Screenshot of 404 error pages for oil.army.mil, defaced with pro-Kurdistan comments and insults to President Donald Trump and White House advisor Tom Barrack. (Source: U.S. Army website)
Even a modest error page can transform into a digital billboard for political messaging. Recently, malicious actors compromised several military websites. Hackers executed an attack that successfully defaced US Army subdomains. Attackers replaced standard 404 error pages with pro-Kurdish slogans. Additionally, they posted insults directed at US President Donald Trump. Furthermore, they targeted Tom Barrack, the US Ambassador to Turkey.
Impacted Military Platforms
According to news reports, users noticed these illicit messages on Monday morning. Visitors saw them on two specific army sites: oil.army.mil and ai2c.army.mil. The first domain belongs to the US Army Open Innovation Lab. Officials established this lab in 2020 to evaluate software and cyber solutions. Meanwhile, the second domain connects to the Artificial Intelligence Integration Center. Since 2019, this center has helped the military implement AI technologies. It also trains personnel to utilize these cutting-edge tools.
Discovery of the Breach
Ronald Lovelace, an independent cybersecurity specialist, initially discovered the intrusion. Consequently, he reported his alarming findings to US Army representatives. He noted that the affected websites relied on WordPress and Microsoft cloud infrastructure. Currently, experts remain uncertain about the exact duration of the defacement. Furthermore, they do not know if the hackers compromised other digital resources.
Understanding 404 Hijacking
Security professionals refer to this specific attack vector as 404 page hijacking. Intruders do not necessarily alter the primary sections of a website. Instead, they manipulate the “not found” page. Consequently, a visitor encounters foreign text, malicious redirects, or unauthorized content. Sometimes, administrators find this digital footprint quite difficult to detect. This difficulty arises because the main website continues to function normally.
Assessing the Threat Level
Lovelace believes this incident carries significant weight. Identical tampering signs appeared across multiple subdomains simultaneously. Therefore, he estimates the underlying vulnerability might run deeper than a single corrupted page. Nevertheless, available data suggests the attack did not affect all military websites. Indeed, many army resources continued to display their standard 404 error pages without issue.
Swift Response and Mitigation
After receiving alerts from cybersecurity experts, military personnel swiftly disabled the affected pages. Major Sean Minton, a department spokesperson, provided further clarification. He stated that the compromised sites resided on an outdated, third-party platform. Fortunately, this platform lacked any connection to the main corporate army network. According to Minton, technical teams took immediate action. They shut down the impacted pages and continue to investigate the incident thoroughly.
The Motive Behind the Attack
At this time, the identity of the perpetrators remains unknown. However, the defaced pages explicitly mentioned Kurdistan. This region spans across territories in Turkey, Iraq, Iran, and Syria. More than 30 million Kurds reside within these borders. In the past, pro-Kurdish hacktivists have repeatedly defaced government websites. They utilize these cyberattacks to draw global attention to their political demands.
A History of Cyber Incidents
This event does not represent the first cyber incident for the US Army. Back in 2015, the department faced a similar crisis. Officials had to temporarily disable major websites, including the primary army portal. The Syrian Electronic Army orchestrated that particular attack. During that breach, attackers similarly altered government web pages. Ultimately, they transformed a technical vulnerability into a highly publicized political stunt.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.