Inside the Syrian Electronic Army

How a group of pro-Assad hackers tricked major news outlets. Here's what you can do to stop them.

May 25, 2018 5:00 am
Logo of the Syrian Electronic Army (Wikipedia)
Logo of the Syrian Electronic Army (Wikipedia)

In April 2013 the world was momentarily stunned to read a tweet from The Associated Press that said an explosion had occurred at the White House and that then-President Barack Obama was injured. Amid the confusion that followed, the stock market was shaken enough to take a tumble.

But none of it was true. The AP’s Twitter account had been hijacked by an organization calling itself the Syrian Electronic Army, a group of pro-Assad regime hackers who the U.S. says embarked on an online vandalism campaign starting in 2011 that targeted several major news outlets, educational institutions, the U.S. Marines, the White House itself and “scores” of others, including, of all things, the satirical news website The Onion. When successful, for a brief time the hackers were able to deface or otherwise disrupt the websites of several of their targets.

A few months after the AP tweet, I interviewed by email a purported member of the group who called himself SEA The Shadow. He said SEA was punishing news outlets who lied about what was going on in the Syrian civil war and then threatened more destructive cyberattacks targeting the U.S. economy, should the U.S. launch airstrikes there.

This two-picture combo of wanted posters provided by the FBI shows Ahmed al-Agha, left, and Firas Dardar. The Justice Department has indicted current or former members of the Syrian Electronic Army for computer hacking-related conspiracies. Prosecutors allege that 22-year-old Agha and 27-year-old Dardar used spear-phishing to steal usernames and passwords to compromise government, media, and private-sector computer systems. (FBI via AP)

Five years later court documents, including an indictment filed just last week against The Shadow — real name Firas Dardar — and an alleged co-conspirator, show that the SEA was likely full of bluster about its membership (supposedly in the “thousands”) and ultimate capabilities in cyberspace. But the group was repeatedly successful in weaseling their way into several high-profile non-governmental organizations using basic cyberattack techniques.

“The methodology they used wasn’t sophisticated at all,” Tyler Cohen Wood, a former senior official in cyber operations at the Defense Intelligence Agency, told RealClearLife, “but because they were successful. You may have to say that they were somewhat sophisticated.”

Here’s how it all worked, and how you can protect yourself from similar tactics:

A ‘Low-Level’ Tactic, But a Wide Net

As Wood said, the methods used by SEA were not very sophisticated. Their basic tactic was what’s known as spearphishing: crafting an email catered to a specific target individual in order to trick them into clicking on a malicious link or downloading malicious code.

In SEA’s case, they often fooled their targets into heading to a website that looked legitimate, but was actually controlled by the hacking group. There, the target would be asked to enter their username and password to an email or social media account, which would be duly recorded by SEA. From there it was only a matter of SEA logging into the accounts with the usernames and passwords that were just given to them.

“They didn’t try to take really difficult routes or methodologies or zero-day exploits. They just … targeted human desire to trust,” Wood said. A zero-day exploit is a hole in a system that is unknown to the owners and users of that system, meaning it’s especially rare and valuable to anyone who wants to secretly crack a system.

News outlets and journalists covering cybersecurity — this one included — tend to focus on the “sexier” cyberattacks, like those that use zero-days, exotic techniques or absurdly complex nation-state operations like Stuxnet. But Wood said it’s the “low-level” attacks that are the most prevalent and generally the most effective. (Spearphishing is reportedly what allowed hackers to steal the emails of Hillary Clinton campaign manager John Podesta.)

The trick may not work on one employee, but as Wood said, SEA “cast out a broad net.” Court documents allege SEA sent spearphishing emails to scores of employees at various news outlets and other organizations, needing only one to fall for their ruse to likely get the passwords, or see the emails, they needed.

“What’s that saying? Even a blind squirrel finds a nut every once in a while?” Wood said.

The Leap-Frogging Method

If a hacker isn’t able to directly get to the true target of an attack, they could employ, like SEA allegedly did, a leap-frogging tactic. This is where a hacker steals the credentials of a colleague or friend of the target, then logs into their system and sends an email from that account with a dangerous link. The email, of course, will look legitimate as it came from a real sender’s account.

This is how the AP got burned. Court documents say that SEA compromised an email account at the United Nations Human Rights Council and used it to contact AP employees.

“The ruse caused at least on AP employee to click on the malicious link in the email and enter his or her login credentials for the AP server into an SEA-controlled website,” the indictment says.

From there, SEA was able to nab the Twitter account password and momentarily terrify a nation.

How Not to Be Spearphished: What You Can Do

The first line of defense against a spearphishing attack are the technical cyber security tools that an organization or email service may put in place designed to filter out a bogus email before the user ever sees it.

SEA attempted to target the White House and NASA in their spearphishing campaign, but technical tools and vigilance by computer users kept them out, court documents say.

But if some get through, Wood said there are a few quick things a user can do to do a light forensic check themselves. First, if a link is in an email, users can hover over it (but do NOT click on it) and a preview of the destination URL should pop up somewhere in the browser. That will let the user see where the link is going and make sure it’s headed where it says it is.

Also, take a close look at the sender’s email address. Cyberattackers will often forge a legitimate sender’s address by subtly replacing a character, a “1” for an “l” for instance, to impersonate them.

Finally, and most importantly, trust your gut. If the word choice or grammar in the note looks off, or not in keeping with what you know about the sender, call the sender up and double check directly. This is especially important if the hacker is using the leap-frogging method and everything else appears to check out.

“It’s a combination of really knowing some of those sorts of tips and tricks,” Wood said. “You don’t have to be completely paranoid, but if something looks out of whack and it looks weird, it is.”

Click here to read some more tips to protect against spearphishing from the FBI.

Lee Ferran is an Emmy Award-winning investigative journalist and the founder of Code and Dagger, a foreign affairs and national security news website.

The InsideHook Newsletter.

News, advice and insights for the most interesting person in the room.