Qatar, Hacking and the Never Ending Trouble with Proof
Between May 23rd and 24th 2017, several sensitive pieces of news were published on the official website of the Qatar News Agency (QNA). The pieces were thereupon syndicated by newspapers and websites around the globe but particularly by those in the region, leading to considerable outrage both within Qatar and in its neighboring countries. Shortly after, the published pieces were removed and blamed on hackers.
While the contents of the bulletins themselves concern geopolitical issues beyond the scope of these briefings, the implication of hackers makes the incident a great case study of the anonymous nature of the internet and how it can be used/abused.
Who was behind the news?
At this point in time, no clear proof exists that hackers planted the news. Likewise, no proof exists that hackers were falsely blamed.
This follows a pattern we have talked about repeatedly before: The parties behind a cyber attack are extremely hard to identify and even proof of an attack can be tricky.
Broadly speaking, the incident allows three interpretations.
In this scenario, the bulletins were authentic but had an unexpectedly large impact. As pressure mounted, the QNA either by their own volition or through governmental pressure sought for a way to nullify their impact. The anonymous nature of the internet and recent frequency of hacking attacks against governmental targets made the explanation of hackers having planted the news a very convincing one thus allowing everyone to save face.
In opposition to the first interpretation stands the official explanation given by QNA. Attackers with the goal of discrediting and harming the Qatari government fabricated false reports - the so often quoted “Fake News” - and planted it on the QNA’s website thus giving their creation immense credibility. While the reports were later retracted and denied, syndication meant that the harm had already been done.
The final scenario exists between the former two: The information is accurate but was never meant to be released. In this interpretation someone with access to explosive information either planted it on the QNA’s website by hacking (in case of an external party) or through internal channels (in case of an insider attack). The placement on official channels lent credibility to the leak.
A definitive answer to who published the information, why it was published and wether it was accurate is very unlikely to be established. What matters from an information security perspective however is that similar patterns will continue to emerge for the foreseeable future.
As damaging information becomes a more and more valued commodity acquired in cyber attacks, hackers will increasingly use leaks to harm targets. At the same time, fake information can be expected to be mixed in with legitimate leaks. The resulting ambiguous nature of all leaks means that categorical denial of both accurate and fake leaks is likely to be the standard response by affected organizations.