The corporate account for Reuters’ parent company was briefly suspended on Monday after a high-profile attack by the Syrian Electronic Army.
The attack was the group’s first such compromise of a Twitter account in nearly two months.
Pro-government editorial began moving on the @ThomsonReuters Twitter account shortly after 6:00 p.m. Monday. Two hackers with the SEA confirmed to The Desk during the attack that the group had compromised the account; the SEA would later claim responsibility for the attack publicly.
Five tweets were published on the @ThomsonReuters account before it was suspended. The account acts mostly as a “window shop” service for Thomson Reuters’ many editorial and intellectual property offerings; no editorial accounts belonging to Reuters News appeared to have been compromised as part of the attack.
The attack broke a two month dry spell for the SEA regarding attacks against the social media accounts of news organizations. In May, the group attacked a Twitter account belonging to a local branch of ITV News. That attack came days after Twitter introduced two-step authentication in an attempt to offer better security to its users.
A hacker with the SEA who provided a screen grab of Monday’s attack told The Desk that Thomson Reuters had enabled two-step authentication on its account. The hacker told The Desk that they “don’t want to cause problems for anyone, it’s not our target.”
The SEA hacker also supplied The Desk with an email message purporting to originate from the inbox of the employee that was phished. That employee, identified in the email as Joel Leeman, was told by another employee that the SEA can send “convincing” email messages “if it’s done well.” The employee told Leeman to “go home,” adding that there was “nothing more you can do tonight.”
Management at Thomson Reuters did not return an email seeking comment.
Reuters is no stranger to pro-government groups operating within Syria. Two Twitter accounts were compromised last summer after editorial staff at Reuters received several email messages with phishing links. The accounts moved pro-Syria messages for several hours before they were suspended.
Perhaps the most high-profile attack against Reuters came when pro-government factions operating within Syria targeted a vendor that served blogs for Reuters’ website. An internal investigation found that the vendor who operated Reuters’ weblogs failed to install security updates and the latest version of the WordPress blog software, which left the blog network vulnerable to an attack.