US Army websites defaced with pro-Kurdish sentiments, insults to Trump

At least two U.S. Army websites were defaced with messages expressing pro-Kurdish sentiments and insults directed at President Donald Trump and White House advisor Tom Barrack. The defacements were discovered on error pages of the subdomains oil.army.mil and ai2c.army.mil.
The messages included calls to "FREE KURDISTAN" and attributed the defacement to "Kurdish sr." The affected websites are associated with Army initiatives focused on technological advancement. Oil.army.mil is part of the Army's Open Innovation Lab, established in 2020 for testing software and cyber capabilities. Ai2c.army.mil belongs to the Artificial Intelligence Integration Center, created in 2019 to integrate AI technologies and train personnel.
The defacements were identified by independent cybersecurity researcher Ronald Lovelace, who subsequently alerted Army officials and CyberScoop. Lovelace noted that the affected sites utilize WordPress and Microsoft cloud infrastructure.
The method used, known as 404 hijacking, exploits a website's error-handling system. This technique allows attackers to display unauthorized content, such as defacement messages or malicious redirects, on pages that are not found. This can make the compromise less obvious, as the rest of the website may appear unaffected.
It remains unclear how long the subdomains were compromised or if other Army websites were affected. Lovelace suggested that the compromise across multiple subdomains indicates a potentially deeper issue than a single corrupted path. However, many other Army websites continued to display normal error pages. The origin of the breach, whether internal, external, or through a third party, and the extent of the intrusion beyond website defacement are also unknown.
Army officials took the websites offline after being contacted by CyberScoop for comment. An Army spokesperson stated that the affected pages were hosted on a legacy third-party platform not connected to the Army's enterprise network. The spokesperson confirmed that technical teams took immediate action to secure the pages and that an incident response investigation is ongoing.
The spokesperson, Maj. Sean Minton, emphasized that the Army takes all cyber incidents seriously and is actively investigating to uphold its cyber defense and network security standards. The spokesperson also indicated it is too early to determine if the third-party platform will be patched or discontinued.
While the identity of the attackers is not definitively known, the messages reference Kurdistan, a region encompassing parts of Turkey, Iraq, Iran, and Syria, home to a significant Kurdish population. The Kurdish separatist movement has a history of activism, including hacktivism targeting government websites. The defacements may be linked to recent political events where Trump and Barrack were perceived by some Kurdish proponents as supporting a Syrian government military campaign in Kurdish-majority areas.
This incident is not the first time U.S. Army websites have been targeted. In 2015, several major Army websites, including the main homepage and the U.S. Strategic Command site, were temporarily shut down after being defaced by hackers associated with the Syrian Electronic Army.





