Website Defacement – What You Need to Know

Charlie Maclean-Bristol discusses website defacement, how to respond to it, and some of the reasons why this type of cyber attack occurs.

What is it?

I looked at a number of definitions, but I thought this was the clearest:

“Web defacement is an attack in which malicious parties penetrate a website and replace content on the site with their own messages. The messages can convey a political or religious message, profanity, or other inappropriate content that would embarrass website owners, or a notice that the website has been hacked by a specific hacker group.” [www.imperva.com]

This very much describes what occurs when a website has its content changed for various reasons. One of the other differences between this and many other cyber attacks is that on the whole, there is rarely a financial motive involved.

Websites are not the only media that can get hacked and display different content. Social media accounts can be taken over, either having their backgrounds changed to display a different message or posting the hacker’s content. TV and radio channels can also be hacked to display the hacker’s contents. A good example of this is the hack by pro-Ukrainian hackers, which hacked into Crimean TV channels and replaced their content with a speech by President Volodymyr Zelensky, vowing to liberate the peninsula. They also renamed all the channels “Putin is a di**head”.

Who is doing this and why are they doing it?

There are lots of different motivations for carrying out defacement and different groups carrying this out:

 1. “For Fun”

Some of the defacers just do it for the same reasons as graffiti artists. They want people to see their tag; they have bragging rights for the sites; they boost their self-esteem purely for the thrill of doing it. They may also be showing off their skills or trying to position themselves for hire as a website security person. An example of this occurred in 2018 when the NHS (National Health Service) website hosting data from patient surveys was defaced by unknown attackers. There appears, upon inspection, to be no political or hacktivist motivation for this defacement.

 2. Patriotism

Many website defacements are driven by a patriotic cause. Many incidents occur very shortly after interstate conflict. This can be caused by governments such as the hacking and destruction of Ukrainian government websites by alleged Russian state hackers, to supporters of Hamas and Palestinian causes immediately after the attack on Israel in October 2023. The attacks started within hours of the 7th October attack, and many of them were not against Israeli government sites but rather targeted businesses alongside several Israeli government sites, such as a housing association, a large public college, and a subdomain of the Israeli Defence Forces. Ongoing defacement of Indian and Pakistani business websites has taken place, carried out by both Indian and Pakistani hacktivists in response to the ongoing Kashmir conflict.
Internal conflicts

There was a defacement of 40 Indonesian websites in September 1998 that displayed “Free East Timor” and contained links to other websites that described human rights abuses by the governing power at the time, the Indonesian government. The defacement of a number of US government websites in 2020 by two Iranian hackers posted various images of the late Iranian military general Qasem Soleimani, along with messages against the US government and also offensive images of the then-current US President, Donald Trump. These messages were then posted on The Best Of Minneapolis and the US Library Program website.

 4. Activism or support of a cause

The hacktivist group Anonymous defaced 500 Chinese websites in reaction to censorship by the Chinese government. On the defaced pages, they wrote: “Chinese People, your government controls the internet in your country and strives to filter what it considers a threat for it. Be careful. Use a VPN for your own security. Or Tor.”

Alongside pro-Hamas and pro-Israeli hacktivists attacking Israeli and Hamas websites, hackers from other nations have joined in attacks. Russian and Iranian hacktivists also targeted Israeli government sites, while Indian hacktivists attacked Hamas websites in support of Israel. Former President Trump’s personal website was defaced by hackers who disagreed with his politics.

One of the earliest defacements was against the US Department of Justice and the newly passed Communications Decency Act (CDA), where hacktivists posted text saying “Department of Injustice” and showed pornographic images. In my research, I couldn’t find a reference to climate change protesters using defacement as a weapon against what they believe are polluting companies.

 5. To shame or embarrass the website owner

This could be to shame the site’s owner if they don’t have effective security in place. It could also be an act of revenge if, for example, an organization’s former website administrator is sacked and they carry out a revenge attack, or if an admin of a website has not been paid. In 2020, the Spanish Presidency website, eu2010.es, was hacked and defaced by hackers (see Figure 2). Although the entire site remained functional, the image of Spanish Prime Minister José Luis Rodriguez Zapatero was replaced with that of comedian Rowan Atkinson, known for his role as Mr. Bean. The motive behind such website defacement was simply to mock and embarrass Mr. Zapatero.

What is the impact?

The impact of website defacement is rarely long-lasting, except where the website delivers e-commerce or e-government. If these websites are destroyed and replaced by a defaced site, then the impact can be long-lasting to rebuild the site and restore its functionality. Data could be lost in this type of attack. The main impacts of website defacement include:

1. Shame and embarrassment to the website owner.
2. Loss of confidence and trust in the organization, their brand, and their ability to secure their IT assets.
3. Putting in the mind of their stakeholders that this could be part of a wider cyber attack leading to a lack of confidence in the organization.
4. If the site is an e-commerce site, the cost of downtime and restoring the system.
5. Loss of SEO ranking; defacement can negatively impact your website’s SEO ranking as Google may flag it as a security risk and lower its ranking in search results.
6. Scare and unnerve opponents in the support of a cause.
7. If illegal content such as child pornography or hate speech is included as part of the defacement, then the organization will have to deal with the legal aspects.
8. Loss of the website’s ability to be used as a communications tool.

What I have learned from my research

Defacement is a threat to all organizations. We should think through how our organizations would deal with it as an incident, especially if the hackers gain control of our website and make it difficult to regain control.

1. Just because you are not a high-profile organization, it does not mean you are not vulnerable. Many of the Israeli website defacements targeted organizations not associated with the conflict but happened to have .il (Israel) URLs
2. Think through how you would communicate with stakeholders if your main website was unavailable.
3. Once you have regained control, can you quickly rebuild or replace the pre-hacked website, or do you have a contingency website that you can use in the meantime?
4. Do you have third-party or in-house expertise to investigate how the breach occurred and to ensure that the hackers cannot regain access to the website?
5. How good is your website security? Those who deface “for fun” look for easy-to-hack websites with known vulnerabilities
6. Do you have software on your website that can detect changes in content and alert you?
7. When an international conflict starts, there is usually an upsurge in defacer activity, so you should be extra vigilant if there is a possibility that your website could be defaced as part of a wider campaign.
8. Website defacement is a reputational issue and makes for a good exercise scenario!

Defacement is just another in the long line of threats and risks you should be thinking about and perhaps writing playbooks on how you would respond.

++++++++++++++++++++++++++++++++++++++++++++++++

 

This article was originally published by BC Training Ltd.

Charlie Maclean-Bristol is the author of the groundbreaking book, Business Continuity Exercises: Quick Exercises to Validate Your Plan

“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly, how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom

Click here for your FREE business continuity exercises!