Around 11am on Tuesday, journalists at the Maryland CBS affiliate WBOC noticed that their Twitter password had been changed. Employees watched, powerless, as a string of militant tweets were blasted to the station’s 18,000 followers. A half-hour later, photos declaring support for the Islamic State in Iraq and Syria began appearing on their website’s homepage.
“INFIDELS, NEW YEAR WILL MAKE YOU SUFFER,” read one tweet by the digital attacker, which labeled itself the “CyberCaliphate.” WBOC soon contacted Twitter and local authorities, and the anonymous actor shared information claimed to be stolen from the FBI. Though WBOC’s internal servers were not compromised in the attack, wrestling back control of its website took hours. Its Twitter account, meanwhile, still displayed images posted by the CyberCaliphate as of Wednesday afternoon.
“We’re pretty sure they got in using the login and password of one of our members in the news department,” station general manager Craig Jahelka told Maryland radio station WGMD. “We’re not sure how they got it, but when they got in they somehow managed to figure out two other employees’ log-ins and passwords.” Jahelka declined CJR’s request for comment.
WBOC wasn’t alone in falling victim to a cyberattack on Tuesday. The Facebook and Twitter accounts of the Albuquerque Journal were also commandeered by the CyberCaliphate. Internal servers at the newspaper, which faced a similar attack in December, were not hacked, it said in a statement. But the perpetrators shared Islamist propaganda, along with information purportedly derived from confidential federal documents, before the newspaper regained control of its profiles.
An FBI representative told CJR that “we are aware of the reports and looking into it.” Representatives for Twitter and Facebook declined to comment. No one contacted for this article could shed light on why these local news organizations were targeted.
The cyberattacks are the latest evidence of a growing threat to news organizations’ digital security, a threat that many outlets have only recently begun to take seriously. Cash-strapped newsrooms often lack the resources to implement security measures and conduct employee training programs. Individual journalists, meanwhile, may perceive high barriers to entry when it comes to protecting their digital information. But the conversation surrounding such initiatives has crescendoed in wake of revelations about government surveillance programs in recent years, thanks largely to secure communications between journalists and former National Security Agency contractor Edward Snowden.
“Some organizations, especially those working with the Snowden documents, put the resources together to keep those documents safe,” said Jenn Henrichsen, a technologist at the Reporters Committee for Freedom of the Press. “But in general, news organizations are still waking up to this. And maybe they’re at a loss of where to start.”
National and international news organizations have been quicker to employ complex defense systems, as they not only boast more cash, but also are bigger targets. The pro-Bashar al Assad Syrian Electronic Army brought down The New York Times’ website in 2013, the same year it briefly took control of the Associated Press’ Twitter account. The one tweet the non-state hacking collective managed to share — alerting followers of a faux explosion at the White House — caused the Dow Jones Industrial Average to nosedive about 150 points in two minutes. What’s more, research by Google security experts last year found that 21 of the world’s 25 most popular media outlets have been targeted by state-sponsored hacking attempts.
“The ones of that top 25 that were not found to be targeted by people mainly had a focus on sports and entertainment, unsurprisingly,” Morgan Marquis-Boire, who co-authored the research, said at a November panel in Washington. He now heads digital security at First Look Media.
“We need to not think of these as isolated events,” he added. “This is reasonably continuous. It’s merely the discovery of these actors that are isolated events, and that’s the scary thing.”
Many cyber attacks come in the most mundane of forms, said Kevin Gallagher, a systems administrator at the Freedom of the Press Foundation. Foremost among them is phishing, a tactic in which attackers trick users into revealing sensitive information, usually with a link in a seemingly normal email.
“They’re very easy to do, though only a certain percentage of them are effective,” said Gallagher, whose organization is one of several trying to educate journalists about security. “So typically it’s deployed widely. These things are frequently well-crafted and disguised to look like something else. People fall for it.”
The Albuquerque Journal’s social media account takeovers appear to stem from such an attack, according to Monty Midyette, IT director for the Albuquerque Publishing Company, which prints the paper. “Any accesses were done via user ID and password,” he said in an email, adding, “from what we see our security measures held up, none of our systems were hacked that we have been able to detect.”
Journal Editor Kent Walz directed CJR’s questions to the news organization’s IT department, though he summed up the situation in a brief email: “Interesting times.”