Who is the Syrian Electronic Army?

FireEye_Logo_HighResThe Syrian Electronic Army (SEA) is a prolific group of hackers who are loyal to Syrian President Bashar al-Assad. Their campaign began in May 2011, and typically employs DDoS attacks, phishing, pro-Assad web defacements and spamming campaigns against governments, online services, and media that are perceived hostile to the Syrian government.

The SEA has successfully attacked Al-Jazeera, the hacker group Anonymous, Associated Press (AP), BBC, Daily Telegraph, Financial Times, Guardian, Human Rights Watch, and National Public Radio. Its most famous exploit to date was an announcement from the AP’shacked Twitter account that the White House was bombed and President Obama injured – within seconds, stock markets briefly dipped more than $100 billion dollars.

The precise nature of the SEA’s relationship to the Syrian government is unknown. Although the domain name for its website was registered by the Syrian Computer Society (previously headed by President Assad), the depth and breadth of SEA’s activities hint that it also has the support of many civilian volunteers. Furthermore, the SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy activists has been key to its success. In any case, this ambiguity helps to ensure that the Syrian government does not face legal or political repercussions for SEA’s attacks.

SEA:Phishing for Trojan Horses

The SEA’s two primary goals are to maintain pressure on the Syrian political opposition and to improve the Syrian government’s image. Toward these ends, the SEA often sends socially-engineered, spear-phishing emails to lure opposition activists into opening fraudulent, weaponized, and malicious documents. In this way, for example, targeted Facebook users have been tricked into giving up their login information.

The SEA is believed to have used the following Remote Access Tools (RAT) and Trojan Horse applications in the past: Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast.

A successful installation of such malware on a victim’s computer could provide SEA witha wide range of capabilities, including:

  • Keystroke logging
  • Screenshots
  • Webcam images
  • Eaves dropping by microphone
  • Stolen Documents
  • Stolen Passwords

And of course, all of this sensitive information is likely sent to a computer address lying within Syrian-controlled Internet Protocol (IP) space.

Important SEA compromises in July 2013

The SEA has recently compromised three important online communications websites, each of which could have serious real-world consequences for Syria’s political opposition.

  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online phone directory, storing over a billion phone numbers in over 100 countries. Furthermore, SEA claimed this attack also gave it the access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging serviceTango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the initial attack vector was a vulnerable version of the WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a freeonline calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam whichenabled the SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.

 

Impact

Why are these SEA attacks so important?

  • The SEA, just like other “patriotic hackers” around the world, is proving that a small group of expert hackers can be a force on the international stage.
  • The SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries.
  • Successful attacks on international communications sites such as TrueCaller, Tango and Viber can put humans in real danger through espionage, intimidation, and/or arrest.