
Syrian Electronic Army Hacks Major Communications Websites

The Syrian Electronic Army (SEA) has recently compromised three widely used online communications services, each of which could have serious real-world consequences for Syria’s political opposition.

  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online telephone directory, with over a billion phone numbers in over 100 countries. SEA claimed the attack also gave it access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including true names, phone numbers, email addresses, and personal contacts for millions of accounts. Again the attack vector was a vulnerable version of the WordPress CMS (v3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million people in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was a phishing email that enabled SEA to access two customer support sites. So far the company has stated that no private user information was lost.
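Two of the three intrusions above began with an outdated WordPress install. The following is an added example, not code from the original post or from FireEye, showing the kind of exposure check a defender would run against their own web properties: it pulls the WordPress version from the two standard fingerprints (the `<meta name="generator">` tag and the version line in the bundled `readme.html`) and compares it numerically against a baseline you maintain. The sample HTML, readme text and the `BASELINE` value are constructed placeholders; set the baseline to the release you actually require.

```python
import re

# Standard WordPress fingerprints: the generator meta tag in page HTML and the
# "Version x.y.z" line in the readme.html that ships with every install.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)',
    re.IGNORECASE,
)
README_RE = re.compile(r'Version\s+(\d+(?:\.\d+)*)', re.IGNORECASE)


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so comparisons are numeric ('3.10' > '3.9')."""
    return tuple(int(part) for part in text.strip().split('.'))


def wordpress_version(html, readme=None):
    """Return the fingerprinted WordPress version as a tuple, or None.

    Many themes and security plugins strip the generator tag, so its absence is
    not evidence of a patched site; readme.html is tried as a second source.
    """
    for source, pattern in ((html, GENERATOR_RE), (readme, README_RE)):
        if not source:
            continue
        match = pattern.search(source)
        if match:
            return parse_version(match.group(1))
    return None


def is_outdated(version, baseline):
    """True when the observed version is older than the baseline you require."""
    return version is not None and version < baseline


def assess(html, readme, baseline):
    """Classify a site as 'outdated', 'current', or 'unknown' (no fingerprint found)."""
    version = wordpress_version(html, readme)
    if version is None:
        return "unknown"  # not proof of safety; verify by another route
    return "outdated" if is_outdated(version, baseline) else "current"


# Constructed sample input: a page still advertising the version Tango was running.
SAMPLE_HTML = (
    '<html><head><title>Blog</title>\n'
    '<meta name="generator" content="WordPress 3.2.1" />\n'
    '</head><body>...</body></html>'
)
SAMPLE_README = '<h1 id="logo"><br /> Version 3.2.1</h1>'

# Placeholder baseline (assumption): use the current WordPress release in your environment.
BASELINE = (3, 5, 2)

if __name__ == "__main__":
    print(assess(SAMPLE_HTML, SAMPLE_README, BASELINE))
```

A result of `unknown` should be treated as a gap in inventory rather than a pass: the check only proves what the site admits to, and an attacker who finds the version by another route (plugin paths, script query strings) does not care that the generator tag was removed.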

Impact: why are these SEA attacks important?

  1. SEA, like other “patriotic hacker” groups around the world, is proving that a small group of skilled hackers can be a force on the international stage.
  2. SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries.
  3. Successful attacks on international communications services such as Truecaller, Tango, and Viber could give Syrian intelligence access to the communications of millions of people.
  4. Such attacks can also put people in physical danger through espionage, intimidation, and/or arrest.

Background: who is the Syrian Electronic Army?

The Syrian Electronic Army is a prolific hacker group loyal to Syrian President Bashar al-Assad. Its campaign began in mid-2011 and includes DDoS attacks, phishing, pro-Assad defacements, and spamming against governments, online services, and media perceived as hostile to the Syrian government.

To date, SEA has successfully targeted Al-Jazeera, Anonymous, the Associated Press (AP), BBC, Daily Telegraph, Financial Times, Guardian, Human Rights Watch, National Public Radio, and more. Its best-known operation was a false announcement, sent from AP’s hijacked Twitter account, that the White House had been bombed and President Obama injured, after which stock markets briefly lost more than $100 billion in value.

SEA’s exact relationship to the Syrian government is unclear. The domain name for its website was registered by the Syrian Computer Society, which was previously led by President Assad. But the depth and breadth of SEA activity suggest that it also has the support of many civilian volunteers. In fact, SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy Internet users has been key to its success. And to some degree, as in other “patriotic hacker” conflicts, the ambiguity of this relationship gives the Syrian government some protection from the legal and political consequences of SEA’s attacks.

SEA: Phishing for Trojan Horses

SEA’s two primary goals are to improve the Syrian government’s image and to maintain pressure on the Syrian political opposition, both of which can be pursued through computer network operations. SEA often sends socially engineered spear-phishing emails that lure opposition activists into opening weaponized documents or entering credentials into fraudulent login pages; targeted Facebook users, for example, have been tricked into giving up their login information this way.

SEA is believed to have used the following Remote Access Tools (RATs) and Trojan horse applications in the past: Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast.

A successful installation of such malware on a victim’s computer could provide SEA with a wide range of capabilities, including:

  • keystroke logging
  • screenshots
  • eavesdropping by microphone
  • webcam images
  • stolen documents
  • stolen passwords.

And of course, SEA most likely sends all of this information to a command-and-control address within Syrian government-controlled Internet Protocol (IP) space for intelligence collection and review.
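The capabilities listed above (keystrokes, screenshots, audio, webcam images, documents) all have to leave the victim machine, and the post’s inference is that they go to infrastructure in government-controlled IP space. The following is an added example, not code from the original post or from FireEye, of the hunting logic a network defender would run over flow records: it parses constructed netflow-style lines, flags outbound connections to a watchlist of CIDR ranges, and totals bytes per internal host so that bulk transfers (stolen documents, screenshot archives) stand out from small beacons. The watchlist uses IETF documentation ranges as stand-ins; they are not Syrian netblocks, and the log line format and `bulk_threshold` are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed watchlist (assumption): IETF documentation ranges standing in for
# whatever ranges your intelligence identifies. They are NOT real C2 netblocks.
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed flow-record format: "<ts> <src>:<sport> -> <dst>:<dport> bytes_out=<n>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$'
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "bytes": int(m.group("bytes")),
    }


def in_watchlist(addr):
    """True if the destination falls inside any watchlisted network."""
    return any(addr in net for net in WATCHLIST)


def hunt(lines, bulk_threshold=50 * 1024 * 1024):
    """Group watchlist hits by internal source host.

    Returns {src: {"flows": [...], "bytes_out": n, "bulk": bool}}, where "bulk"
    marks hosts whose total outbound volume to watchlisted space crosses the
    threshold (default 50 MiB, an assumed cut-off; tune it to your baseline).
    """
    totals = defaultdict(int)
    hits = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not in_watchlist(flow["dst"]):
            continue
        totals[flow["src"]] += flow["bytes"]
        hits[flow["src"]].append((flow["ts"], str(flow["dst"]), flow["dport"], flow["bytes"]))
    return {
        src: {"flows": hits[src], "bytes_out": totals[src], "bulk": totals[src] >= bulk_threshold}
        for src in hits
    }


# Constructed sample records: one benign flow, one host pushing ~71 MiB to a
# watchlisted address, one host sending a small beacon, and one malformed line.
SAMPLE_FLOWS = [
    "2013-07-24T09:58:02Z 10.1.4.22:51234 -> 192.0.2.10:443 bytes_out=2048",
    "2013-07-24T10:02:11Z 10.1.4.22:51240 -> 203.0.113.17:443 bytes_out=1048576",
    "2013-07-24T10:02:40Z 10.1.4.22:51241 -> 203.0.113.17:443 bytes_out=73400320",
    "2013-07-24T10:05:09Z 10.1.4.31:40000 -> 198.51.100.5:8080 bytes_out=4096",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for src, finding in hunt(SAMPLE_FLOWS).items():
        print(src, finding["bytes_out"], "bulk" if finding["bulk"] else "beacon-sized")
```

The split between "bulk" and beacon-sized hosts matters in triage: a host that only beacons may be freshly infected and worth isolating before documents leave, while a bulk sender tells the incident responder that collection has already happened and the scope of the loss needs to be established from the byte counts.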

References

Albanesius, Chloe. “Tango Messaging App Targeted by Syrian Electronic Army.” PCMag (23 July 2013).

Ashford, Warwick. “Syrian hacktivists hit second mobile app in a week.” Computer Weekly (24 July 2013).

Fisher, Max & Keller, Jared. “Syria’s Digital Counter-Revolutionaries.” The Atlantic (31 Aug 2011).

Kastrenakes, Jacob. “Syrian Electronic Army alleges stealing ‘millions’ of phone numbers from chat app Tango.” The Verge (22 July 2013).

Khare, Anupika. “Syrian Electronic Army Hacks Truecaller Database, Gains Access Codes to Social Media Accounts.” iDigital Times (19 July 2013).

Manzoor, Sarfraz. “Slaves to the algorithm: Are stock market math geniuses, or quants, a force for good?” The Sunday Telegraph (25 July 2013).

“Syrian Electronic Army.” Wikipedia (accessed 25 July 2013) http://en.wikipedia.org/wiki/Syrian_Electronic_Army.

About Kenneth Geers

Kenneth Geers (PhD, CISSP) is a Senior Global Threat Analyst at FireEye. Dr. Geers spent twenty years in the U.S. Government, with lengthy tours at NSA, NCIS, and NATO. Kenneth was the first U.S. Representative to the NATO Cooperative Cyber Defence Centre of Excellence in Estonia and is the author of "Strategic Cyber Security", Editor of "The Virtual Battlefield: Perspectives on Cyber Warfare", Technical Expert for the "Tallinn Manual on the International Law Applicable to Cyber Warfare", and author of more than twenty articles and chapters on cyber conflict. Follow him on Twitter @KennethGeers.