
FBI Warns Of Syrian Electronic Army Hacking Threat

Recent string of high-profile website and Twitter takedowns leads some security professionals to question whether hackers are getting help from Iran.

[Image: The Syrian Electronic Army: 9 Things We Know]
The FBI Cyber Division has issued an alert warning media outlets to beware of compromise by the Syrian Electronic Army (SEA), and urging them to report any suspicious network traffic or behavior to the bureau.

The advisory recaps how the "pro-regime hacker group that emerged during Syrian anti-government protests in 2011 [...] has been compromising high-profile media outlets in an effort to spread pro-regime propaganda."

"The SEA's primary capabilities include spear-phishing, Web defacements, and hijacking social media accounts to spread propaganda," read the advisory. "Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets."

The alert was issued following the SEA's large disruption of The New York Times website and smaller outages at Twitter and The Huffington Post U.K. That built on a string of previous defacements, including the Twitter accounts for Associated Press, BBC and Reuters, as well as Gmail accounts used by the White House media team.


Many of those takedowns were accomplished using cheap-and-easy spear-phishing attacks, often designed to separate victims from their Google login information, which the hackers then use to seize control of Twitter feeds and send further phishing emails.

In the wake of the FBI's recent advisory, the SEA doesn't appear to be running scared. In fact, the group Friday tweeted a link to the advisory from one of its Twitter accounts.

Bravado aside, the SEA's increasingly big -- and sophisticated -- takedowns have led some security experts to ask whether the group is getting outside help. "I don't think it would be unreasonable to suspect someone more skilled is helping them out," Adam Myers, vice president of intelligence for security firm CrowdStrike, told The Sydney Morning Herald in Australia. Notably, the group appears to have graduated from mere Twitter account takeovers to stealing details on users of the video and voice app Tango, as well as the Times and Twitter takedowns, which involved exploiting a DNS registry in a never-before-seen way.

"They've been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers," said CrowdStrike's Myers. "I think the likely candidate would be Iran."

Other information security professionals have also noticed the SEA's increasing skills. "They exposed some world-class exposures in some world-class environments," Carl Herberger, VP of security solutions for Radware, said in a recent phone interview. "To take down The New York Times website? Pretty impressive. To expose some security problems in Twitter, even if the rest of the world didn't know they were there? Very impressive."

Has that led to a more concerted effort by the FBI to identify and arrest the SEA's members? No doubt the bureau is working overtime to do so. But some recent press reports have sensationalized those efforts, given that the FBI has remained mum on any related investigations. For example, International Business Times reported Thursday that the FBI's advisory said that "anyone found to be aiding the SEA will be seen as terrorists actively aiding attacks against the U.S. websites." In fact, the FBI's advisory made no such claims.

Russia Today, which has an editorial slant that strongly favors the policies of President Vladimir Putin, claimed Friday that the FBI had added the SEA "to its list of wanted criminals." In reality, however, neither the SEA nor its members feature on the bureau's list of most-wanted cybercriminals.

If the bureau has identified the hackers involved in the SEA, however, the suspects should watch where they travel. Earlier this week, for example, Russia issued a travel advisory warning Russians accused of cybercrimes to beware international travel, reported Wired. The notice, issued by Russia's Foreign Ministry, warned citizens to "refrain from traveling abroad, especially to countries that have signed agreements with the U.S. on mutual extradition, if there is reasonable suspicion that U.S. law enforcement agencies" are investigating their activities. That notice was issued in the wake of the June arrest -- based on an Interpol Red Notice -- in the Dominican Republic of Russian Aleksander Panin, an alleged hacker charged in a $5 million online banking heist. Also this year, Russian national Maxim Chuhareva was arrested in Costa Rica as part of the Secret Service's Liberty Reserve crackdown.

Could some elements of the SEA now be operating from Russia? Interestingly, the SEA's servers were relocated to Russia after Network Solutions seized the group's domain names, apparently acting on a Department of Justice request. In retaliation for that embarrassing turn, the self-described teenage leader of the group, known as "Th3 Pr0" (pronounced "the pro"), hacked AP's Twitter feed, issuing a bogus alert that President Obama had been injured in a bomb blast. The tweet temporarily erased $200 billion in value from the U.S. stock market.

Comments
proberts551 (User Rank: Apprentice), 9/9/2013 | 1:35:11 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
The SEA: train your enemies, give them guns and ammo, and educate them in high technology in the United States and other free countries, and this is what we have.
The playing field for war, electronic and otherwise, is being leveled. What countries choose to do with knowledge cannot be controlled once we educate them. The goal for the free world is to be farther ahead of the threat, which is becoming much more difficult.
AndrewS588 (User Rank: Apprentice), 9/9/2013 | 10:07:36 AM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
John Kerry = Vietnam Veterans for the FBI!
Peter King = CIA/MI6
Anonymous = NSA

Do you want to know where the Anti-War movement is?
Here it is! Stop the WAR and political repression in America!
America and OBAMA: One Big WAR Machine!

John Kerry was never in the Anti-War movement; he was a government snitch, an informer for the government.
Michael Endler (User Rank: Apprentice), 9/6/2013 | 10:37:30 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
If Iran and/or Russia (especially) is providing assistance to the SEA, it certainly adds intrigue to all the back-and-forth sniping at the G20 meeting this week.
StevenJ13 (User Rank: Apprentice), 9/6/2013 | 5:32:42 PM
re: FBI Warns Of Syrian Electronic Army Hacking Threat
I think Adam Myers needs to have a little outside influence to learn how this works. At the end of the day these are phishing attacks. Mobile apps? If people knew how insecure these things are or what information they send to companies they wouldn't use them.