Turkish hackers claim credit for Library of Congress attack

The attack on several congressional websites comes in the wake of a failed coup in Turkey -- an uprising some Turkish leaders have blamed in part on the U.S. government.

DDoS attacks can be expensive to deal with, requiring network operators to obtain specialized routing services from their internet service providers. They can also serve as a front for other attacks, or test systems to see what kind of defenses are in place.

A hacking group called the Turk Hack Team is taking credit for a shutdown of the Library of Congress website and hosted systems including Congress.gov, the Copyright Office, Congressional Research Service and other sites.

The group claimed credit on an online message board where users go for updates on the availability of websites.

The attack was launched July 17, in the midst of Turkey's response to the military coup targeting the elected government of President Recep Tayyip Erdogan. Prominent Turkish officials have accused the U.S. of fomenting the coup; Secretary of State John Kerry issued a stern denial of such accusations.

The Turk Hack Team is not considered at the level of a nation-state sponsored group or an advanced persistent threat, former U.S. CERT director Ann Barron-DiCamillo told FCW. They're more of a "middle-tier, hacktivist" type group, she said. They've gone after targets for perceived slights to Turkey's honor in the past, including an April 2015 hack on the Vatican website made in response to comments from Pope Francis characterizing the 1915 massacres of Turkish Armenians as a genocide.

The group has not gone after U.S. targets in the past, but Barron-DiCamillo, currently partner and CTO at Strategic Cyber Ventures, said U.S. officials would likely be on the lookout for more hacktivist activity emanating from Turkey. "This is the first kind of visible activity generated post-coup, but it doesn't mean it's going to be the last," she said.

Library of Congress CIO Bernard Barton said on July 20 that the attack had been successfully thwarted.

"This was a massive and sophisticated DNS assault, employing multiple forms of attack, adapting and changing on the fly," he wrote in a blog post. "We’ve turned over key evidence to the appropriate authorities who will investigate and hopefully bring the instigators of this assault to justice."

Congress is not covered by the Federal Information Security Management Act and is not required to report cyber incidents to the Department of Homeland Security.

Spokesperson Gayle Osterberg told FCW that the Library of Congress reports all cyber-related criminal activity to the FBI.

DHS is aware of the incident but is not involved in the investigation or mitigation of the attacks, according to an agency source.

Mostly, Barron-DiCamillo said, such attacks are "distracting, causing pain to both users and customers, but not impacting back-end systems and more critical data."

It is possible the hackers imagined that the Congress.gov and LOC.gov domains represented a more critical target than they actually are. Congress.gov is mostly a public-facing information warehouse that is not integral to the legislative function of the House and Senate. Most of the complaints about the site being down came from librarians and researchers looking to execute catalog searches.

The outage also affected the Congressional Research Service, the in-house think tank for Congress. CRS reports, available only to members and staff, are not published elsewhere except on an ad hoc basis by legislators and public interest groups that obtain the odd document. A bill introduced by Rep. Mike Quigley (D-Ill.) just days before the hack would open up CRS reports to the public, and have the effect of creating a backup site for the material on the Government Publishing Office website.

This story was updated July 20 to include comment from the Library of Congress.