Website Defacement – What You Need to Know

This week, Charlie discusses website defacement and how to respond to it, and looks into some of the reasons why this type of cyber attack occurs.

In the Live Online BCT Certificate in Cyber Incident Management (NCSC Assured Training) course I teach, we discuss various types of cyber attacks, and one of the types of attacks I cover is website defacement. So I thought for the bulletin this week, I would share some insights on the subject.

What is it?

I looked at a number of definitions, but I thought this was the clearest: ‘Web defacement is an attack in which malicious parties penetrate a website and replace content on the site with their own messages. The messages can convey a political or religious message, profanity, or other inappropriate content that would embarrass website owners, or a notice that the website has been hacked by a specific hacker group.’[1] This very much describes what occurs when a website has its content changed for various reasons. One of the other differences between this and many other cyber attacks is that on the whole, there is rarely a financial motive involved.

Websites are not the only media that can get hacked and display different content. Social media accounts can be taken over, either having their backgrounds changed to display a different message or posting the hacker’s content. TV and radio channels can also be hacked to display the hacker’s contents. A good example of this is the hack by pro-Ukrainian hackers, which hacked into Crimean TV channels and replaced their content with a speech by President Volodymyr Zelensky, vowing to liberate the peninsula. They also renamed all the channels “Putin is a di**head”.

Who is doing this and why are they doing it?

There are lots of different motivations for carrying out defacement and different groups carrying this out:

1. ‘For fun’
   
   Some of the defacers just do it for the same reasons as graffiti artists. They want people to see their tag, they have bragging rights for the sites, they boost their self-esteem purely for the thrill of doing it. They may also be showing off their skills or trying to position themselves for hire as a website security person. An example of this occurred in 2018 when the NHS (National Health Service) website hosting data from patient surveys operated was defaced by unknown attackers (See Figure 1). There appears, upon inspection, to be no political or hacktivist motivation for this defacement.
   
2. Patriotism
   
   Many website defacements are driven by a patriotic cause. Many incidents occur very shortly after interstate conflict. This can be caused by governments such as the hacking and destruction of Ukrainian government websites by alleged Russian state hackers, to supporters of Hamas and Palestinian causes immediately after the attack on Israel in October 2023. The attacks started within hours of the 7th October attack, and many of them were not against Israeli government sites, but rather targeted businesses alongside several Israeli government sites, such as a housing association, a large public college, and a subdomain of the Israeli Defence Forces. Ongoing defacement of Indian and Pakistani business websites has taken place, carried out by both Indian and Pakistani hacktivists in response to the ongoing Kashmir conflict.
   
3. Internal conflicts
   
   There was a defacement of 40 Indonesian websites in September 1998 which displayed ‘Free East Timor’ and contained links to other websites that described human rights abuses by the governing power at the time, the Indonesian government. The defacement of a number of US government websites in 2020 by two Iranian hackers posted various images of the late Iranian military general Qasem Soleimani, along with messages against the US government and also offensive images of the then-current US President, Donald Trump[2] . These messages were then posted on The Best Of Minneapolis and the US Library Program website.
   
4. Activism or support of a cause
   
   The hacktivist group, Anonymous, defaced 500 Chinese websites in reaction to censorship by the Chinese government. On the defaced pages, they wrote: ‘Chinese People, your government controls the internet in your country and strives to filter what it considers a threat for it. Be careful. Use a VPN for your own security. Or Tor.’ Alongside pro-Hamas and pro-Israeli hacktivists attacking Israeli and Hamas websites, hackers from other nations have joined in attacks. Russian and Iranian hacktivists also targeted Israeli government sites, while Indian hacktivists attacked Hamas websites in support of Israel. Former President Trump’s personal website was defaced by hackers who disagreed with his politics. One of the earliest defacements was against the US Department of Justice and the newly passed Communications Decency Act (CDA), where hacktivists posted text saying ‘Department of Injustice’ and showed pornographic images. In my research, I couldn’t find a reference to climate change protesters using defacement as a weapon against what they believe are polluting companies.
   
5. To shame or embarrass the website owner
   
   This could be to shame the site’s owner if they don’t have effective security in place. It could also be an act of revenge if, for example, an organisation’s former website administrator is sacked and they carry out a revenge attack, or if a third admin of a website has not been paid. In 2020, the Spanish Presidency website, eu2010.es, was hacked and defaced by hackers (see Figure 2). Although the entire site remained functional, the image of Spanish Prime Minister José Luis Rodriguez Zapatero was replaced with that of comedian Rowan Atkinson, known for his role as Mr. Bean. The motive behind such website defacement was simply to mock and embarrass Mr. Zapatero.
   

What is the impact?

The impact of website defacement is rarely long-lasting, except where the website delivers e-commerce or e-government. If these websites are destroyed and replaced by a defaced site, then the impact can be long-lasting to rebuild the site and restore its functionality. Data could be lost in this type of attack. The main impacts of website defacement are as follows:

1. Shame and embarrassment to the website owner
2. Loss of confidence and trust in the organisation, their brand, and their ability to secure their IT assets
3. Put in the mind of their stakeholders that this could be part of a wider cyber attack leading to a lack of confidence in the organisation
4. If the site is an e-commerce site, the cost of downtime and restoring the system
5. Loss of SEO ranking; defacement can negatively impact your website’s SEO ranking as Google may flag it as a security risk and lower its ranking in search results
6. Scare and unnerve opponents in the support of a cause
7. If illegal content such as child pornography or hate speech is included as part of the defacement, then the organisation will have to deal with the legal aspects of this
8. Loss of the website’s ability to be used as a communications tool

What I have learned from my research

So, as business continuity practitioners, what can we learn from this?

Defacement is a threat to all organisations, and we should think through how our organisations would deal with it as an incident, especially if the hackers gain control of our website and make it difficult to regain control.

1. Just because you are not a high-profile organisation, it does not mean you are not vulnerable. Many of the Israeli website defacements targeted organisations not associated with the conflict but happened to have .il (Israel) URLs
2. Think through how you would communicate with stakeholders if your main website was unavailable
3. Once you have regained control, can you quickly rebuild or replace the pre-hacked website, or do you have a contingency website that you can use in the meantime?
4. Do you have third-party or in-house expertise to investigate how the breach occurred and to ensure that the hackers cannot regain access to the website?
5. How good is your website security? Those who deface ‘for fun’ look for easy-to-hack websites with known vulnerabilities
6. Do you have software on your website that can detect changes in content and alert you?
7. When there is the start of an international conflict, there is usually an upsurge in defacer activity, so you should be extra vigilant if there is a possibility that your website could be defaced as part of a wider campaign
8. Website defacement is a reputational issue and makes for a good exercise scenario!

Defacement is just another in the long line of threats and risks you should be thinking about and perhaps writing playbooks on how you would respond.

[1]   https://www.imperva.com/learn/application-security/website-defacement-attack/

[2] https://www.justice.gov/opa/press-release/file/1316891/download