US Army Websites Defaced in 404 Hijacking Campaign
Multiple U.S. Army websites were defaced through a 404 hijacking campaign, displaying pro-Kurdish messages and anti-Trump sentiments.

Several U.S. Army websites experienced defacement via a 404 hijacking campaign, with error pages displaying messages critical of President Donald Trump and promoting pro-Kurdish sentiments. The incident affected subdomains such as oil.army.mil and ai2c.army.mil, which are associated with the Army's Open Innovation Lab and Artificial Intelligence Integration Center, respectively. The defaced pages included slogans like "FREE KURDISTAN" and insults directed at Trump and U.S. Ambassador to Türkiye Tom Barrack.
The attack exploited a 404 hijacking technique, which targets a website's error-handling system rather than its core pages. This method often involves compromising plugins, content management systems, or server configurations to inject unauthorized content into pages that are not found. Cybersecurity researcher Ronald Lovelace discovered the defacements and notified Army officials. Lovelace noted that the affected sites run on WordPress and Microsoft cloud infrastructure, and the compromise across multiple subdomains suggests a potentially deeper issue than a single path corruption.
While the defacement appeared on multiple subdomains, indicating a potential for broad reach, it did not affect all Army websites. Many other Army sites continued to display normal 404 error pages. The exact method by which the attackers gained the ability to modify these error pages remains unclear, as does whether the breach originated internally or through a third-party compromise.
Following CyberScoop's inquiry, the Army took the affected websites offline. An Army spokesperson confirmed that the pages were hosted on a legacy third-party platform not connected to the Army's enterprise network and have since been secured. Incident response teams are actively investigating the matter to understand the full scope and origin of the intrusion.
"Technical teams took immediate action to mitigate the issue, and the affected pages have been secured," Army Maj. Sean Manion stated. "The Army takes all cyber incidents seriously and is actively investigating this matter to enforce our strict cyber defense and network security standards."
While the defacement messages reference Kurdistan, a region spanning parts of Turkey, Iraq, Iran, and Syria, the specific group or individual behind the attack remains unidentified. Defacing government websites has historically been a tactic employed by Kurdish hacktivists. The messages may stem from political opposition to U.S. foreign policy concerning Kurdish territories.
This incident is not the first time U.S. Army websites have been targeted by foreign hackers. In 2015, the Syrian Electronic Army defaced major Army and Department of Defense websites, leading to temporary shutdowns. The ongoing investigation will determine if the current incident is related to previous attacks or if it represents a new threat vector.
The Army's investigation is ongoing, and it is too early to determine whether the third-party platform will be patched or discontinued. The focus remains on securing the affected systems and understanding the vulnerabilities exploited.