Former Fox News hosts Greta van Susteren and Eric Bolling were evidently hacked on Tuesday by Turks supportive of President Recep Tayyip Erdogan.
The hackers took control of their Twitter accounts and used them to send direct messages to President Donald Trump.
The DMs were possible because van Susteren and Bolling are among the rather small number of people Trump follows on Twitter. The president has over 46 million followers but follows only 45 other users.
The hackers also posted photos of private direct messages from the compromised Twitter accounts, some of them pertaining to Turkey. Van Susteren and Bolling have about 2 million followers between them, so these tweets were seen by a sizable audience.
A claim of responsibility for the actions was made in a pinned message at the top of both compromised Twitter pages. Originally written in Turkish, the message translates to: “You are hacked by the Turkish cyber army Ayyildiz Tim! We got your DM correspondence! We will show you the power of the Turk!”
Another message in Turkish sent from both accounts reads: “We love the Turks and Muslims in the world. We condemn those who persecute them, especially in the United States, and we share their suffering. We love Turkish soldiers, we love Erdoğan, we love Turkey.”
One of the direct messages the hackers sent to Trump through van Susteren’s account included a pro-Turkish propaganda video and asked the president to share it. Another message from both accounts repeated a catchphrase frequently used by President Erdogan, “The world is bigger than five,” by which he means the five permanent members of the United Nations Security Council.
Ayyildiz Tim is a Turkish nationalist hacking group that has been active since the early 2000s. It frequently claims to be affiliated with the Turkish military, although most of its members are thought to live outside Turkey. The group is very active, mentioned constantly in security forums as the source of attacks against websites in numerous countries.
Among other exploits, they hacked the U.N. Ethiopia website in 2013 to post a message reading:
Whoever has bad ideas about our religion and our country including Internet websites we will fight with them, All Turkish origins from all over the world we are together, we don’t afraid anyone we will give answers, whoever let cruelty, and countries who make cruelty others wait our visit, Turks has no patience anymore.
The U.N. page was also defaced with the black jihadi flag of al-Qaeda. Several other websites, including the Kenyan Ministry of Transportation and a Kurdish LGBT group, were hit in the same attack. The Kenyan website was defaced with Turkish nationalist images and a message that said, “All the Muslims are together. The CYBER-WAR will be appeared all the Countries which not respecting Islam. Ayyildiz promises that they will visit your areas too.”
In the summer of 2014, Ayyildiz Tim claimed to have penetrated Israel’s Iron Dome missile defense system, although the claim was dismissed as a publicity stunt by cybersecurity experts. Also in 2014, they took over the webpage for a Kirk Cameron movie called Saving Christmas, replacing the main page with an image of an armored Turkish warrior and propaganda messages, and hijacking visitors to their Twitter page with a musical clip and the sound of a gunshot.
They hacked the hacker collective Anonymous in December 2015 in retaliation for Anonymous allegedly aligning itself with Russia and claiming the Turkish government supported the Islamic State.
In January 2016, the group perpetrated a Distributed Denial of Service (DDoS) attack against a large number of Russian websites, hijacking visitors with a note that said, “Turkey was with Russia when the country was facing hard times. However, you decided to support Armenians against Turkey and then bomb Turkmen areas and kill innocent civilians in Syria.”
Ayyildiz Tim’s DDoS attack was seen as retaliation for a similar assault on Turkish websites believed to have been launched by Russia, or by Anonymous acting on behalf of Russia.
Business Insider reports attacks on several media accounts owned by international media organizations and reporters in the days before the van Susteren and Bolling hack, including the Twitter account of Der Spiegel Editor-in-Chief Klaus Brinkbaumer.
Brinkbaumer said his account was compromised and used to spread pro-Turkish messages after he clicked on a link sent by “someone who appeared to be a trusted source in Washington, DC,” which sounds like a classic spear-phishing attack.