How Did Syria's Hacker Army Suddenly Get So Good?

By Shane Harris

At first glance, they may seem just like pro-Assad thugs and online vandals, commandeering Web sites in the name of their favorite dictator. But the hacker group known as the Syrian Electronic Army is getting more ambitious and sophisticated, say experts who've looked closely at the tactics underlying their attacks. The hackers may even be receiving outside help from more skilled and dangerous groups - or even from governments.

The SEA has been around since 2011, and so far has been known mostly for relatively simple acts of vandalism like Web site defacements. (Most recently, the group grabbed international attention after commandeering the Web sites of the New York Times, the Washington Post, and yesterday the recruitment Web site for the U.S. Marine Corps.) But in the spring of this year, the group started to up its game. It went after bigger targets, like when it hijacked the Twitter feed of the the Associated Press and sent out a false report about a bombing at the White House. But it also hacked into Web based communications services used by Syrian rebels to avoid detection by the regime. The goal presumably wasn't to vandalize those sites, but to gather information about the rebels who were using them.

As the SEA's ambition has grown, so has its skill level. The attack on the New York Times effectively gave the group control of the entire Web site. It was accomplished not by a frontal assault, but by changing information in the Domain Name System databases via a company in Australia. Anyone who tried to visit the Times Web site was redirected to another site under the SEA's control, sporting its logo. Not exactly high-end tradecraft, but not the work of simple vandals, either, which is what the SEA has long been known for.

"The [SEA] apparently uses low-level tactics to compromise websites and Twitter accounts, but they should not be underestimated," says Helmi Noman, the senior researcher at  Citizen Lab, a research group at the University of Toronto that studies hacker networks. "They should not be evaluated based on their level of sophistication, but rather on the potential damage they can cause with unauthorized access to websites."

So how did the SEA get better in only a few months?

"I don't think it would be unreasonable to suspect someone more skilled is helping them out," says Adam Myers, the Vice President of Intelligence for CrowdStrike, a computer security company. In the attacks on the Times, Twitter, and communications services such as Tango, a popular video and text messaging applications, and Viber, which lets users make free phone calls via the Internet,the SEA got access to accounts as well as to other data in the companies' systems.

"That would indicate that they're been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers," Myers says. "I think the likely candidates would be Iran."

If Iranian forces have joined forces with the SEA, that could be a problem for the United States. Iranian hackers have already demonstrated their prowess, and they don't limit themselves to single Web site attacks and propaganda campaigns. Last year, an operation that erased data on tens of thousands of computers at the oil company Saudi Aramco, as well as a massive denial of service attack on the Web sites of U.S. banks, which were both attributed to Iran, sent waves of panic throughout U.S. intelligence and law enforcement agencies.

What's known about the SEA's members has come in large part from journalists, as well as other hackers. Last week, the hacker group Anonymous, probably the best known in the world, released information it stole from an SEA server. The Anonymous intrusion helped to confirm some details about how the group works; for instance, it is apparently not officially alligned with the Assad regime, but is comprised of supporters who may receive some backing from the government. But Anonymous also showed that the SEA is not impervious. The hacker collective claimed to release informaiton about the SEA's core members, including their personal e-mails and passwords for their accounts. The SEA claims their systems were never breached, and that reports identifying their members are erroneous. 

Regardless of who is running the SEA, officials in the United States are preparing for a retaliatory strike in cyberspace by forces allied with the Syrian regime. In anticipation of those strikes, the FBI is more closely monitoring Syrians inside the United States and is warning companies and government agencies to brace for possible cyber strikes. U.S. intelligence agencies are also monitoring potential Syrian cyber attacks and keeping lawmakers informed, according to a congressional staffer.

Would the SEA be the likely group to carry out those attacks? Possibly. But they're not the only force available.

Syria has become a digital battlefield for a range of malicious actors, including pro-regime spies and propagandists, says Rafal Rohozinski, the CEO of SecDev Group, which monitors communications activity in Syria. The SEA has not made any great technological leaps or advances in tradecraft, he argues, but they have become more "deliberative and strategic" in how they work. They're taking the time to select more valuable targets that will give them the  most bang for their buck.

And in that sense, the SEA's evolution reflects the broader hacker landscape. In June, Citizen Lab published a report on two operations conducted by what it called "pro-government electronic actors," which were narrowly targeted to trick opposition members into installing spyware on their computers. Unlike the SEA's high-profile, public Web site defacements, these attacks were designed to go unnoticed.

In one operation, the group sent electronic messages to rebels posing as someone they knew or were likely to know. These messages encouraging victims to download a communications technology called Freegate which was designed to help dissidents circumvent state surveillance agencies. The program was actually a piece of malware that lets the intruder monitor what the infected user is typing on his computer, and also to read and remove his files. In other words, pro-Assad hackers used the fear of Assad's spies to start snooping on dissidents. Clever.

In the second operation, victims were sent messages encouraging them to click on a link to a sermon by a pro-opposition cleric. When they did so, it activated a program that effectively put the user's computer under the hacker's control.

This kind of targeted, tailored hacking was useful for gathering intelligence on the location of rebels and their allies, and then killing or capturing them, Rohozinski says. The attacks have fallen off in recent months, he added, as the intensity of the physical fight in Syria has increased. Perhaps the regime doesn't need to spy on rebels when it can kill them with poison gas.

If there is a retaliatory cyber strike against the United States -- and experts sound increasingly convinced there will be one -- it could come from any number of sources, inside or outside the country. The SEA may be the most well-known of the Syrian hacker armies, but maybe not for long.