{
	"id": "d0a69578-797e-4bf5-918e-9f7d79f0c1b7",
	"created_at": "2026-04-06T00:06:35.486041Z",
	"updated_at": "2026-04-10T03:33:17.930328Z",
	"deleted_at": null,
	"sha1_hash": "f0a97a313a959f5f9d9ca73cb1f71e10f73ae886",
	"title": "Despite appearances, WikiLeaks wasn’t hacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90190,
	"plain_text": "Despite appearances, WikiLeaks wasn’t hacked\r\nBy Graham Cluley\r\nPublished: 2017-09-04 · Archived: 2026-04-02 10:39:43 UTC\r\nIf you visited the WikiLeaks website on Thursday morning, you can’t have failed to notice something a little out\r\nof the ordinary.\r\nInstead of the normal catalog of leaked confidential documents from Western governments and intelligence\r\nagencies, you’ll have seen a message from the notorious OurMine gang.\r\nPart of the message visible to visitors of the WikiLeaks website read as follows:\r\nHi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, Oh wait, this is\r\nnot a security test! Wikileaks, remember when you challenged us to hack you?\r\nYes, it was OurMine up to their old tricks again, fresh from compromising the social media accounts of football\r\nteams FC Barcelona and Real Madrid.\r\nWhy would OurMine want to target WikiLeaks? Well, there isn’t much love lost between them: the publication online\r\nof the alleged personal details of members of the hacking group was followed by a DDoS attack against the\r\nwhistle-blowing site in 2016.\r\nThe good news for WikiLeaks this time was that things weren’t quite as bad as they might have first appeared.\r\nYou see, the WikiLeaks website hadn’t been hacked.\r\nInstead, OurMine had managed to alter WikiLeaks’s DNS records (held by a third-party registrar) to direct anyone\r\nwho tried to visit wikileaks.org to visit a different IP address which definitely wasn’t under the control of Julian\r\nAssange and his cronies.\r\nWas that too nerdy for you? Think of it this way. 
The internet has ‘telephone directories’, known as DNS (Domain\r\nName System) records, that translate website names (such as wikileaks.org) into a numeric address (such as\r\n95.211.113.131) that the internet understands.\r\nChange the numbers in the telephone directory, and anyone trying to get to wikileaks.org could end up somewhere\r\nelse entirely.\r\nThis kind of domain hijacking isn’t a new threat – past victims have included such well-known services as\r\nWhatsApp and anti-virus firm AVG – but it’s a very effective way to embarrass an organisation publicly, and even\r\n(in the worst cases) attempt to scam visitors or redirect them to malware.\r\nAnd while your website’s domain records are under someone else’s control it’s not only possible that your website\r\nvisitors are being redirected, but also that emails being sent to your organisation are being sent somewhere else\r\nentirely too.\r\nWe don’t know how OurMine managed to access WikiLeaks’s DNS records, but past experience has shown that\r\ntheir typical modus operandi is simply to log in using their victim’s password.\r\nIf that happened in this case then it’s possible that someone at WikiLeaks was either phished, had an easy-to-guess\r\npassword, fell victim to some spyware, or made the mistake of reusing the same password in different places.\r\nAlternatively, the attackers might have used social engineering to trick WikiLeaks’s DNS provider into handing\r\nover the credentials, or simply requested that a password reset link be sent to a compromised email address.\r\nFor this reason, many DNS registrars offer additional levels of security beyond passwords – such as registry\r\nlocking and two-factor authentication (2FA) – to better protect the critical data they store about your website.\r\nFor instance, the DNS registrar I use for grahamcluley.com is DNSimple which has been supporting 2FA 
since\r\n2012.\r\nEven if a malicious hacker has managed to determine the password for your company’s 2FA-protected account at\r\nthe DNS registry, they shouldn’t be able to access it because they don’t know your one-time numeric PIN.\r\nOf course, it’s always possible that an attacker might exploit a vulnerability in your DNS registrar’s systems to\r\nfiddle with your website’s records, perhaps without needing to know your password or bypass 2FA. But such\r\nattacks are by their very nature much rarer.\r\nIf you own a website, take advantage of the security features that your DNS registrar offers you – or find an\r\nalternative registrar who will do more to protect your account.\r\nAnd if you’re the administrator of the WikiLeaks website, just be grateful that OurMine was feeling more\r\nmischievous than malicious – as this attack could have been much more serious.\r\n#DNS hijacking\r\n#Ourmine\r\n#Wikileaks\r\nSource: https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/"
	],
	"report_names": [
		"despite-appearances-wikileaks-wasnt-hacked"
	],
	"threat_actors": [
		{
			"id": "e4ccfe5c-4d77-4503-bf1c-36076dbd78d0",
			"created_at": "2022-10-25T16:07:24.522697Z",
			"updated_at": "2026-04-10T02:00:05.02215Z",
			"deleted_at": null,
			"main_name": "OurMine",
			"aliases": [
				"ATK 128",
				"TAG-HA10"
			],
			"source_name": "ETDA:OurMine",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74f1da67-5bc9-49ee-ba8e-b7e8b452a2c2",
			"created_at": "2023-01-06T13:46:39.021238Z",
			"updated_at": "2026-04-10T02:00:03.183989Z",
			"deleted_at": null,
			"main_name": "OurMine",
			"aliases": [],
			"source_name": "MISPGALAXY:OurMine",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791997,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0a97a313a959f5f9d9ca73cb1f71e10f73ae886.pdf",
		"text": "https://archive.orkl.eu/f0a97a313a959f5f9d9ca73cb1f71e10f73ae886.txt",
		"img": "https://archive.orkl.eu/f0a97a313a959f5f9d9ca73cb1f71e10f73ae886.jpg"
	}
}