Hijackers deface 800 school websites with pro-Islamic State messages

Early Monday morning, the websites for about 800 US schools and school districts were hijacked and replaced with an image of Saddam Hussein on a black background, a recruitment video in Arabic and the statement “I Love Islamic State” in English, according Jim Brogan, director of technology services for schools in Gloucester County, Virginia.

This should all ring a bell, given that hackers going by the same name have been more or less making the same defacements for years. Namely, a photo of Hussein accompanied by an Arabic message seen on an IS flag that reportedly reads “There is no god but Allah” and “Mohammed is the Messenger of God.”

According to the International Business Times, the web hosting company that services the sites – SchoolDesk, in Atlanta – confirmed the attack and said that a group going by the name “Team System DZ” claimed responsibility.

SchoolDesk’s statement:

Our technical staff discovered that a small file had been injected into the root of one of the SchoolDesk websites, redirecting approximately 800 school and district websites to an iFramed YouTube page containing an audible Arabic message, unknown writing and a picture of Saddam Hussein.

SchoolDesk said that it’s enlisted an outside security firm and is actively working with various local, state and federal law enforcement agencies, including the FBI.

Hackers using the name Team System DZ have pulled similar stunts in the past. The group, which was credited in the message displayed on the affected school sites, is associated with an account that boasted of breaching Zone-H: an archive of defaced websites where users can upload evidence of their online vandalism.

Zone-H classifies the hackers as a group of “anti-Israeli Arab teenagers,” according to a 2015 report from USA Today that screams of deja vu. In January 2015, the official website for the government of Isle of Wight County in, once again, Virginia, was hacked by a group calling itself Team System DZ, its website littered with propaganda videos, messages supporting IS, and an English message stating that “I love isis.”

They don’t change up that valentine very much: when hackers using the same name defaced the home page of the West Yorkshire Rugby League club’s Keighley Cougars in 2014, they put up a black screen that read “Hacked By Team System DZ” at the top and the message: “I love you isis”.

As the Washington Times reports, the group has taken credit for pro-IS defacements allegedly affecting hundreds of other targets, including companies, non-profit organizations and federal agencies, ranging from an Alabama gasket installer to the National Oceanic and Atmospheric Administration (NOAA). It’s also targeted websites running the same or similar versions of vulnerable applications, the newspaper reports, including a mass hacking campaign in June that affected government agencies in several states, including the Los Angeles Board of Supervisors and the office of Ohio Gov. John Kasich.

As far as the School Desk sites go, they were down for about five hours – between 2 am and 7 am – before School Desk fixed the problem. No Gloucester student records or other data was breached, Brogan said, given that such information is kept separate from the school’s site.

What to do?

If you run a website, regardless of its being politically oriented or completely apolitical, make sure you do everything you can to keep it as secure as possible.

Defacing a site isn’t rocket science. But, fortunately, neither is protecting a website from opportunistic vandals. SophosLabs has a paper that can help: “Securing websites”.

Another recent story about hackers hacking a hacking site gave us an opportunity to pass along a few obvious precautions you can take for your own online service:

  • Patch promptly. If the crooks know what server software version you’re using, and it has a known security hole, they may be able to break in automatically. In other words, if you haven’t patched, you’re the low-hanging fruit.
  • Choose decent passwords. If the crooks can guess your password, or if you used the same password on another site that already got hacked, then the crooks don’t need to do any hacking themselves – they can just login directly.
  • Use two-factor authentication (2FA). A one-time code that changes every time you login means that just guessing or stealing your password isn’t enough. If the code is calculated on or sent to your phone, then the crooks need your phone (and its unlock code) as well, which is a higher bar to jump over.
  • Check your logs. If you keep logfiles for auditing purposes – for example, so you can check who logged in when – examine them proactively in order to find security anomalies sooner rather than later.