Prof. Riley - Security

Pre-lecture research - Major security incidents in Qatar

Incident 1: Hacking of the Qatar News Agency - Sources 1-4

Initial reports on the incident specified that the attackers broke into the website and social media accounts of the state-owned news agency, QNA, on 24th May 2017.

They were able to get in by exploiting a security vulnerability. Once inside, they created a fake news post on QNA’s website falsely stating that the Emir, Sheikh Tamim bin Hamad Al Thani, had criticized the tensions between Iran and the United States of America (USA) and had pointed out that the President of the USA at the time, Donald Trump, would not last long in office.

Soon after the post was released, Qatar released an official statement that QNA had been hacked and that it was requesting the help of the Federal Bureau of Investigation (FBI) to find out what happened. Unfortunately, the fake post created tensions amongst the Arab Gulf countries, which then led to the illegal blockade against Qatar a week later (5th June 2017), even though Qatar had claimed to be the victim of a cyber-attack. The blockade affected millions of Qatari residents, who now had to find alternative sources for important commodities such as food imports.

While many details of the investigation into how the attack was carried out and who was behind it were undisclosed, there was a claim (in Source 5) that iPhones from the blockading nations were used in the hacking.

Incident 2: Data leak at the Qatar National Bank - Sources 5-11

The personal information (phone numbers, bank details, account PINs, passwords, etc.) of many QNB customers, contained in a 1.5 GB database file, was leaked on a file-sharing website called “global-files.net” on 26th April 2016. Members of the Al-Thani family, Al-Jazeera staff and government officials were among the roughly 465,000 customers who had their information compromised.

The attackers, a Turkish hacking group called Bozkurt Hackers going by the social media tag @bozkurthackers, claimed responsibility for the data leak. They had used an open-source SQL injection tool to obtain the information from the database (Source 10). Investigators were able to find this out by examining the leaked data, which turned out to be a ‘hacker’s cache’ that showed what data was leaked as well as how it was leaked (Source 11).

Sources

Source 1

Source 2

Source 3

Source 4

Source 5

Source 6

Source 7

Source 8

Source 9

Source 10

Source 11