Full Report
Multiple U.S. Army internet subdomains were defaced in a 404 hijacking campaign, CyberScoop has confirmed. As of Monday morning, error pages on two U.S. Army websites – oil.army.mil and ai2c.army.mil – displayed defacement messages visible to users. The messages denigrated President Donald Trump and United States Ambassador to Türkiye Tom Barrack, called to “FREE KURDISTAN,” And…
Analysis Summary
# Incident Report: Defacement of U.S. Army Subdomains via 404 Hijacking
## Executive Summary
Multiple U.S. Army internet subdomains were targeted in a "404 hijacking" campaign that resulted in the defacement of public-facing error pages. The attackers leveraged these pages to display political messages denigrating U.S. officials and supporting Kurdish independence. While the compromise was visible to the public, it appears to have been limited to the web presentation layer of specific subdomains rather than a deep network breach.
## Incident Details
- **Discovery Date:** July 6, 2026 (Monday morning)
- **Incident Date:** Ongoing as of July 6, 2026
- **Affected Organization:** U.S. Army (specifically the Open Innovation Lab and the Artificial Intelligence Integration Center)
- **Sector:** Government / Defense
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to the morning of July 6, 2026.
- **Vector:** 404 Hijacking / Error Page Manipulation.
- **Details:** Attackers gained the ability to modify the "404 Not Found" error templates or redirect traffic for specific subdomains to custom-hosted malicious content.
### Lateral Movement
- **Details:** Based on current reporting, there is no evidence of lateral movement into internal Army networks. The attack appears confined to the web configuration/content delivery layer.
### Data Exfiltration/Impact
- **Impact:** Defacement of public websites. No data exfiltration was reported.
- **Affected Assets:**
- oil[.]army[.]mil (Open Innovation Lab)
- ai2c[.]army[.]mil (Artificial Intelligence Integration Center)
### Detection & Response
- **How it was discovered:** Spotted by users and journalists as defacement messages became visible on public subdomains.
- **Response actions taken:** CyberScoop confirmed the defacement; presumably, Army IT staff began remediation (taking pages offline or restoring default configurations) shortly after discovery.
## Attack Methodology
- **Initial Access:** Hijacking of 404 error page configurations.
- **Persistence:** Modification of web server configuration files or Content Management System (CMS) templates.
- **Impact:** Use of Resource Exhaustion or Configuration Manipulation to display political propaganda ("Kurdish sr was here," "FREE KURDISTAN").
## Impact Assessment
- **Financial:** Minimal; restricted to incident response labor costs.
- **Data Breach:** None reported; public-facing information only.
- **Operational:** Low; primarily affected test beds and training domains rather than operational military systems.
- **Reputational:** Moderate; public defacement of military websites, especially those focused on "AI" and "Innovation," creates a perception of vulnerability.
## Indicators of Compromise
- **Network indicators:**
- hxxp://oil[.]army[.]mil (modified 404 behavior)
- hxxp://ai2c[.]army[.]mil (modified 404 behavior)
- **Behavioral indicators:** Custom error messages displaying political text: "FREE KURDISTAN" and "Kurdish sr was here."
## Response Actions
- **Containment:** Verification of the extent of defacement across the [.]army[.]mil infrastructure.
- **Eradication:** Removal of unauthorized scripts or text from the error page templates.
- **Recovery:** Restoration of original 404 error handlers and hardening of CMS/web server configurations.
## Lessons Learned
- **Key takeaways:** Even non-critical subdomains (test beds/labs) are high-value targets for "hacktivists" seeking a platform for political messages.
- **What could have been done better:** Monitoring for unauthorized changes to web server configuration files and automated integrity checking of public-facing templates could have alerted the Army before the messages were seen by the public.
## Recommendations
- **Asset Inventory:** Conduct a full audit of all subdomains to ensure dormant or "lab" sites adhere to the same security standards as primary domains.
- **Integrity Monitoring:** Implement File Integrity Monitoring (FIM) on web server directories to detect unauthorized changes to index or error pages.
- **Configuration Hardening:** Ensure that custom 404 pages are not stored in directories with write permissions accessible to the web service or unauthorized users.