A Turkish hacktivist defaced a subdomain of the president-elect’s campaign website.
A subdomain used by President-elect Joe Biden’s official campaign website was defaced last week by a self-proclaimed Turkish hacktivist and still remains out of commission.
The subdomain, vote.joebiden.com, was part of the official campaign website JoeBiden.com used by the Biden campaign leading up to the 2020 U.S. presidential election. On Nov. 18, the subdomain reportedly began to display a message in Turkish. In the message, the hacker claims to be “RootAyy1ld1z,” a “Turkish And Muslim Defacer” who is not a group or organization, but who “fights alone.”
Threatpost was able to access the Internet Archives version of the domain to verify the hack. The subdomain was used by the Biden campaign help voters find polling centers, find a campaign event and offer state-specific voter guides. Post-election, the subdomain forwarded traffic to the self-serve voter registration information website “I WILL VOTE“. This separate website, maintained by the Democratic National Committee, offers state-specific vote-by-mail and voter registration verification services.“Like many organizations who quickly throw together a website or subdomain, likely missing some important cybersecurity best practices, this time a subdomain ‘vote.joebiden.com’ of presidential elect Joe Biden has become the latest victim of website defacing,” Joseph Carson, chief security scientist and advisory CISO at Thycotic, told Threatpost. “This of course is more of an embarrassment than a national security issue, however, it does raise important questions on ensuring that cybersecurity is a top priority for the incoming administration.”
The message, in Turkish, threatened Turkey’s opponents as well as U.S.-backed political parties in Turkey. It also featured a photo of Sultran Abdul Hamid II, who was the 34th sultan of the Ottoman empire from 1876 to 1909.
“We are the ones who stopped the tanks with their bare hands on the night of July 15. We are those who killed death that night,” a translated (via Google Translate) English version of the message concluded, likely referring to the 2016 Turkish coup d’etat attempt.
As of Nov. 23, the domain remains inaccessible. Of note, Biden’s main campaign website, joebiden.com, does not appear to be affected by the hack.
The website hack also comes amid a Wall Street Journal report that the federal government is offering minimal assistance to Biden’s transition team when it comes to securing email and other communications.
Threatpost has reached out to the President-elect Joe Biden campaign for further comment.
“As additional data and searches indicate that the CMS was hacked to deface the subdomain’s web content, a lot more would have been possible than just a ‘political statement’ from a hacktivist,” Dirk Schrader, Global Vice President at New Net Technologies (NNT), told Threatpost. “A different content playing to the bias of parts of the population might have caused bigger issues. As it took the cyber security team more than 24 hours to realize the defacement and to take action, this incident demonstrates again how important it is to keep an eye on your full exposure and have constant monitoring and change control in place.”
Government website defacements have popped up, particularly with the U.S. president elections being this year in November.
Hackers took over President Trump’s 2020 election campaign website in October, replacing parts of the site with a cryptocurrency scam before returning it to its original content several minutes later. And in January, a U.S. government website was vandalized by hackers who posted images of a bloodied President Donald Trump being punched in the face and pro-Iran messages. In September the Department of Justice (DoJ) indicted two hackers – including one teenager – for allegedly vandalizing more than 50 websites hosted in the U.S. with pro-Iran messages.
“Incidents, such as this, are a reminder how important it is to have top cybersecurity experts in the new administration to ensure mistakes like these do not happen,” Carson told Threatpost.