Understanding the Syrian Electronic Army (SEA)

After successfully hacking NPR, CBS and the Associated Press, people want to know more about the Syrian Electronic Army. Are they real? How can anyone cause the Dow to drop 150 points with a single tweet?

The Syrian Electronic Army (SEA) is a team of hacktivists based in Syria that claims to operate independently in support of Syrian President Bashar al-Assad.

According to the SEA website, Syrians loyal to President Assad founded the SEA in 2011 during the Arab Spring. Since inception, the SEA has waged a campaign with two operational elements. First, they have attacked opponents of President Assad. Second, they have hacked regional and global news media outlets and various social media accounts to distribute propaganda in the form of false news stories that support President Assad.

The stated mission of the SEA is to unleash an onslaught of pro-government propaganda in support of the Assad regime. The SEA claims to support the cause of the Syrian people by promoting their views over what it calls the “western media that are broadcasting fabricated and false news about what is happening in Syria.” President Assad has publicly supported the group’s efforts, stating that they are a “real army in a virtual reality.”

Recently, the SEA has been touted in underground circles as one of the top 10 most skilled hacking teams in the world. Tactics commonly used by the group include phishing, website hacking, and compromising Facebook and Twitter accounts. Harvard University, a victim of the SEA, stated that a “sophisticated individual or group” is behind the attacks of the SEA.

The SEA has hacked soft targets both in their region and abroad, primarily defacing web sites. The organization has also hacked social media accounts, mostly belonging to news media organizations, and used these accounts to spread their pro-Assad messages and misinformation. Beyond leveraging social media, this group has uniquely created its own Android app for members. The group also spreads malware and distributes DDoS attack tools.

In many cases, the SEA carries out their attacks in a manner that is difficult to detect. Research data show that the average breach goes undetected for 243 days and that 63% of breaches are discovered by third parties. During the time that a breach of a news organization goes undetected, the false stories can be picked up by other news organizations, further spreading misinformation.

Web Presence

The SEA has a significant web presence. The group uses their website to coordinate group membership and report on operations that have been carried out. The SEA runs two leak sites where they dump information from various hacks. One is included on their primary website and the second, separate site discloses leaks related to Qatar. The primary leak site was launched January 23, 2013.

The main SEA website is used to publish articles about SEA operations and leak stolen information. The organization’s Twitter posts often link back to this site. There are Arabic and English language versions of the site. The domains syrian-es.com, syrian-es.org, and syrian-es.net all pointed to this site until April 11, 2013, when the site became unreachable via these domain names. The SEA announced on Twitter that Network Solutions had disabled the domains and that the site was not hacked. They announced a new domain (syrianelectronicarmy.com) that now points to the website.

Figure 1 Official_SEA Statement On Website Issue

This new domain was registered on February 24, 2013 with Name.com. The new domain resolves to the same IP address as the prior domains. The leak domain qatar-leaks.com is registered with the same registrar.

Figure 2 Syrian-es.org Domain Registration 4/11/13

Current domain registration information for syrian-es.com, syrian-es.org, and syrian-es.net shows that the current registrant is OFAC Holding. OFAC is the Treasury Department's Office of Foreign Assets Control, under its Office of Terrorism and Financial Intelligence.

The SEA site was taken down because the U.S. Government seized their domains. On April 16, 2013 the SEA tweeted a link to an article on the seizure; ironically, the link is broken because it points to the old domain.

Figure 3 SEA Website Tweet about Domain Seizure

Figure 4 shows the SEA's posting stating that the domains were seized by the U.S. Government due to sanctions against Syria.

Figure 4 SEA Article on Domain Seizure

Android Application

The SEA has created an Android application for their members. The application is simply a viewer for the stories the SEA posts on their website. There are no Arabic/English language options for the application. The application itself is in English, but the articles are in Arabic. It functions as little more than its own RSS reader.

Figure 5 SEA Android App

As with all applications from a source such as this, HPSR recommends organizations block this application. The application is not available in the Google Play Store and must be downloaded from http://www.mediafire.com/?bwcpeov5uivzhxl. The SEA Android application was hard coded to point to the syrian-es.org domain and has not been updated to point to the new domain syrianelectronicarmy.com. As of April 17, 2013 the application is broken due to this domain change.

Social Media Presence

Similar to many other hacktivist groups, the SEA has widely leveraged social media to communicate with members as well as the general public. The primary communication channel for the SEA has been Twitter. Many of their tweets are related to postings on their website regarding completed operations.

The Syrian government reportedly tasked the SEA with a surveillance campaign targeting the Facebook pages of dissidents. This monitoring reportedly resulted in the arrests of those in opposition to Assad by the Syrian government.

The SEA Twitter account, @Official_SEA, has more than 10,000 followers. As the SEA has increased their activity, their Twitter account activity and followers have both increased accordingly.

Figure 6 @Official_SEA Twitter Mentions 1/1/11 to 3/27/13

Social Media Accounts

The SEA maintains an online presence at these sites:

https://twitter.com/Official_SEA6 - The SEA Twitter account has been shut down by Twitter several times. To date the standard practice has been for the SEA to increment the end number by one each time a new account is created.

https://twitter.com/SEA_Leaks - Leaks are published here.

https://www.youtube.com/syrianes0

https://www.youtube.com/syrianes1

https://www.facebook.com/SEA.P.204 - The SEA Facebook page is shut down by Facebook on a regular basis. To date the standard practice has been for the SEA to increment the end number by one each time a new page is created. The latest page received over 8,000 likes within a week of creation.

http://instagram.com/official_sea

http://twicsy.com/u/Official_SEA

High Profile Events

The following is a list of high-profile events attributed to the SEA:

     UCLA website defaced, July 2011

     AnonPlus website defaced, August 2011

     Harvard website defaced by Th3 Pro, September 2011

     Al Arabiya Facebook page hacked by Th3 Pro, March 26, 2012

     LinkedIn blog hacked, April 26, 2012

     21 American websites defaced by Syrian Wolf:

        http://123mortgageadvice.org/

        http://123acne-blog.net/

        http://1datinginfo.net/

        http://1fitness-blog.net/

        http://babysitting-blog.org/

        http://bettingfreetricks.com/

        http://breastenlargementinfo.net/

        http://carloanadvice.org/

        http://cashmoneyblackjack.com/

        http://cellulite-guide.org/

        http://cigars-blog.net/

        http://creditrepair-guide.com/

        http://creditrepair-guide.org/

        http://debtconsolidation-guide.net

        http://danddbroadcasting.com/

        http://detox-blog.com/

        http://earnprofitsguide.com/

        http://easycashonlineroulette.com/

        http://femalelibido-guide.org/

        http://gamblingforrealcash.com/

        http://genitalwartsblog.net/

     Reuters Twitter account hacked, August 5, 2012

     Al-Jazeera English website defaced, January 29, 2013

     Sky News Arabia Twitter account hacked, February 7, 2013

     Sky News Arabia Facebook page hacked, February 9, 2013

     Sky News Arabia email and password leaked, February 12, 2013

     Al-Jazeera email leaked by Th3 Pro, February 24, 2013

     Qatar Foundation Facebook and Twitter accounts hacked, March 1, 2013

     France24 Twitter account and website hacked, March 5, 2013

     Qatar Foreign Ministry document leaked, March 13, 2013

     Deutsche Welle Arabic Twitter account hacked, March 15, 2013

     Human Rights Watch website and Twitter account hacked, March 17, 2013

     BBC Weather and Arabic Twitter accounts hacked, March 21, 2013

     NPR websites and Twitter accounts hacked, April 15, 2013

     CBS @60Minutes, @48Hours, and @CBSDenver Twitter accounts hacked, April 20, 2013

     FIFA Twitter accounts hacked, April 22, 2013

     Associated Press @AP and @AP_mobile Twitter accounts hacked, April 23, 2013

The SEA has been very active in 2013. Some of the most recent attacks are discussed below:

BBC Twitter Accounts Compromised

     @BBCWeather

     @BBCArabicOnline

     @BBCRadioUlster

The SEA made this statement to explain its motivations for the attack: “The Syrian Electronic Army Hacked Today BBC Network accounts on Twitter. And that came in response to what BBC practiced of lies and fabrication of news and in addition to the bias to the bloody opposition.” The SEA claims to have published correct information on the compromised Twitter accounts rather than misinformation.

In the weeks following the BBC Twitter hack, the SEA also took over the Twitter accounts for NPR, CBS, and the Associated Press.

Tweets sent from @60Minutes (owned by CBS) after being taken over by the SEA include:

     "The US government is sponsoring a coup in Venezuela and a terrorist war in Syria"

     "Obama wants to destroy the Syrian and American people. We must stop this beast"

Tweets sent from @AP after being taken over by the SEA include:

     “Breaking: Two Explosions in the White House and Barack Obama is injured.”

The Associated Press Twitter accounts were locked down and then shut down temporarily.

Figure 7 Associated Press Twitter Hack

Each of these tweets was misinformation. The impact of the @AP tweet in particular was felt in real life. The US stock markets saw a drop on the false news of a White House bombing, with the Dow Jones Industrial Average dropping 150 points. CNBC reported the sudden drop.

Figure 8 Dow Jones Industrial Average Impact from Tweet

The Associated Press reported that the Twitter account breach was preceded by phishing attacks. AP reporter Mike Baker tweeted shortly after the @AP Twitter account was suspended, explaining that he and other journalists had been targeted with phishing attacks.

Tactics

The SEA is somewhat unique because of the combination of tactics used in support of their pro-Assad agenda. Past actions by the SEA have leveraged the following techniques:

Fake Social Media Sites

The SEA has set up fake Facebook and YouTube sites in an attempt to collect login credentials and spread malware. When an account has been compromised, it is used to collect information on the user and to distribute pro-Assad messages. For Syrians participating in anti-Assad protest movements this can be dangerous, as it has been alleged that the SEA turns information on these individuals over to the government.
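One defensive check that follows from this tactic, added here as an example and not code from the original post or from HPSR: a small Python triage routine that classifies the hostname of a login link before a user or a help desk trusts it. It flags a bare IP address, a trusted brand name buried in a subdomain or in the user-info part before an "@", a brand spelled with digit or symbol lookalikes, and non-ASCII or punycode labels. The TRUSTED_DOMAINS allowlist and every sample URL are constructed for the example, and the registrable-domain logic keeps only the last two labels, which is adequate for .com-style names but not for country-code second-level domains such as co.uk.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of domains users are expected to log in to
# (hypothetical configuration, not from the original post).
TRUSTED_DOMAINS = {"facebook.com", "youtube.com", "twitter.com"}

# Digits and symbols commonly substituted for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "@": "a", "|": "l"})


def registrable_domain(host):
    """Last two labels of a hostname, e.g. www.facebook.com -> facebook.com.
    Assumption: two-label suffixes such as co.uk are out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label):
    """Fold Unicode to ASCII, map confusable characters, drop hyphens."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES).replace("-", "")


def classify_login_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'untrusted'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "untrusted", "no hostname in URL"
    try:
        ipaddress.ip_address(host)
        return "untrusted", "bare IP address instead of a domain name"
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "untrusted", "trusted domain requested without HTTPS"
        return "trusted", reg
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "lookalike", "non-ASCII or punycode label in hostname"
    userinfo = (parts.username or "").lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name placed in a subdomain or before '@' so the address bar looks
        # familiar, e.g. facebook.com.login-example.net or facebook.com@evil.example.net
        if any(brand in label for label in labels[:-2]) or brand in userinfo:
            return "lookalike", f"'{brand}' appears outside the registrable domain {reg}"
        # Brand spelled with confusables or an inserted hyphen, e.g. faceb00k.com
        if len(labels) >= 2 and normalize_label(labels[-2]) == brand:
            return "lookalike", f"{reg} imitates {trusted}"
    return "untrusted", f"{reg} is not an approved login domain"


def triage(urls):
    """Classify a batch of links; returns a list of (url, verdict, reason)."""
    return [(url, *classify_login_url(url)) for url in urls]


# Constructed sample links of the kind found in a credential-harvesting message.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com/login",
    "https://faceb00k.com/login",
    "https://facebook.com.login-example.net/",
    "http://facebook.com@evil.example.net/",
    "http://192.0.2.10/login",
    "https://xn--fcebook-abc.com/",
]

if __name__ == "__main__":
    for url, verdict, reason in triage(SAMPLE_LINKS):
        print(f"{verdict:10} {url}  ({reason})")
```

A "lookalike" verdict is the interesting one for an incident responder: it is the class of link that an account holder is most likely to click, and a small set of such rules catches the crude substitutions used in mass credential harvesting without any external service.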

 

Targeted Malware Attacks

The SEA carried out targeted attacks during summer 2012 that used Skype to distribute the DarkComet RAT to the Syrian opposition. The malware masqueraded as a Skype encryption application. This tool was used to track the IP address, location, and personal information of dissidents. The information collected on a dissident was then sent to an IP address located in Damascus, Syria, owned by the Syrian Telecommunications Establishment (216.6.0.28). A website hosted at the same IP address also served a tool called AntiHacker, purported to be a tool for the opposition to defend against hackers, but which was in fact DarkComet. The EFF reported that during the Syrian Internet shutdown in November 2012, this IP address was one of the few still reachable in the Syrian IP address space. This IP address no longer appears to be hosting this malware. PDF files that appear to be lists of opposition members have also been distributed, but they too actually installed the malware in the background. Once the creator of DarkComet learned of its use by the Syrian government, development and the distribution sites were shut down.

Blackshades Remote Controller, a commercial tool, has also been used by the SEA. Similar to the fake social media sites, these tools are used to collect information on the individual by accessing the user’s local PC.

DDoS Attacks

The first SEA Facebook pages made software available to members that can be used to launch distributed denial-of-service (DDoS) attacks. One such example is “Bunder F**ker 1.0”, a tool that the SEA created and distributed that targeted the following sites:

     Al-Jazeera www.aljazeera.net

     BBC www.bbc.co.uk

     Orient News www.orient-tv.net

     Al Arabia www.alarabiya.net

DDoS attacks have only been used by the SEA in a limited capacity. This is likely because they are not protesting, as typical hacktivist groups do, but instead are spreading propaganda. When a website is unavailable, even if it is in opposition to the SEA, the SEA’s propaganda cannot be spread.

Defacement Attacks Against Syrian Opposition Websites

The SEA has attacked websites of individuals and organizations who oppose Assad. As Helmi Noman reported, “the SEA has claimed responsibility for hacking the web forum news.syriaforums.net because it spreads fabricated video clips of anti-regime protests in Syria.”

It is believed the SEA uses Havij, an automated SQL injection tool, to compromise websites. SQL injection is the leading attack vector for compromising websites.
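To make the SQL injection point concrete, here is an added example (not code from the original post, from HPSR, or from Havij) of the defect that automated injection tools probe for, beside the parameterised form that removes it. It uses Python's sqlite3 module with a constructed in-memory articles table; the search term is the only untrusted input, and a single quote character in it is enough to rewrite the string-built query's WHERE clause.

```python
import sqlite3


def build_demo_db():
    """In-memory database with constructed sample rows (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public story one", 1), ("Public story two", 1), ("Unpublished draft", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """The defect: the untrusted term is spliced into the SQL text, so quote
    characters in it change the query's logic instead of being searched for."""
    sql = f"SELECT title FROM articles WHERE published = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: the term is bound as a parameter, so the database engine treats
    it purely as data. The wildcard wrapping happens in Python, not in the SQL."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def compare(term):
    """Run both versions on the same input; returns (vulnerable_rows, safe_rows)."""
    conn = build_demo_db()
    try:
        return search_vulnerable(conn, term), search_safe(conn, term)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal search behaves the same either way.
    print(compare("story"))
    # A term containing a quote rewrites the WHERE clause in the string-built
    # version and exposes the unpublished row; the bound version finds nothing,
    # because no title contains that literal text.
    print(compare("' OR published = 0 OR '"))
```

The same principle applies whatever the web language: an automated tool such as the one named above works by sending many variations of the first kind of input and watching for changed or error responses, so the monitoring recommended later in this post should include the rate of quote-bearing or error-producing requests per client, and the fix on the application side is always parameterisation rather than filtering.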

 

Defacement Attacks Against Western Websites

The SEA has targeted Western organizations’ websites and social media accounts, primarily those of news organizations reporting on the protests in Syria against Assad. Other soft targets have also been targeted and their websites were defaced with pro-Assad messages. We believe these soft targets were attacked due to their lack of defense rather than for any related political reason.

Spamming Popular Facebook Pages with Pro-regime Comments

The SEA ran an operation that spammed popular Facebook pages, such as those of President Obama and Oprah Winfrey. The group posted comments with pro-Assad messages and links to other propaganda on the compromised pages.

Hacking Twitter and Facebook Accounts

The SEA has hacked Twitter and Facebook accounts of popular organizations and used them to spread its messages, including links to pro-Assad propaganda. For example, the SEA recently took over two Twitter handles owned by France24 and posted links. There is some evidence that these accounts are taken over as part of phishing attacks.

Leaking of Sensitive Information

The SEA maintains two sites for posting the leaked information collected from hacking into websites and internal systems. These sites were used to leak confidential information from Turkey, Qatar, and Saudi Arabia.

http://leaks.syrianelectronicarmy.com/en/site/index

Figure 9 SEA Leak Website

http://qatar-leaks.com/en/site/about

Figure 10 SEA Leak Website Focused on Qatar

HP Security Research (HPSR) Recommendations

For the SEA’s primary targets, which include media outlets and any group that could support Western values, HPSR recommends the following tactics:

     Monitor corporate Facebook pages for spam comments.

     Monitor Facebook and Twitter accounts for compromise.

     Enforce strong passwords.

     Be particularly vigilant in monitoring for phishing attacks.

     Maintain unique passwords for each social media site. Avoid re-using passwords.

     Monitor your infrastructure for DDoS and SQL injection.

     Monitor your corporate web sites for any out-of-process changes.

     If you live within a region controlled by the Syrian government, take care when using social media sites. Be aware that you may be using a fake site. Double-check the domain and URL for accuracy. If your experience with the site seems abnormal - such as advertisements that appear out of the ordinary or friend lists that look different - avoid posting any information until you can verify that the site is real.
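The "out-of-process changes" recommendation can be put into practice with a small baseline-and-compare job. The following is an added example, not HPSR's or any product's code: it fingerprints each monitored page, lets pages whose content legitimately changes on every load be checked for a fixed marker (such as the site footer) instead of a hash, and treats any change that has no matching change ticket as an alert. The URLs, page bodies and change tickets are constructed; fetching is left to the caller so that the check itself runs offline.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def fingerprint(body):
    """SHA-256 of the raw page body."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(pages):
    """pages: {url: (body_bytes, marker_or_None)}.
    Static pages are pinned by hash; dynamic pages (marker given) are instead
    checked for a fixed string that a defacement would remove, e.g. the footer."""
    return {url: {"sha256": fingerprint(body), "marker": marker}
            for url, (body, marker) in pages.items()}


def change_is_approved(url, approved_changes, now):
    """approved_changes: (url, window_start, window_end) tickets from the change process."""
    return any(u == url and start <= now <= end for u, start, end in approved_changes)


def check_pages(baseline, observed, approved_changes, now):
    """Compare fetched bodies ({url: bytes}) against the baseline.
    Returns a list of (url, status, detail); an empty list means all clear."""
    alerts = []
    for url, record in baseline.items():
        body = observed.get(url)
        if body is None:
            alerts.append((url, "unreachable", "page could not be fetched"))
            continue
        marker = record["marker"]
        if marker is not None:
            if marker.encode() not in body:
                alerts.append((url, "marker-missing", f"expected text {marker!r} not found"))
            continue
        if fingerprint(body) == record["sha256"]:
            continue
        if change_is_approved(url, approved_changes, now):
            alerts.append((url, "approved-change", "changed inside an approved window; re-baseline after review"))
        else:
            alerts.append((url, "unexpected-change", "changed with no matching change ticket"))
    return alerts


# --- constructed sample data (hypothetical site, not from the original post) ---
NOW = datetime(2013, 4, 17, 12, 0, tzinfo=timezone.utc)
FOOTER = "(c) News Example"
BASELINE = build_baseline({
    "https://news.example/": (b"<html>Home page v1 " + FOOTER.encode() + b"</html>", None),
    "https://news.example/about": (b"<html>About us v1</html>", None),
    "https://news.example/live": (b"<html>Ticker 09:00 " + FOOTER.encode() + b"</html>", FOOTER),
})
APPROVED_CHANGES = [
    ("https://news.example/about", NOW - timedelta(hours=1), NOW + timedelta(hours=1)),
]
# A normal poll: only the live ticker changed, and it still carries the footer.
OBSERVED_NORMAL = {
    "https://news.example/": b"<html>Home page v1 " + FOOTER.encode() + b"</html>",
    "https://news.example/about": b"<html>About us v1</html>",
    "https://news.example/live": b"<html>Ticker 12:00 " + FOOTER.encode() + b"</html>",
}
# An incident poll: home page replaced, about page updated under a ticket,
# live page replaced by content that lacks the footer.
OBSERVED_INCIDENT = {
    "https://news.example/": b"<html>replacement content (constructed sample)</html>",
    "https://news.example/about": b"<html>About us v2</html>",
    "https://news.example/live": b"<html>replacement content (constructed sample)</html>",
}

if __name__ == "__main__":
    print(check_pages(BASELINE, OBSERVED_NORMAL, APPROVED_CHANGES, NOW))  # []
    for alert in check_pages(BASELINE, OBSERVED_INCIDENT, APPROVED_CHANGES, NOW):
        print(alert)
```

In practice the poll should fetch through the same path visitors use (CDN and all), run every few minutes, and deliver "unexpected-change" and "marker-missing" alerts to a channel outside the web team's own publishing systems, since a defacement that also reaches the CMS can otherwise suppress the alarm. Re-baselining only after a reviewed, ticketed change is what turns the hash comparison into the out-of-process check the recommendation asks for.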
