Who is the Syrian Electronic Army?

Understanding the threat posed by the Syrian Electronic Army

The SEA is using socially-engineered spear phishing attacks against certain targets, says Alqartah.
By Ayed Alqartah. Published August 1, 2013

The Syrian Electronic Army (SEA) is a prolific group of hackers who are loyal to Syrian President Bashar al-Assad. Their campaign began in May 2011, and typically employs DDoS attacks, phishing, pro-Assad web defacements and spamming campaigns against governments, online services, and media that are perceived as hostile to the Syrian government.

The SEA has successfully attacked Al-Jazeera, the hacker group Anonymous, Associated Press (AP), BBC, Daily Telegraph, Financial Times, Guardian, Human Rights Watch, and National Public Radio. Its most famous exploit to date was an announcement from the AP’s hacked Twitter account that the White House was bombed and President Obama injured – within seconds, stock markets briefly dipped more than $100 billion.

The precise nature of the SEA’s relationship to the Syrian government is unknown. Although the domain name for its website was registered by the Syrian Computer Society (previously headed by President Assad), the depth and breadth of SEA’s activities hint that it also has the support of many civilian volunteers. Furthermore, the SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy activists has been key to its success. In any case, this ambiguity helps to ensure that the Syrian government does not face legal or political repercussions for SEA’s attacks.


SEA: Phishing for Trojan Horses

The SEA’s two primary goals are to maintain pressure on the Syrian political opposition and to improve the Syrian government’s image. Toward these ends, the SEA often sends socially-engineered, spear-phishing emails to lure opposition activists into opening fraudulent, weaponized, and malicious documents. In this way, for example, targeted Facebook users have been tricked into giving up their login information.

The SEA is believed to have used the following Remote Access Tools (RATs) and Trojan Horse applications in the past: Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast.

A successful installation of such malware on a victim’s computer could provide SEA with a wide range of capabilities, including:

  • keystroke logging
  • screenshots
  • webcam images
  • eavesdropping by microphone
  • stolen documents
  • stolen passwords

And of course, all of this sensitive information is likely sent to a computer address lying within Syrian-controlled Internet Protocol (IP) space.

Important SEA compromises in July 2013

The SEA has recently compromised three important online communications websites, each of which could have serious real-world consequences for Syria’s political opposition.

July 16: SEA hacked the Swedish site Truecaller, home to the world's largest online phone directory, storing over a billion phone numbers in over 100 countries. Furthermore, SEA claimed this attack also gave it the access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.

July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the initial attack vector was a vulnerable version of the WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.

July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam which enabled the SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.


Why are these SEA attacks so important?

1. The SEA, just like other “patriotic hackers” around the world, is proving that a small group of expert hackers can be a force on the international stage.

2. The SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries.

3. Successful attacks on international communications sites such as Truecaller, Tango, and Viber can put people in real danger through espionage, intimidation, and/or arrest.

Ayed Alqartah is a systems engineer for FireEye Middle East & Africa.

2040 days ago
Sajjad Assad Khan

The article was informative and nicely written. But it proves that online DBs and any sort of websites which store personal data are not safe. So we should not give full info on any online sites. Nobody is safe when it comes to privacy, as the FBI and intelligence agencies of the US and some other countries are storing all forms of online data. We all are 100% unsafe when it comes to online safety.
