IP address of one of the siege countries used in hacking
Published: 21 Jul 2017 - 01:30 am | Last Updated: 28 Dec 2021 - 11:39 am
From Left: Captain Othman Salem Al Hamoud, Assistant Director of Information Security Department; Colonel Ali Mohammed Al Mohannadi, Director of Technology Affairs Department and Head of the Investigation team and Brigadier Abdulla Khalifa Al Muftah, Direc
Sharing details of the hacking of the Qatar News Agency (QNA) website and associated social media accounts, the investigation team of the Ministry of Interior (MoI) yesterday revealed that the hacking ‘originated from the UAE’.
“We have also traced the IP addresses of people who, immediately after the hacking and the publishing of the fake news story, visited the QNA website, and they were from two sites in the UAE,” said the investigation team of the Ministry of Interior while uncovering the details of the cyber crime of the QNA hacking.
Lt Col Ali Mohammed Al Muhannadi, Director of Technology Affairs at NCC and head of investigation team, and Capt. Othman Salem Al Hammoud, Assistant Director of Information Security Department, told the media that some brotherly countries had also helped Qatar in uncovering the hacking incident.
“The hacker took control of the network of QNA in a bid to get the passwords of its social media accounts to make tweeting and posting news easy. Immediately after the hacking and the posting of fake news, the QNA website was accessed about 45 times from two sites in the UAE,” the investigation team said.
Responding to a question, they said that the hackers were equipped with high-level skills. A particular person was involved in the hacking of the QNA website and social media accounts with the help of another person (the second person) who was using his mobile, an iPhone which “we have traced and we have also traced the telecom network used for connection”.
To another question about the Washington Post story in which it was indicated that the “UAE was behind the hacking”, they said: “We represent the technical team. We are supposed to move our findings to the authorities concerned who can announce further details.”
“Tracing who visited the website from which IP address and Internet connection is easy. We would like to say clearly the visits to QNA were made from two sites in the UAE to check whether fake news was published or not.”
On the day of the hacking, the visits to the pages of QNA increased remarkably. “During 15 minutes from 11:45 to 12 midnight on May 23 the visits to QNA pages were recorded from two locations of the UAE. The perpetrator from a siege country was refreshing the website to see the fake news.”
The important thing is the fact that the beneficiary of the hacking was waiting for the posting by another person. “These perpetrators were available in the UAE. The strange thing is that after the hacking and fabrication of news a huge heinous media campaign was launched immediately. It seems that it was planned months before this hacking, as the person wrote fabricated statements and made such videos and was waiting to launch this campaign.”
They said there was a lot of evidence to start prosecution and there was much more evidence that could not be made public for certain reasons that could affect the prosecution. “We increased the cyber security alert level of the QNA network and even of other institutes of the country as a precaution.”
The investigation team said that the technical team had found that on April 19, the hacker infiltrated the QNA network using VPN software and scanned the website completely.
The team said that an IP address of one of the siege countries was used in the whole pre-hacking and hacking process. With the help of a film, the team revealed that on April 22, the hacker exploited a vulnerability in the QNA website, installed the malicious programmes and intruded. “The vulnerability was shared with another person via Skype, who accessed it at 5:47am. Later, the hacker deployed more sophisticated malicious programmes to get full control of the network.”
“The preliminary report confirming the hacking incident had already been shared with media.”
Capt. Othman Salem Al Hammoud said that three crimes were actually committed through this hacking exercise: the first was the hacking itself, the second the publishing of fake news attributing a statement to the Emir H H Sheikh Tamim bin Hamad Al Thani, and the third taking benefit from the whole exercise.
“Immediately after the hacking and the publishing of fake news on the QNA website, the people from the IP addresses of a siege country who had not visited the QNA website in the past visited it to see whether the material had been published or not or with the purpose to propagate the fake news.”
Hackers had exploited a vulnerability to collect passwords. Sharing the further chronology of the QNA hacking, they said that on April 28, the main system of QNA was targeted and addresses, passwords and e-mails of all the employees were collected. On April 29, the hacker accessed the vulnerability in the QNA website via an IP from one of the siege countries. On May 20, the hacker carried out a final check of the malicious programmes and confirmed their effectiveness in preparation for an attack.
On May 23, just minutes before the start of the attack, the QNA website witnessed a significant increase in the number of visitors. These visits were through IP addresses from one of the siege countries. At 11:45pm, the actual attack began and at 12:13am, false quotes attributed to the Emir were posted on the QNA website. Two minutes later, the first access of the article was recorded via IP addresses of one of the siege countries.
Within the next few minutes, and with browsing increasing in an unprecedented manner, the website was out of service. At 3am, the attack was contained and control of the website was restored; at 7pm, all QNA social media accounts were recovered. The technical team was also able to reach a European telephone number that was used for the hacking process.