Hackers Deface WikiLeaks Homepage (But That’s About It)

Screenshot: OurMine

If you tried visiting WikiLeaks late Wednesday evening, you might’ve gotten the impression that the website was hacked. For now at least, that doesn’t appear to be the case.

For some users, wikileaks.org appeared to be defaced. The phrase “OURMINE” was just suddenly there, splashed across a blackground in red and white letters. Above it read, “Hacked by OurMine,” while below the self-described hackers left a message mocking both Julian Assange and Anonymous.

But it doesn’t appear that WikiLeaks itself was actually hacked at all — neither the website nor Assange’s servers containing an endless trove of classified US government documents seem to be compromised. In fact, even while the homepage appeared to be defaced, the site itself remained accessible to those who have weirdly memorized the IP address or otherwise simply knew where to look it up. In a tweet this morning, Wikileaks denied that their servers had been compromised.

The illusion was accomplished through what’s called DNS hijacking, an attack on the domain name server used to translates a user friendly URL like “wikileaks.org” into its corresponding IP address. If you’re new here, this is how you access the content hosted on the website’s owner server — e.g., Assange’s nifty collection of CIA exploits and DNC emails.

In this case, the DNS was reprogrammed so that whenever someone typed “wikileaks.org” into their browser, it directed them not to Assange’s server, but one controlled by OurMine, whoever the hell they are.

Numerous high-profile “hacks” (if we’re using that word for their hijackings) have been attributed to the group over the past year. They got Mark Zuckerberg‘s Twitter and Pinterest accounts last year; TechCrunch and BuzzFeed shortly after; and HBO earlier this month. (Then again, who at this point hasn’t hacked HBO?)

Some internet sleuths, relying solely on context clues, concluded OurMine may be tied to a collective of Indonesian hackers. The “favicon,” or tab icon, on the fake WikiLeaks page also appears on a separate website shown below, for instance, and that website was purportedly hacked by someone calling themselves “Civilian.”

Screencap: dsysna.comze.com/

Screencap: dsysna.comze.com/

The page also uses similar language as OurMine, such as “Your security is low.” It also just plainly states: “Indonesian Hackers.”

However, the best and the worst thing about the internet is that people can claim to be anyone from anywhere at anytime, and this goes doubly so for hackers. If one thing is certain, it’s that attribution in the event of a cyber crime is nebulous at best, and at worst a complete distraction.

The only other mystery is how OurMine managed to hijack WikiLeaks’ DNS in the first place. It could’ve been a malicious intrusion, but it’s also entirely possible they just know a guy with administrative access. (Statistically, the answer is nearly always that someone got phished.)

Since this is WikiLeaks, you’re likely to hear someone claim that it was “probably the government.” But given the nominal impact and low level of sophistication involved, you should just tell Alex Jones to stop chasing you down the street with his shirt off.

For now, the only risk to visiting WikiLeaks seems to be ending up on an NSA watchlist or convincing yourself that words like “pizza” are the key to a vast left-wing government conspiracy after several hours spent poring over tedious Clinton campaign emails.

If you’re wondering about OurMine’s beef with Anonymous — and there’s absolutely no reason you should care — here’s a cached version of a now-deleted tweet in which they claimed to have doxed them. I guess that didn’t work out.

Gizmodo reached out to OurMine via an email address they publicized and we’ll update if we get a response.