Cyber Incident Victim: eir.dell.nl
Date:
May 2016
Location:
United States of America
Summary
A Kurdish hacker operating under the alias MuhmadEmad defaced multiple subdomains associated with the company's Entrepreneur-in-Residence program, including eir.dell.nl, by replacing content with anti-Turkey and anti-ISIS messages. The attacker, claiming affiliation with KurdLinux_Team, promoted Kurdish independence and criticized Turkish and ISIS actions against Kurdish populations, leaving contact information and a political manifesto on compromised sites. The defacements rendered the affected domains inaccessible, and the hacker later documented the breaches in a video uploaded to a public platform. The incident leveraged vulnerabilities in the Drupal CMS hosting the sites, with motivations rooted in geopolitical conflicts involving Kurdish communities in Syria, Iraq, and Turkey.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 26, 2016, a hacker identifying as MuhmadEmad defaced five subdomains associated with Dell's Entrepreneur-in-Residence program, including eir.dell.nl, eir.dell.com, eir.dell.fr, eir.dell.ie, and eir.dell.co.uk. The attacker replaced the websites' content with a political message expressing support for Kurdish independence movements, specifically referencing Peshmerga forces, Kurdistan, and the KurdLinux_Team hacking group. The defaced pages included the statement: "HaCkeD By MuhmadEmad // Long Live to // {Peshmerga && kurd && Kurdistan} // KurdLinux_Team // c0ntact // [REDACTED]@gmail.com // Death to { ISIS + TURKEY }." Evidence of the compromises was preserved through Zone-H defacement mirroring services, with timestamps confirming the May 26 intrusion date. All affected subdomains remained offline at the time of Softpedia's reporting on the incident. The hacker subsequently documented the defacements in a YouTube video uploaded on June 11, 2016, demonstrating access to the compromised domains. Dell's websites were running on the Drupal content management system at the time of the attack, though the specific vulnerability exploited was not disclosed in available reports.
The incident disrupted Dell's Entrepreneur-in-Residence program web presence across multiple country-specific domains for at least sixteen days between the defacement date and the June 11 video publication. MuhmadEmad's actions were motivated by opposition to ISIS operations against Kurdish populations in Syria and Iraq, as well as grievances against the Turkish government's treatment of Kurdish communities. No data theft or additional system compromises beyond the website defacements were documented in available sources. The attacker's affiliation with KurdLinux_Team suggested coordination with a broader hacking collective, though no other members were identified. Dell did not publicly disclose remediation timelines or technical countermeasures implemented following the incident, though the prolonged downtime indicated extended recovery efforts. The defacements exclusively affected marketing-oriented subdomains dedicated to the Entrepreneur-in-Residence initiative, with no evidence of intrusion into Dell's core corporate infrastructure or customer systems.