Microsoft: Targeted phishing attacks allowed SEA to steal law enforcement documents

Recall when SEA hackers vowed to publish proof of Microsoft 'spying'? Microsoft admitted that some employees were hit with targeted phishing attacks and that 'documents associated with law enforcement inquiries were stolen.'

Since the start of 2014, the Syrian Electronic Army (SEA) has twice attacked Microsoft, accusing the Redmond giant of helping the government spy on and monitor our email as well as warning people not to use Microsoft email like Hotmail or Outlook. The first hack was via all of Skype's social media accounts. In the second, the SEA took over verified Twitter accounts belonging to Microsoft News and Xbox Support, the official Microsoft blog on TechNet, and Microsoft's Instagram account. Now, Microsoft admitted that some employees' social media and email accounts were hit with targeted phishing attacks and "documents associated with law enforcement inquiries were stolen."

Adrienne Hall, General Manager, Trustworthy Computing Group, said:

While our investigation continues, we have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen.

You may recall that the Syrian hackers promised to deliver the digital dirt on Microsoft spying on behalf of governments, vowing to publish documents proving that "Microsoft is monitoring emails accounts and selling the data for the American intelligence and other governments."

Previously, after both Microsoft-focused SEA hacks, Microsoft quickly issued statements denying that any customer information was compromised. After Skype regained control of its hijacked Twitter account, it tweeted:

After Microsoft was directly attacked, the company issued several statements, including, "Microsoft is aware of targeted cyberattacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised."

However, on Friday, Microsoft's stated, "If we find that customer information related to those requests has been compromised, we will take appropriate action. Out of regard for the privacy of our employees and customers - as well as the sensitivity of law enforcement inquiries - we will not comment on the validity of any stolen emails or documents."

SEA strikes CNN with targeted phishing attacks

The day before Microsoft admitted that law enforcement documents were likely stolen, SEA struck again. This time, the hackers hijacked some of CNN's Twitter, Facebook and blog accounts. According to BuzzFeed, SEA sent out the following five tweets from @CNN:

CNN issued the statement: "The affected accounts included CNN's main Facebook account, CNN Politics' Facebook account and the Twitter pages for CNN and CNN's Security Clearance. Blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire were also hacked."

Like the attacks on Microsoft, SEA used phishing emails to gain control of the social media accounts, a wave of six phishing emails to CNN employees.  A "source with knowledge of the attack" told Mashable:

"It was a very theatrical and well-orchestrated event," according to a source with knowledge of the attack. He said the emails were all written in good English, contained links that looked legitimate and appeared to come from real CNN email addresses.

One email asked recipients to update their Turner Broadcasting System password, while another asked them to update their Office 365 (CNN's internal email system) password. A malicious links sent recipients to a fake version of this Office 365 login page, which the hackers designed specifically to steal employee credentials.

After one CNN employee took the bait and entered his password on a spoofed site, it gave SEA hackers "access to his Hootsuite account, which was linked to various CNN social-media accounts and even his CNN Wordpress account. This breakthrough gave them the power to post on multiple Twitter accounts, and even publish fake news on"

After taking control of the passwords of six CNN employees, the hackers began sending a second wave of phishing emails, this time using the victims' real email accounts. The emails warned of an attack, and asked recipients to change their passwords to avoid further hacks; it was a clever attempt to harvest more logins and passwords.

An SEA hacker going by the alias of Th3 Pr0 told Mashable that the hackers "exploited a vulnerability in Office 365 to get the malware on the victims' computers." There is thus far no evidence (that I know of) to support that claim, but it could have happened.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2014 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022