Cyber Incident Victim: Thomson Reuters
Date:
Jun 2014
Location:
Syria
Summary
The Syrian Electronic Army compromised Reuters by targeting the ad network Taboola, causing visitors attempting to read a specific article to be redirected to a message from the attackers. This breach leveraged Taboola's extensive partnerships with major global news sites, exposing a systemic vulnerability stemming from reliance on third-party services. The incident highlighted how security weaknesses in external providers could enable attackers to impact multiple high-profile platforms through a single point of failure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 22, 2014, the Syrian Electronic Army (SEA) executed a cyberattack against Reuters, redirecting users attempting to access the article titled "Attack from Syria kills Israeli teen on Golan, Israel says" to a page displaying the hacker group's message. The disruption occurred intermittently throughout the day, though Reuters restored the affected article by Sunday evening. Security researcher Brian Jacobs identified the compromise vector as Taboola, a New York-based advertising network partnered with Reuters. Jacobs noted that SEA likely exploited Taboola’s infrastructure to manipulate content delivery on Reuters’ site, though the exact method of initial access remained unconfirmed. Historical patterns of SEA operations, including prior phishing campaigns against entities like The Onion, led Jacobs to hypothesize that a similar credential-harvesting tactic may have been employed against Taboola. The attack underscored the interconnected risks inherent in third-party advertising ecosystems, as Taboola’s extensive client base—encompassing 350 million unique users and partnerships with major outlets like Yahoo!, BBC, Fox News, and The New York Times—amplified the potential impact of the breach.
The incident highlighted systemic vulnerabilities arising from reliance on external analytics and advertising providers, with Reuters employing over 30 such services at the time. Jacobs emphasized that the security posture of news organizations leveraging these networks was contingent on the weakest third-party provider, rendering them susceptible to supply chain compromises. While Reuters implemented corrective measures to restore article access, the broader consequences included operational disruptions and reputational exposure tied to the prolonged redirect. Jacobs publicly advised users to deploy browser extensions like Disconnect to block advertising and analytics domains, though this guidance fell outside Reuters’ direct response. No additional containment actions by Reuters or Taboola were detailed in the available reporting. The compromise demonstrated SEA’s continued focus on media targets and its ability to exploit digital advertising infrastructures to achieve widespread visibility for its messages.