The QNA website was soon restored with a message saying that the site had suffered from unauthorised access by 'state-backed elements' who had published a fake story.
First Published 26th May 2017
Doha changes its story, literally.
4 min read | Reflare Research Team
Between May 23rd and 24th 2017, several sensitive pieces of news were published on the official website of the Qatar News Agency (QNA). The pieces were then syndicated by newspapers and websites around the globe but particularly by those in the region, leading to considerable outrage both within Qatar and in its neighbouring countries. Shortly after, the published pieces were removed and blamed on hackers.
While the contents of the bulletins themselves concern geopolitical issues beyond the scope of these briefings, the implication of hackers makes the incident a great case study of the anonymous nature of the internet and how it can be used/abused.
Who was behind the news?
At this point in time, no clear proof exists that hackers planted the news. Likewise, no proof exists that hackers were falsely blamed.
This follows a pattern we have talked about repeatedly before: The parties behind a cyber attack are extremely hard to identify and even proof of an attack can be tricky.
Broadly speaking, the incident allows three interpretations.
The backtrack
In this scenario, the bulletins were authentic but had an unexpectedly large impact. As pressure mounted, the QNA either by their own volition or through governmental pressure sought a way to nullify their impact. The anonymous nature of the internet and the recent frequency of hacking attacks against governmental targets made the explanation of hackers having planted the news a very convincing one thus allowing everyone to save face.
The plant
In opposition to the first interpretation stands the official explanation given by QNA. Attackers with the goal of discrediting and harming the Qatari government fabricated false reports - the so often quoted “Fake News” - and planted them on the QNA’s website, thus giving their creation immense credibility. While the reports were later retracted and denied, syndication meant that the harm had already been done.
The whistleblower
The final scenario exists between the former two: The information is accurate but was never meant to be released. In this interpretation, someone with access to explosive information either planted it on the QNA’s website by hacking (in the case of an external party) or through internal channels (in the case of an insider attack). The placement on official channels lent credibility to the leak.
Summary
A definitive answer to who published the information, why it was published and whether it was accurate is very unlikely to be established. What matters from an information security perspective however is that similar patterns will continue to emerge for the foreseeable future.
As damaging information becomes a more and more valued commodity acquired in cyber-attacks, hackers will increasingly use leaks to harm targets. At the same time, fake information can be expected to be mixed in with legitimate leaks. The resulting ambiguous nature of all leaks means that categorical denial of both accurate and fake leaks is likely to be the standard response by affected organizations.