How The Jester fooled Russians—and Fox News—with one simple trick. [Updated]

A Tweet with cross-site scripting link convinced some he’d hacked Russian Foreign Ministry.

Sean Gallagher – Oct 25, 2016 6:45 pm | 79

JIn case you were busy this weekend and missed it, there was a bit of craziness involving the Russian Foreign Ministry’s website, Twitter, various news outlets, and the “patriotic hacker” known as The Jester. Nothing was harmed except the credibility of several news organizations, some eardrums, and the tender feelings of some Russian officials.

If you are at all familiar with The Jester, you will know that this isn’t the first time he’s used Internet sleight-of-hand for propaganda and other purposes. In the past, he used web address shortener services and cross-site scripting to create the illusion that he had altered articles on the websites of the Malta Independent Online and the Tripoli Post. He’s also used various other tricks to mess with the minds of would-be Anonymous members. And yes, he’s launched distributed denial of service (DDoS) attacks against jihadist sites and the Westboro Baptist Church.

Last week, in the wake of the mega-DDoS attack on Dyn, after indicating he believed Russia was somehow behind the attacks, The Jester posted this message on Twitter:

#FLASH MSG ‘From Russia with Love’ – I’m Jester & I approve this message via the Russian Foreign Affairs Website >> https://t.co/K0pwcChX8N

— JΞSTΞR ✪ ΔCTUAL³³º¹ (@th3j35t3r) October 22, 2016

It was the old URL shortener trick again, taking advantage of a cross-site scripting (XSS) vulnerability in the website of the Russian Foreign Ministry. The result? This document was displayed within the Foreign Ministry site—creating the impression that The Jester had actually hacked the site:

The page was also accompanied, apparently, by audio of a civil defense siren. The page no longer loads, as the Russian Foreign Ministry has blocked the vulnerability, which was in its search engine for the site’s archives. An intermediate website feeds the script to archive.mid.ru—sort of like a web-based toilet-papering of the Ministry’s site.

Things took an interesting twist when the news media picked up the story. CNN, Fox News, and US News and World Report all reported that The Jester had hacked the Foreign Ministry’s website.

KNOCK IT OFF! American hacker ‘The Jester’ takes over Russia’s foreign affairs ministry website pic.twitter.com/rY5CIGJZ0k

— FOX & Friends (@foxandfriends) October 24, 2016

Russian media also ran with that narrative. At first RT.com reported that the Ministry’s site had been breached, before updating the story to report that the site was never breached. All of this, of course, was recorded by The Jester with no small amount of glee on his blog.

On Sunday, Russian Foreign Ministry spokesperson Maria Zakharova said in a Facebook post that the affected site was “a former site which has not been used for a long time.” According to the TASS News service, Zakharova said that security specialists were looking into the not-a-breach. Zakharova said:

If they find out it was a cyberattack from America, it means that either a cyber-machine of destruction Biden and McFaul have spoken about is already at work or that the evil provocative election campaign in the United States has drove people is a state when they are ready to wreak havoc.

Update, October 26, 7am ET/12pm UK: In a blog update, The Jester claimed that the whole exercise had been bait to draw a network attack from the Russians so he could gather data on their hacking tools, techniques and procedures. He reiterated his belief that the Russian government was involved in the DDoS attack on Dyn.