Cyber Incident Victim: Linux Foundation
Date: Dec 2018
Location: United States of America
Summary
The Linux.org website was compromised through a DNS hijack that redirected visitors to a defaced page containing racial slurs, offensive imagery, and protests against the Linux kernel's new developer code of conduct. The attackers took over the domain owner's Network Solutions registrar account, reportedly using registrant details exposed in public WHOIS records and helped by the absence of multi-factor authentication on that account. They claimed the defacement from a Twitter account and posted a screenshot of the domain-management portal to prove control of the DNS configuration, but they did not breach the site's servers or expose user data. Following the incident, administrators restored the DNS records and enabled multi-factor authentication across all relevant accounts.
Description
On December 7, 2018, the Linux.org website was defaced through a DNS hijack. The attackers gained unauthorized access to the Network Solutions account of Michelle McLagan, the domain owner, and altered the domain's DNS records to redirect visitors to a defacement page. They modified this page several times, displaying offensive content including racial slurs and an explicit image of an individual. The defaced page also carried links and a reference to a Twitter account (@kitlol5) allegedly controlled by the attacker; a screenshot posted from that account showed McLagan's domain-management portal, confirming control over the DNS configuration. A Linux.org administrator disclosed on Reddit that the compromise originated through McLagan's partner's email account. Because the change was made at the registrar, the attack did not involve penetration of Linux.org's hosting servers, and no user data was compromised.

Post-incident analysis indicated that the attackers likely combined registrant details from public WHOIS records with the absence of multi-factor authentication (MFA) on the domain-management account. A Linux.org administrator characterized the breach as an exploitation of the "weakest link" in the site's security posture. Once the account was recovered, administrators restored the legitimate DNS records and enabled MFA across all relevant accounts; because resolvers cache answers until the record TTL expires, some visitors continued to reach the defaced page for a period after the fix. The defacement caused temporary disruption to the website's availability and reputational damage due to the offensive content displayed. No evidence suggested broader system compromise beyond the DNS hijack.
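A registrar-level hijack like this one never touches the hosting servers, so host-based monitoring does not see it; what catches it is watching the domain's own NS and A records from outside and comparing them against a known-good baseline. The following script is an added example of that check, written for this page and not Linux.org's or Network Solutions' tooling. It assumes the operator keeps a baseline snapshot of the zone and a list of hosting provider CIDR ranges (`TRUSTED_NETS`), and the nameserver names and addresses in the sample snapshots are constructed from documentation ranges, not the real 2018 records.

```python
"""DNS record drift check for detecting registrar-level hijacks.

Example code added to this page (not Linux.org's own tooling). Compares a
known-good snapshot of a zone's apex records with a freshly observed one and
rates every change. Inputs can be produced with, for example:
    dig +short NS linux.org   > ns.txt
    dig +short A  linux.org   > a.txt
    dig +short MX linux.org   > mx.txt
and fed through parse_dig_short().
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSnapshot:
    domain: str
    ns: frozenset   # nameserver hostnames
    a: frozenset    # IPv4 addresses for the apex
    mx: frozenset   # mail exchanger hostnames


@dataclass(frozen=True)
class Finding:
    severity: str
    record: str
    detail: str


def parse_dig_short(text):
    """Turn `dig +short` output into a frozenset of targets.

    Drops the trailing dot dig prints on names and the priority field on MX
    lines ("10 mail.example." -> "mail.example").
    """
    values = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            values.add(line.split()[-1].rstrip("."))
    return frozenset(values)


def compare_snapshots(baseline, observed, trusted_networks=()):
    """Return a Finding for every record set that drifted from baseline.

    NS changes are always critical: delegating the zone elsewhere hands the
    attacker every record. An added A record outside trusted_networks is
    critical too, since visitors are being sent to infrastructure the
    operator does not control, which is what a defacement redirect looks
    like. Other drift is rated high for a human to review.
    """
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for rtype in ("ns", "a", "mx"):
        before, after = getattr(baseline, rtype), getattr(observed, rtype)
        added, removed = after - before, before - after
        if not added and not removed:
            continue
        severity = "critical" if rtype == "ns" else "high"
        if rtype == "a":
            outside = [ip for ip in added
                       if not any(ipaddress.ip_address(ip) in n for n in nets)]
            if outside:
                severity = "critical"
        findings.append(Finding(
            severity, rtype.upper(),
            f"added={sorted(added)} removed={sorted(removed)}"))
    return findings


# Constructed sample data (documentation ranges, not the real 2018 records).
TRUSTED_NETS = ["203.0.113.0/24"]
BASELINE = ZoneSnapshot(
    "linux.org",
    ns=frozenset({"ns1.hosting.example", "ns2.hosting.example"}),
    a=frozenset({"203.0.113.10"}),
    mx=frozenset({"mail.linux.org"}),
)
# What a registrar-account takeover looks like from outside: the delegation
# and apex address now point at hosts the operator has never seen.
HIJACKED = ZoneSnapshot(
    "linux.org",
    ns=frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
    a=frozenset({"198.51.100.77"}),
    mx=frozenset({"mail.linux.org"}),
)

if __name__ == "__main__":
    for f in compare_snapshots(BASELINE, HIJACKED, TRUSTED_NETS):
        print(f"[{f.severity}] {f.record}: {f.detail}")
```

Run it from a cron job on a host outside the hosting provider and query the public root-side delegation (the parent zone's NS answer) as well as the authoritative servers, since a registrar change shows up at the parent first; treat any NS finding as an account compromise and go to the registrar's lock and MFA settings before touching the records.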
