At first glance, they may seem just like pro-Assad thugs and online
vandals, commandeering Web sites in the name of their favorite dictator.
But the hacker group known as the Syrian Electronic Army is getting
more ambitious and sophisticated, say experts who've looked closely at
the tactics underlying their attacks. The hackers may even be receiving
outside help from more skilled and dangerous groups - or even from
governments.
The SEA has been around since 2011, and so far has been known mostly for
relatively simple acts of vandalism like Web site defacements. (Most
recently, the group grabbed international attention after commandeering
the Web sites of the New York Times, the Washington Post, and yesterday
the recruitment Web site for the U.S. Marine Corps.)
But in the spring of this year, the group started to up its game. It
went after bigger targets, as when it hijacked the Twitter feed of the
Associated Press and sent out a false report about a bombing at the
White House. It also hacked into Web-based communications services that
Syrian rebels were using to avoid detection by the regime. The goal
presumably wasn't to vandalize those services, but to gather information
about the rebels who were using them.
As the SEA's ambition has grown, so has its skill level. The attack on
the New York Times effectively gave the group control over the paper's
entire Web presence. It was accomplished not by a frontal assault on the
Times' own servers, but by changing the domain's records in the Domain
Name System through a domain registrar in Australia. Anyone who tried to
visit the Times Web site was redirected to a server under the SEA's
control, sporting its logo. Not exactly high-end tradecraft, but not the
work of simple vandals, either, which is what the SEA has long been
known for.
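The redirect described above works because the authoritative nameservers for a domain are set at the registrar, not on the site's own servers, so a site can be "taken over" without a single one of its hosts being touched. The detective control is to watch the zone's NS and A records from outside and alert on any drift from a known-good baseline. The following is an added example, not code from the article or from any company it names: a small checker that parses dig-style answer lines and compares them against a baseline, treating an NS change as high severity on the assumption that it indicates registrar-level tampering. The zone name, nameservers and addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample data: a dig-style answer section for a zone as it
# should look (baseline) and as it looked during a registrar-level redirect
# (observed). Names and addresses are made up for this example.
BASELINE_ANSWERS = """
news.example.      3600  IN  NS  ns1.hosting-dns.example.
news.example.      3600  IN  NS  ns2.hosting-dns.example.
news.example.      300   IN  A   192.0.2.10
news.example.      300   IN  A   192.0.2.11
"""

HIJACKED_ANSWERS = """
news.example.      3600  IN  NS  NS1.Attacker-DNS.example.
news.example.      3600  IN  NS  ns2.attacker-dns.example.
news.example.      300   IN  A   198.51.100.7
"""

# owner  ttl  IN  type  rdata   (only NS and A are of interest here)
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both
    so that 'NS1.Example.' and 'ns1.example' compare equal."""
    return name.rstrip(".").lower()


def parse_answers(text: str) -> dict:
    """Parse dig-style answer lines into {'NS': set_of_names, 'A': set_of_ips}."""
    records = {"NS": set(), "A": set()}
    for line in text.strip().splitlines():
        m = ANSWER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable answer line: {line!r}")
        _owner, _ttl, rtype, rdata = m.groups()
        records[rtype].add(normalize_name(rdata) if rtype == "NS" else rdata)
    return records


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" for NS drift, "medium" for A drift (assumption, see below)
    record_type: str
    unexpected: tuple  # records seen now that are not in the baseline
    missing: tuple     # baseline records that are no longer seen


def compare_records(baseline: dict, observed: dict) -> list:
    """Return one Finding per record type whose set differs from the baseline.

    Assumption built into the severities: the NS set is what the registrar
    publishes to the registry, so a change there means the registrar account
    or delegation was altered, which is the shape of attack described above.
    An A change with intact NS points at the zone's own hosting instead.
    """
    findings = []
    for rtype, severity in (("NS", "high"), ("A", "medium")):
        base, obs = baseline[rtype], observed[rtype]
        unexpected = tuple(sorted(obs - base))
        missing = tuple(sorted(base - obs))
        if unexpected or missing:
            findings.append(Finding(severity, rtype, unexpected, missing))
    return findings


def check_zone(baseline_text: str, observed_text: str) -> list:
    """Convenience wrapper: parse both snapshots and diff them."""
    return compare_records(parse_answers(baseline_text), parse_answers(observed_text))


if __name__ == "__main__":
    for f in check_zone(BASELINE_ANSWERS, HIJACKED_ANSWERS):
        print(f"[{f.severity}] {f.record_type}: unexpected={f.unexpected} missing={f.missing}")
```

In a real deployment the observed text would come from querying several independent recursive resolvers (and the registry's own delegation) on a schedule, so that a change pushed through the registrar is caught even if the site's own servers look healthy. The preventive counterpart is a registrar lock on the domain, which the checker above cannot substitute for; it only shortens the time an unnoticed redirect stays in place.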
"The [SEA] apparently uses low-level tactics to compromise websites and
Twitter accounts, but they should not be underestimated," says Helmi
Noman, a senior researcher at Citizen Lab, a research group at the
University of Toronto that studies hacker networks. "They should not be
evaluated based on their level of sophistication, but rather on the
potential damage they can cause with unauthorized access to websites."
So how did the SEA get better in only a few months?
"I don't think it would be unreasonable to suspect someone more skilled
is helping them out," says Adam Myers, the Vice President of
Intelligence for CrowdStrike, a computer security company. In the
attacks on the Times, Twitter, and communications services such as
Tango, a popular video and text messaging application, and Viber, which
lets users make free phone calls via the Internet, the SEA got access to
user accounts as well as to other data in the companies' systems.
"That would indicate that they've been improving [their methods] over
the past couple months. I would not rule out some outside influence
giving them pointers," Myers says. "I think the likely candidates would
be Iran."
If Iranian forces have joined up with the SEA, that could be a
problem for the United States. Iranian hackers have already demonstrated
their prowess, and they don't limit themselves to single Web site
attacks and propaganda campaigns. Last year, an operation that erased
data on tens of thousands of computers at the oil company Saudi Aramco,
and a massive denial-of-service attack on the Web sites of U.S. banks,
both attributed to Iran, sent waves of panic throughout U.S.
intelligence and law enforcement agencies.
What's known about the SEA's members has come in large part from
journalists, as well as from other hackers. Last week, the hacker group
Anonymous, probably the best known in the world, released information it
stole from an SEA server. The Anonymous intrusion helped to confirm some
details about how the group works; for instance, it is apparently not
officially aligned with the Assad regime, but is made up of supporters
who may receive some backing from the government. But Anonymous also
showed that the SEA is not impervious. The hacker collective claimed to
release information about the SEA's core members, including their
personal e-mail addresses and the passwords for their accounts. The SEA
claims its systems were never breached, and that reports identifying its
members are erroneous.
Regardless of who is running the SEA, officials in the United States are
preparing for a retaliatory strike in cyberspace by forces allied with
the Syrian regime. In anticipation of those strikes, the FBI is more
closely monitoring Syrians inside the United States and is warning
companies and government agencies to brace for possible cyber strikes.
U.S. intelligence agencies are also monitoring potential Syrian cyber
attacks and keeping lawmakers informed, according to a congressional
staffer.
Would the SEA be the likely group to carry out those attacks? Possibly. But they're not the only force available.
Syria has become a digital battlefield for a range of malicious actors,
including pro-regime spies and propagandists, says Rafal Rohozinski, the
CEO of SecDev Group, which monitors communications activity in Syria.
The SEA has not made any great technological leaps or advances in
tradecraft, he argues, but they have become more "deliberative and
strategic" in how they work. They're taking the time to select more
valuable targets that will give them the most bang for their buck.
And in that sense, the SEA's evolution reflects the broader hacker
landscape. In June, Citizen Lab published a report on two operations
conducted by what it called "pro-government electronic actors," which
were narrowly targeted to trick opposition members into installing
spyware on their computers. Unlike the SEA's high-profile, public Web
site defacements, these attacks were designed to go unnoticed.
In one operation, the group sent rebels electronic messages while posing
as someone they knew or were likely to know. The messages encouraged
victims to download what purported to be Freegate, a circumvention tool
designed to help dissidents evade state surveillance. The program was
actually a piece of malware that let the intruder monitor what the
infected user was typing on his computer, and also read and remove his
files. In other words, pro-Assad hackers used the fear of Assad's spies
to start snooping on dissidents. Clever.
In the second operation, victims were sent messages encouraging them to
click on a link to a sermon by a pro-opposition cleric. When they did
so, it activated a program that effectively put the user's computer
under the hacker's control.
This kind of targeted, tailored hacking was useful for gathering
intelligence on the location of rebels and their allies, and then
killing or capturing them, Rohozinski says. The attacks have fallen off
in recent months, he added, as the intensity of the physical fight in
Syria has increased. Perhaps the regime doesn't need to spy on rebels
when it can kill them with poison gas.
If there is a retaliatory cyber strike against the United States -- and
experts sound increasingly convinced there will be one -- it could come
from any number of sources, inside or outside the country. The SEA may
be the most well-known of the Syrian hacker armies, but maybe not for
long.