Security Alert: Syrian Electronic Army - Response to Western Intervention in Syrian Civil War
In light of the recent news about additional chemical weapons attacks on the Syrian populace - allegedly performed by Bashar al-Assad’s Baathist regime - tensions in the Middle East and around the world are heightened and the U.S. is considering a potential retaliatory response. It is assessed with high confidence that a cyber-response will be forthcoming from the Syrian Electronic Army (SEA) and other possible nation-state sponsored groups.
Several news and intelligence agencies have reported that the Assad regime launched a chemical weapons attack on the suburbs outside of Damascus last week. According to U.K. Prime Minister David Cameron, U.K. intelligence reports that the Syrian government has used chemical weapons on at least 14 previous occasions. It appears that any kind of Western intervention in Syria would resemble the support given to Libyan resistance forces in 2011, which consisted of material support, an implemented no-fly zone and strategic air support. Main targets for air or missile strikes could be Air Defense systems and Command and Control (C2) systems. If Western allies respond in this manner, the Syrian regime will have limited capabilities for retaliation, outside of attacks on U.S. ally Israel. Outside of a Syrian response, Iranian officials have vowed to respond in kind towards Israel and other U.S. and/or Western interests in the area.
Syrian Electronic Army: Background
The SEA was first seen in April 2011 on the social networking site Facebook and launched its website in May of that year, stating that it had no official ties with the Syrian government. A report by the Information Warfare Monitor lends credibility to this statement. If there are no official ties to the al-Assad regime, the SEA can be categorized as a “hacktivist” organization. However, al-Assad has publicly praised the efforts of the SEA.
Syrian Electronic Army: Activities
At its inception, the SEA focused on website defacement attacks against Western targets and spamming campaigns with pro-regime propaganda. Most recently, the SEA has taken responsibility for hijacking the websites of both The New York Times and The Washington Post. Other notable attacks attributed to the SEA recently include:
- 23 April 2013: The SEA hijacked the Associated Press Twitter account and falsely claimed the White House had been bombed and President Barack Obama injured.
- May 2013: The Twitter account of The Onion was compromised by the SEA by phishing Google Apps accounts of The Onion's employees.
- 24 May 2013: The ITV News London Twitter account was hacked by the SEA. The Android applications of British broadcaster Sky News were also hacked on 26 May 2013 via the Google Play Store.
- 17 July 2013: Truecaller servers were allegedly hacked into by the SEA. On its Twitter handle, the group claimed to have recovered 459 GiBs of database data by exploiting an older version of WordPress installed on the servers. The hackers also released Truecaller's alleged database host ID, username and password via another tweet.
- 23 July 2013: The SEA allegedly hacked into Viber servers. The Viber support website was replaced with a message and a supposed screenshot of data that was obtained during the intrusion.
- 15 August 2013: Advertising service Outbrain was hacked by the SEA via a spearphishing attack. This allowed them to place redirects into the websites of The Washington Post, Time and CNN.
- 27 August 2013: NYTimes.com had its DNS redirected to a page that displayed the message "Hacked by SEA," and Twitter's domain registrar was changed.
- 28 August 2013: Twitter had its DNS registration hacked to show the SEA as its Admin and Tech contacts. Some users reported that the site's CSS had been compromised.
- 02 September 2013: The official site for the U.S. Marines was hacked to display Facebook photos of military members holding signs against military action in Syria.
Since its early days of website defacement, the SEA has used phishing attacks against its victims to obtain account credentials and hijack websites. For the latest round of attacks against The New York Times, Twitter and others, they have reportedly used vulnerabilities in DNS to re-route internet traffic to SEA-controlled sites.
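The registration-level changes listed above (DNS redirected, Admin and Tech contacts replaced) can be detected by comparing each fresh lookup against a known-good baseline. The following is an added example, not part of the original FishNet Security alert; the field names, domain names and sample records are assumptions constructed for illustration, and collecting the observed snapshot (WHOIS/RDAP and resolver queries) happens outside the block.

```python
# Added example: compare a trusted DNS/registration baseline with a fresh lookup.
CONTROL_PLANE = ("registrar", "nameservers", "admin_contact", "tech_contact")
DATA_PLANE = ("a_records",)


def _norm(value):
    """Lower-case, drop trailing dots, return a frozenset for comparison."""
    items = [value] if isinstance(value, str) else list(value)
    return frozenset(v.strip().rstrip(".").lower() for v in items)


def diff_domain(baseline, observed):
    """Return (severity, field, expected, seen) for every field that differs."""
    findings = []
    for severity, fields in (("critical", CONTROL_PLANE), ("high", DATA_PLANE)):
        for field in fields:
            expected = _norm(baseline[field])
            if not observed.get(field):
                # A failed lookup is reported, never treated as "no change".
                findings.append(("unknown", field, sorted(expected), None))
                continue
            seen = _norm(observed[field])
            if seen != expected:
                findings.append((severity, field, sorted(expected), sorted(seen)))
    return findings


# Constructed sample data: placeholder names and RFC 5737 documentation addresses.
BASELINE = {
    "registrar": "Example Registrar LLC",
    "nameservers": ["ns1.news.example", "ns2.news.example"],
    "admin_contact": "hostmaster@news.example",
    "tech_contact": "hostmaster@news.example",
    "a_records": ["192.0.2.10", "192.0.2.11"],
}
OBSERVED_CLEAN = {**BASELINE, "nameservers": ["NS2.news.example.", "ns1.news.example."]}
OBSERVED_HIJACK = {
    "registrar": "Example Registrar LLC",
    "nameservers": ["ns1.unknown-host.example", "ns2.unknown-host.example"],
    "admin_contact": "someone-else@mail.example",
    "tech_contact": "someone-else@mail.example",
    "a_records": ["203.0.113.77"],
}

if __name__ == "__main__":
    for sev, field, exp, seen in diff_domain(BASELINE, OBSERVED_HIJACK):
        print(f"[{sev}] {field}: expected {exp}, saw {seen}")
```

Name-server and contact changes are rated above address changes because they only occur when the registrar account or the registry record itself has been altered.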
Syrian Electronic Army: Indicators
FishNet Security, Inc. recommends that security professionals implement monitoring or blocking of the following known historic indicators for the SEA:
Allegiance with Iran:
Iran has historically backed several anti-West groups, most notably Palestinian and Lebanese terrorist organizations. Additionally, financial and material support of groups actively engaged in combat against the U.S. has been seen, both in Iraq and Afghanistan. This support, specifically in Iraq, was seen in the use of advanced improvised explosive devices (IEDs), such as explosively formed projectiles (EFP).
We assess with moderate confidence that, if the U.S. or Western allies were to intervene militarily, the response from the SEA would be assisted by cyber-attacks against Western targets from Iran. However, it is assessed with high confidence that the SEA and computer network operations teams in Iran will not be working in conjunction.
Syrian Electronic Army Targets:
Based on historical attack patterns that have been analyzed since the founding of the SEA, organizations that should be on alert include those in the media, regardless of the size of the organization, and financial and industrial institutions. We assess with moderate confidence that the SEA does not have the skills or capabilities to actively or successfully compromise U.S. critical infrastructure, but we cannot assess the current capabilities of Iranian forces.
Organizations in the above categories should enhance their security posture in the event of U.S. or Western intervention in the Syrian conflict through user awareness and training related to phishing and spamming attacks. Additionally, information technology sections in these organizations should perform vulnerability assessments on public facing websites to prevent and/or combat website defacement, SQL injection and cross-site scripting (XSS) attacks.
FishNet Security assesses with high confidence that the SEA will continue to target media outlets that report on the current situation in Syria, especially in the near term as the U.S. administration debates its involvement in the ongoing conflict.
Information contained in this report was collected by means of open source research. The report does not utilize actual U.S. Government intelligence data and does not report actual knowledge of any courses of action already undertaken or planned by the United States or the United Kingdom. The information was gathered and analyzed with the intent of developing preventative measures should events such as those described in the report actually occur. FishNet Security, Inc. is not connected with any government organization and is not charged with the safekeeping of any government classified information. The analysis contained within this report along with its conclusions and recommendations are solely those of the authors.
FishNet Security’s Global Threat Intelligence Center
FishNet Security’s Global Threat Intelligence Center (gTIC) is a team of researchers, analysts and engineers focused on providing you with actionable intelligence you can use to stay protected from the latest security threats. Our goal is to assist our clients’ organizations in combating the latest threats and attacks more efficiently and to provide guidance on the potential threats of tomorrow.
- World must act to stop Syria's chemical weapons use, Cameron says. CNN: http://www.cnn.com/2013/08/29/world/europe/syria-civil-war/index.html
- Iran commander: US strike on Syria will mean the 'imminent destruction' of Israel: http://www.jpost.com/Middle-East/Iran-commander-US-strike-on-Syria-will-mean-the-imminent-destruction-of-Israel-324680
- Speech by Bashar al-Assad: http://www.al-bab.com/arab/docs/syria/bashar_assad_speech_110620.htm
- Syrian group cited as New York Times outage continues: http://www.cnn.com/2013/08/27/tech/web/new-york-times-website-attack/index.html?iref=mpstoryview
- How the Syrian Electronic Army took out the New York Times and Twitter sites: http://www.zdnet.com/how-the-syrian-electronic-army-took-out-the-new-york-times-and-twitter-sites-7000019989/
- Iran’s Support for Terrorism in the Middle East: http://www.brookings.edu/research/testimony/2012/07/25-iran-terrorism-byman
- U.S. blames Iran for new bombs in Iraq: http://usatoday30.usatoday.com/news/world/iraq/2007-01-30-ied-iran_x.htm