DNS hosting.

How the “Hack” Occurred

  1. When visitors with JavaScript enabled visit RSAConference.com, the site starts an analytics software tool, Lucky Orange.
  2. Lucky Orange then makes a call to a JavaScript program on an external site at: http://w1.livestatserver.com/w.js
  3. The SEA figured out the DNS provider; however, Lucky Orange had their DNS locked.
  4. The SEA searched LinkedIn and other resources, found names of current and former employees of the DNS provider, and sent spear phishing messages to those individuals. They assumed the standard format of the email addresses. The spear phishing messages appeared to be from the CEO and claimed to contain a link to a BBC news story relevant to the company. Users who clicked the link were prompted to log in to their system; the prompt was actually a user ID and password capture screen.
  5. An account executive (AE) fell victim to the spear phishing attack. The attackers used the captured AE credentials to log on to the DNS provider's customer account management system, and then reset the Lucky Orange logon credentials. They then logged on to the control panel as the Lucky Orange staff.
  6. They reset the address of the “w1” subdomain of the livestatserver.com domain, which sent calls to w1.livestatserver.com to a server controlled by the SEA. The result was that visitors to RSAConference.com running JavaScript would receive the following command:  window.location = "http://site.com/xxxx.png"; (Actual image redacted)
  7. That is the image file targeting Ira Winkler that people saw when visiting the RSA Conference site if JavaScript was enabled.
  8. Visitors to any website that also used the same analytics set from Lucky Orange, such as Memorybook.com, also received the image.
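A site owner can watch for the condition in steps 6 and 7 by periodically fetching each third-party script and comparing it with a known-good copy. The following is an added example, not part of the original write-up: the script bodies are constructed samples, and the function names and the idea of a pinned digest taken from a reviewed copy are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample bodies (not the real Lucky Orange script).
BASELINE_JS = b"(function(){ /* analytics bootstrap */ })();\n"
# One-line body matching the command quoted in step 6 (URL redacted on the page).
HIJACKED_JS = b'window.location = "http://site.com/xxxx.png";\n'
SCRIPT_URL = "http://w1.livestatserver.com/w.js"  # URL given in step 2


def sri_digest(body: bytes) -> str:
    """Return the Subresource Integrity value (sha384-<base64>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Statements that send the whole page elsewhere; analytics code rarely needs them.
NAVIGATION = re.compile(
    r"\b(?:window|top|self|document)\.location(?:\.href)?\s*=[^=]"
    r"|\blocation\.(?:replace|assign)\s*\("
)


def audit_script(url: str, body: bytes, pinned: str) -> list:
    """Compare a fetched third-party script with its pinned digest and flag risks."""
    findings = []
    if url.lower().startswith("http://"):
        # No TLS: nothing authenticates the server behind the DNS name.
        findings.append("plain-http")
    if sri_digest(body) != pinned:
        # Content differs from the reviewed copy (vendor update or tampering).
        findings.append("digest-mismatch")
    if NAVIGATION.search(body.decode("utf-8", "replace")):
        findings.append("top-level-navigation")
    return findings


if __name__ == "__main__":
    pin = sri_digest(BASELINE_JS)  # assumption: taken from a known-good fetch
    for name, body in (("baseline", BASELINE_JS), ("hijacked", HIJACKED_JS)):
        print(name, audit_script(SCRIPT_URL, body, pin))
```

A digest mismatch also fires on legitimate vendor updates, so it is a prompt for review; the mismatch combined with a top-level navigation is the pattern this incident produced.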

Conclusion

Yes, it was that simple and basic. It does demonstrate the importance of ensuring the security of your third-party providers. More analysis later.