Technique T0141.002: Acquire Compromised Website

Summary: Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites’ personas are maintained to add credence to threat actors’ narratives.

See also Mitre ATT&CK’s T1584 Compromise Infrastructure for more technical information on how threat actors may achieve this objective.
Belongs to tactic stage: TA15

Incident	Descriptions given for this incident
I00066 The online war between Qatar and Saudi Arabia	"In the early hours of 24 May 2017, a news story appeared on the website of Qatar's official news agency, QNA, reporting that the country's emir, Sheikh Tamim bin Hamad al-Thani, had made an astonishing speech." "[…] "Qatar claimed that the QNA had been hacked. And they said the hack was designed to deliberately spread fake news about the country's leader and its foreign policies. The Qataris specifically blamed UAE, an allegation later repeated by a Washington Post report which cited US intelligence sources. The UAE categorically denied those reports. "But the story of the emir's speech unleashed a media free-for-all. Within minutes, Saudi and UAE-owned TV networks - Al Arabiya and Sky News Arabia - picked up on the comments attributed to al-Thani. Both networks accused Qatar of funding extremist groups and of destabilising the region." This incident demonstrates how threat actors used T0141.002: Acquire Compromised Website to allow for an inauthentic narrative to be given a level of credibility which caused significant political fallout.

Incident

Descriptions given for this incident

I00066 The online war between Qatar and Saudi Arabia

"In the early hours of 24 May 2017, a news story appeared on the website of Qatar's official news agency, QNA, reporting that the country's emir, Sheikh Tamim bin Hamad al-Thani, had made an astonishing speech."

"[…]

"Qatar claimed that the QNA had been hacked. And they said the hack was designed to deliberately spread fake news about the country's leader and its foreign policies. The Qataris specifically blamed UAE, an allegation later repeated by a Washington Post report which cited US intelligence sources. The UAE categorically denied those reports.

"But the story of the emir's speech unleashed a media free-for-all. Within minutes, Saudi and UAE-owned TV networks - Al Arabiya and Sky News Arabia - picked up on the comments attributed to al-Thani. Both networks accused Qatar of funding extremist groups and of destabilising the region."

This incident demonstrates how threat actors used T0141.002: Acquire Compromised Website to allow for an inauthentic narrative to be given a level of credibility which caused significant political fallout.

Counters	Response types

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW

1.9 KiB Raw Blame History Unescape Escape

Technique T0141.002: Acquire Compromised Website

1.9 KiB

Raw Blame History