Menu
Browse

Cyber Incident Victim: United States Army

Date:

Jul 2026

Location:

United States of America

Summary

U.S. Army subdomains oil.army.mil and ai2c.army.mil were defaced in a 404 hijacking campaign that displayed pro‑Kurdish messages, insults to former President Donald Trump and former ambassador Tom Barrack, and a signature reading “Kurdish sr was here.” The defacements were discovered by researcher Ronald Lovelace, who noted the sites run on WordPress and Microsoft cloud infrastructure hosted on a legacy third‑party platform isolated from the organization’s enterprise network. After being notified, the organization took the pages offline, secured them, and launched an ongoing investigation; officials said the breach did not affect core websites and that the extent of the intrusion remains unknown.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

On July 6 2026, independent cybersecurity researcher Ronald Lovelace discovered that the 404 error pages for two U.S. Army subdomains—oil.army.mil and ai2c.army.mil—had been altered to display defacement messages. The messages denounced President Donald Trump and U.S. Ambassador to Türkiye Tom Barrack, urged “FREE KURDISTAN,” and included the signature “Kurdish sr was here.” Lovelace notified Army officials and the cybersecurity news outlet CyberScoop, prompting immediate attention to the incident. The compromised sites belong to the Army’s Open Innovation Lab and the Artificial Intelligence Integration Center, respectively, and were running on WordPress with Microsoft cloud infrastructure at the time of the breach. The defacement was achieved through a 404 hijacking technique that manipulates a website’s error‑handling system to control what appears when a page is not found, rather than altering the core site content directly.

Cyber Incident Image

Army officials confirmed that the affected pages were hosted on a legacy third‑party platform that is not connected to the Army’s enterprise network. After being contacted by CyberScoop, the Army took the sites offline, removed the legacy platform, and stated that technical teams had taken immediate action to mitigate the issue and secure the affected pages. An Army spokesperson, Maj. Sean Minton, said that incident response by Army cyber investigators remains ongoing and that it is too early to determine whether the third‑party platform will be patched or discontinued. The spokesperson emphasized that the Army takes all cyber incidents seriously and is actively investigating to enforce its cyber defense and network security standards. No evidence was presented indicating that the intrusion extended beyond the error‑page defacement or that other Army subdomains were compromised.

The article notes that the motive behind the defacement appears linked to pro‑Kurdish sentiment, referencing the Kurdish separatist movement’s long‑standing goal of establishing an independent nation and its history of using website defacement as a hacktivist tactic. It also mentions that President Trump and Ambassador Barrack had earlier drawn criticism from Kurdish proponents for perceived support of a Syrian government military campaign in Kurdish‑majority areas. The incident is not the first time Army websites have been targeted by foreign actors; in 2015, the Syrian Electronic Army defaced the Army’s main home page and the Department of Defense’s U.S. Strategic Command, leading to temporary shutdowns. As of the article’s publication, the exact identity of the perpetrators, the method of initial access, and the full scope of any potential deeper intrusion remained undetermined.

Sources
Sources available to members
1 source