“We are aware of unauthorized defacements on the error pages of oil.army.mil and ai2c.army.mil , which are hosted on a legacy, non-authoritative platform,” Army spokesperson Maj. Sean Minton said, summing up the official acknowledgment of an incident that left two U.S. Army subdomains showing politically charged 404 error pages.
What visitors saw on oil.army.mil and ai2c.army.mil
Independent researcher Ronald Lovelace discovered and reported the defacements to U.S. Army officials and CyberScoop. Screenshots show 404 error pages on oil.army.mil and ai2c.army.mil that contained messages denigrating President Donald Trump and United States Ambassador to Türkiye Tom Barrack, calls to “FREE KURDISTAN,” and a sign-off reading “Kurdish sr was here.” The images of the altered 404 pages were visible to users before the pages were taken offline.
404 hijacking: the technique Ronald Lovelace described
Lovelace described the incident as a 404 hijacking, a method that exploits a website’s error-handling system so attackers control what visitors see when a requested page is not found. According to the reporting, this can be achieved by compromising a plugin, the site’s content management system, or server configuration. The affected sites run on WordPress and Microsoft cloud infrastructure, Lovelace said.
He noted the cross-subdomain presence of the defacements raises the severity. “It raises the severity a decent amount because it shows it’s a bit deeper than just one single path” that’s being corrupted, Lovelace said, while also observing that the compromise does not appear to affect all Army websites — many remained with normal 404 pages.
Legacy third-party platform and the Army’s immediate response
After CyberScoop reached out, the Army took the affected websites offline. Maj. Sean Minton described the pages as being “hosted on a legacy, non-authoritative platform” that is not connected to the Army’s enterprise network. “Technical teams took immediate action to mitigate the issue, and the affected pages have been secured,” he said, adding that Army cyber investigators are conducting incident response and that “the Army takes all cyber incidents seriously.”
Minton also said it is “too early to say whether the third-party platform will be patched or discontinued.” The Army has not publicly attributed the defacements to any actor, and investigators have not announced whether the intrusion extended beyond the visible 404-page changes.
Historical context cited in the reporting
The CyberScoop piece noted precedent for foreign actors targeting Army sites: in 2015, Army officials temporarily shut down major websites after defacements attributed to the Syrian Electronic Army. The current incident echoes that earlier compromise in its public, political messaging, though critical details remain unverified — including how long the subdomains were compromised and whether the breach originated internally or through a third party.
What this means for Army cyber teams, third-party vendors, and Kurdish proponents
- Army cyber investigators and technical teams: the Army has already taken immediate mitigation actions and secured the affected pages, and investigators are continuing incident response. Their near-term tasks include determining the vector of the 404 hijack, whether additional subdomains were affected, and whether the intrusion reached systems beyond the legacy platform.
- Third-party platform operators and procurement officials: the pages were described as hosted on a “legacy, non-authoritative platform” not connected to the enterprise network. Procurement and vendor teams will need to decide whether to patch or discontinue that platform — a decision the Army spokesperson said “it’s too early to say” — and to reassess how legacy third-party services are governed and monitored.
- Kurdish proponents and potential attackers: the defacement contained explicit references to Kurdistan, and the reporting notes that website defacement has been a popular tactic among Kurdish hacktivists. The content also referenced political figures who drew ire earlier in the year for positions related to Syrian military campaigns, providing a visible public outlet for protest messaging.
The incident leaves several concrete, unanswered facts: investigators have not publicly confirmed the initial access vector, the length of the compromise, or whether any systems beyond the error pages were altered. For now, the Army’s statement that the pages were on a legacy, non-authoritative platform and that technical teams “took immediate action to mitigate the issue” frames the event as contained but under active investigation. Whether the platform will be patched or taken out of service remains a decision to be made as the inquiry continues.




