Attacks/Breaches
9/6/2013
11:56 AM
50%
50%

FBI Warns Of Syrian Electronic Army Hacking Threat

Recent string of high-profile website and Twitter takedowns leads some security professionals to question whether hackers are getting help from Iran.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The FBI Cyber Division has issued an alert to media outlets to beware compromise by the Syrian Electronic Army (SEA), and urged them to report any suspicious network traffic or behavior to the bureau.

The advisory recaps how the "pro-regime hacker group that emerged during Syrian anti-government protests in 2011 [...] has been compromising high-profile media outlets in an effort to spread pro-regime propaganda."

"The SEA's primary capabilities include spear-phishing, Web defacements, and hijacking social media accounts to spread propaganda," read the advisory. "Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets."

The alert was issued following the SEA's large disruption of The New York Times website and smaller outages at Twitter and The Huffington Post U.K. That built on a string of previous defacements, including the Twitter accounts for Associated Press, BBC and Reuters, as well as Gmail accounts used by the White House media team.

[ Are recent hacks just the beginning of an escalation in cyber-warfare? Read NY Times Caught In Syrian Hacker Attack. ]

Many of those takedowns were accomplished using cheap-and-easy spear-phishing attacks, often designed to separate victims from their Google login information, which the hackers then use to seize control of Twitter feeds and send further phishing emails.

In the wake of the FBI's recent advisory, the SEA doesn't appear to be running scared. In fact, the group Friday tweeted a link to the advisory from one of its Twitter accounts.

Bravado aside, the SEA's increasingly big -- and sophisticated -- takedowns have lead some security experts to ask if the group isn't getting outside help. ''I don't think it would be unreasonable to suspect someone more skilled is helping them out,'' Adam Myers, vice president of intelligence for security firm CrowdStrike, told The Sydney Morning Herald in Australia. Notably, the group appears to have graduated from mere Twitter account takeovers to stealing details on users of video and voice app Tango, as well as the Times and Twitter takedowns, which involved exploiting a never-before-seen DNS registry.

"They've been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers,'' said CrowdStrike's Myers. ''I think the likely candidate would be Iran.''

Other information security professionals have also noticed the SEA's increasing skills. "They exposed some world-class exposures in some world-class environments," Carl Herberger, VP of security solutions for Radware, said in a recent phone interview. "To take down The New York Times website? Pretty impressive. To expose some security problems in Twitter, even if the rest of the world didn't know they were there? Very impressive."

Has that lead to a more concerted effort by the FBI to identify and arrest the SEA's members? No doubt the bureau is working overtime to do so. But some recent press reports have sensationalized those efforts, given that the FBI has remained mum on any related investigations. For example, International Business Times reported Thursday that the FBI's advisory said that "anyone found to be aiding the SEA will be seen as terrorists actively aiding attacks against the U.S. websites." In fact, the FBI's advisory made no such claims.

Russia Today, which has an editorial slant that strongly favors the policies of President Vladimir Putin, claimed Friday that the FBI had added the SEA "to its list of wanted criminals." In reality, however, neither the SEA nor its members feature on the bureau's list of most-wanted cybercriminals.

If the bureau has identified the hackers involved in the SEA, however, the suspects should watch where they travel. Earlier this week, for example, Russia issued a travel advisory warning Russians accused of cybercrimes to beware international travel, reported Wired. The notice, issued by Russia's Foreign Ministry, warned citizens to "refrain from traveling abroad, especially to countries that have signed agreements with the U.S. on mutual extradition, if there is reasonable suspicion that U.S. law enforcement agencies" are investigating their activities. That notice was issued in the wake of the June arrest -- based on an Interpol Red Notice -- in the Dominican Republic of Russian Aleksander Panin, an alleged hacker charged in a $5 million online banking heist. Also this year, Russian national Maxim Chuhareva was arrested in Costa Rica as part of the Secret Service's Liberty Reserve crackdown.

Could some elements of the SEA now be operating from Russia? Interestingly, the SEA's servers were relocated to Russia after Network Solutions seized the group's domain names, apparently acting on a Department of Justice request. In retaliation for that embarrassing turn, the self-described teenage leader of the group, known as "Th3 Pr0" (pronounced "the pro") hacked AP's Twitter feed, issuing a bogus alert that President Obama had been injured in a bomb blast. The tweet temporarily erased $200 billion in value from the U.S. stock market.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
proberts551
50%
50%
proberts551,
User Rank: Apprentice
9/9/2013 | 1:35:11 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
The SEA's - Train your enemies, give them Guns, Ammo, and educate them in high technology, in the United States, and other free countries, and this is what we have.
The playing field for war, electronic and otherwise is being leveled. What countries choose to do with knowledge cannot be controlled once we educate them. The Goal is for the free world, is to be farther ahead of the threat, which is becoming much more difficult.
AndrewS588
50%
50%
AndrewS588,
User Rank: Apprentice
9/9/2013 | 10:07:36 AM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
John Kerry = Vietnam Veterans for the FBI!
Peter King = CIA/MI6
Anonymous = NSA

Do you want to know where the Anti-War movement is?
Here it is! Stop the WAR and political repression in America!
America and OBAMA One Big WAR Machine!.

John Kerry was never in the Anti-War movement he was a government snitch informer for the government.
AndrewS588
50%
50%
AndrewS588,
User Rank: Apprentice
9/9/2013 | 10:02:07 AM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
John Kerry = Vietnam Veterans for the FBI!
Peter King = CIA/MI6
Anonymous = NSA

Do you want to know where the Anti-War movement is?
Here it is! Stop the WAR and political repression in America!
America and OBAMA One Big WAR Machine!.

John Kerry was never in the Anti-War movement he was a government snitch informer for the government.
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
9/6/2013 | 10:37:30 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
If Iran and/or Russian (especially) is providing assistance to the SEA, it certainly adds intrigue to all the back-and-forth sniping at the G20 meeting this week.
StevenJ13
50%
50%
StevenJ13,
User Rank: Apprentice
9/6/2013 | 5:32:42 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
I think Adam Myers needs to have a little outside influence to learn how this works. At the end of the day these are phishing attacks. Mobile apps? If people knew how insecure these things are or what information they send to companies they wouldn't use them.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?