Cyber Incident Victim: The Wall Street Journal
Date: Jul 2014
Location: Russia
Summary
A hacker known as w0rm exploited a SQL injection vulnerability in The Wall Street Journal's website, compromising servers hosting news graphics and potentially over 20 other databases. The attacker offered stolen user information and administrative credentials for sale, enabling unauthorized content modification and system access. Dow Jones isolated the affected servers, asserting no customer data was impacted, but cybersecurity investigators confirmed the vulnerability granted access to any database on the compromised infrastructure. The perpetrator, previously linked to attacks on BBC and Vice Media, publicly disclosed a database administrator's credentials and marketed the stolen data for one bitcoin via an exploit marketplace.
Description
On July 21, 2014, at approximately 5:30 PM Eastern Time, a hacker using the alias “w0rm” publicly disclosed a breach of servers belonging to Dow Jones & Co., publisher of The Wall Street Journal (WSJ). The attacker posted a screenshot on Twitter displaying the email address, username, and hashed password of a database administrator account associated with wsj.com. W0rm, identified by cybersecurity firm IntelCrawler’s CEO Andrew Komarov as a Russian hacker previously active under the aliases “Rev0lver” and “Hash,” offered to sell a full dump of authorized user data from a compromised database for one bitcoin via the exploit marketplace w0rm.in. The hacker claimed the stolen credentials would grant buyers the ability to modify articles, insert malicious content, manipulate user accounts, and alter website content. Dow Jones responded by taking two affected servers offline on July 22 to isolate them and prevent further system access. These servers hosted news graphics for the WSJ website. A company spokesperson stated investigators found no evidence of impact to customer data, though the breach’s disclosure occurred less than 24 hours after the initial compromise.

IntelCrawler confirmed the intrusion exploited a SQL injection vulnerability within the wsj.com infrastructure, enabling unauthorized access to any database on the compromised server. While the primary breached database stored map graphics for WSJ’s website, Komarov noted the presence of over 20 additional databases on the same servers, raising concerns about potential lateral movement or secondary compromises. W0rm’s historical activities included attempts to sell access to BBC servers in December 2013 and attacks on Vice Media’s web servers earlier in 2014, establishing a pattern of targeting high-profile media entities. Dow Jones maintained its systems were secured after server isolation, emphasizing no identified customer data exposure. The incident highlighted risks associated with third-party marketplace transactions involving stolen credentials, as w0rm’s offer included administrative privileges capable of undermining site integrity and disseminating disinformation. Forensic analysis focused on determining whether other databases were accessed during the intrusion window prior to containment.
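The bug class behind this incident, shown as an added example that is not code from the WSJ site or the incident record: a graphics lookup that splices untrusted input into its SQL text, beside the parameterized version, with a regression test a defender would keep. The schema, table names, and the probe string are all constructed for the demo; how the real wsj.com endpoint was written is not known from the record.

```python
"""Added example: string-built SQL query beside its parameterized fix.
Schema, table names and inputs are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: the graphics table the endpoint is meant
    # to serve, plus an unrelated credentials table on the same server,
    # mirroring the "other databases on the same host" concern above.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE map_graphics (slug TEXT, path TEXT);
        INSERT INTO map_graphics VALUES ('us-map-2014', '/img/us.svg');
        CREATE TABLE admin_users (username TEXT, pw_hash TEXT);
        INSERT INTO admin_users VALUES ('dba', 'constructed-hash-value');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    # Untrusted input becomes part of the query text, so it can change the
    # query's structure (tables read, conditions), not just its data.
    sql = f"SELECT path FROM map_graphics WHERE slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, slug: str) -> list:
    # Placeholder binding: the driver passes the input as a value, so it
    # is never parsed as SQL keywords, quotes, or table names.
    sql = "SELECT path FROM map_graphics WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Constructed probe of the kind a regression test keeps on file: it tries to
# append a second SELECT against a table the endpoint must never expose.
PROBE = "x' UNION SELECT username || ':' || pw_hash FROM admin_users --"


def endpoint_is_injectable(lookup) -> bool:
    # Defender's check: a safe lookup returns nothing for the probe.
    return lookup(make_db(), PROBE) != []


if __name__ == "__main__":
    print("vulnerable injectable:", endpoint_is_injectable(lookup_vulnerable))
    print("parameterized injectable:", endpoint_is_injectable(lookup_parameterized))
```

Running the check against the vulnerable function returns the constructed `admin_users` row through the graphics endpoint; the parameterized function returns an empty result for the same input. Parameterization removes the injection; a separate least-privilege database account for the graphics service limits what any remaining bug could reach.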
