Recent string of high-profile website and Twitter takedowns leads some security professionals to question whether hackers are getting help from Iran.

Mathew J. Schwartz, Contributor

September 6, 2013

4 Min Read

The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army: 9 Things We Know

(click image for larger view)
The Syrian Electronic Army: 9 Things We Know

The FBI Cyber Division has issued an alert to media outlets to beware compromise by the Syrian Electronic Army (SEA), and urged them to report any suspicious network traffic or behavior to the bureau.

The advisory recaps how the "pro-regime hacker group that emerged during Syrian anti-government protests in 2011 [...] has been compromising high-profile media outlets in an effort to spread pro-regime propaganda."

"The SEA's primary capabilities include spear-phishing, Web defacements, and hijacking social media accounts to spread propaganda," read the advisory. "Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets."

The alert was issued following the SEA's large disruption of The New York Times website and smaller outages at Twitter and The Huffington Post U.K. That built on a string of previous defacements, including the Twitter accounts for Associated Press, BBC and Reuters, as well as Gmail accounts used by the White House media team.

[ Are recent hacks just the beginning of an escalation in cyber-warfare? Read NY Times Caught In Syrian Hacker Attack. ]

Many of those takedowns were accomplished using cheap-and-easy spear-phishing attacks, often designed to separate victims from their Google login information, which the hackers then use to seize control of Twitter feeds and send further phishing emails.

In the wake of the FBI's recent advisory, the SEA doesn't appear to be running scared. In fact, the group Friday tweeted a link to the advisory from one of its Twitter accounts.

Bravado aside, the SEA's increasingly big -- and sophisticated -- takedowns have lead some security experts to ask if the group isn't getting outside help. ''I don't think it would be unreasonable to suspect someone more skilled is helping them out,'' Adam Myers, vice president of intelligence for security firm CrowdStrike, told The Sydney Morning Herald in Australia. Notably, the group appears to have graduated from mere Twitter account takeovers to stealing details on users of video and voice app Tango, as well as the Times and Twitter takedowns, which involved exploiting a never-before-seen DNS registry.

"They've been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers,'' said CrowdStrike's Myers. ''I think the likely candidate would be Iran.''

Other information security professionals have also noticed the SEA's increasing skills. "They exposed some world-class exposures in some world-class environments," Carl Herberger, VP of security solutions for Radware, said in a recent phone interview. "To take down The New York Times website? Pretty impressive. To expose some security problems in Twitter, even if the rest of the world didn't know they were there? Very impressive."

Has that lead to a more concerted effort by the FBI to identify and arrest the SEA's members? No doubt the bureau is working overtime to do so. But some recent press reports have sensationalized those efforts, given that the FBI has remained mum on any related investigations. For example, International Business Times reported Thursday that the FBI's advisory said that "anyone found to be aiding the SEA will be seen as terrorists actively aiding attacks against the U.S. websites." In fact, the FBI's advisory made no such claims.

Russia Today, which has an editorial slant that strongly favors the policies of President Vladimir Putin, claimed Friday that the FBI had added the SEA "to its list of wanted criminals." In reality, however, neither the SEA nor its members feature on the bureau's list of most-wanted cybercriminals.

If the bureau has identified the hackers involved in the SEA, however, the suspects should watch where they travel. Earlier this week, for example, Russia issued a travel advisory warning Russians accused of cybercrimes to beware international travel, reported Wired. The notice, issued by Russia's Foreign Ministry, warned citizens to "refrain from traveling abroad, especially to countries that have signed agreements with the U.S. on mutual extradition, if there is reasonable suspicion that U.S. law enforcement agencies" are investigating their activities. That notice was issued in the wake of the June arrest -- based on an Interpol Red Notice -- in the Dominican Republic of Russian Aleksander Panin, an alleged hacker charged in a $5 million online banking heist. Also this year, Russian national Maxim Chuhareva was arrested in Costa Rica as part of the Secret Service's Liberty Reserve crackdown.

Could some elements of the SEA now be operating from Russia? Interestingly, the SEA's servers were relocated to Russia after Network Solutions seized the group's domain names, apparently acting on a Department of Justice request. In retaliation for that embarrassing turn, the self-described teenage leader of the group, known as "Th3 Pr0" (pronounced "the pro") hacked AP's Twitter feed, issuing a bogus alert that President Obama had been injured in a bomb blast. The tweet temporarily erased $200 billion in value from the U.S. stock market.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights