The pro-Syrian cyberhackers behind the recent attacks on major media outlets’ Twitter accounts claim to be members of a grass-roots organization defending the honor of the nation, but are likely nothing more than government-backed cyberwarriors, some researchers say.
The hacks by the Syrian Electronic Army (SEA) on Twitter reflect an intensifying effort in recent weeks to disseminate pro-Syrian propaganda and attack Syria’s perceived enemies in the media. The emphasis marks an apparent shift for the group, which previously had focused more on attacking and defacing websites and Facebook pages of members of Syria’s opposition and others they perceived as anti-Syrian, according to close observers of the group.
The most recent attack came Monday, with the SEA hacking into several Twitter accounts belonging to the British newspaper, The Guardian.
Shortly after, Twitter warned news organization in an e-mail that their accounts could be vulnerable. Twitter has been shutting down the latest versions of the official SEA Twitter channel (the group was on its 12th) as fast as the San Francisco-based company can find them.
Citing “several recent incidents of high-profile news and media Twitter handles being compromised,” the company wrote that: “We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers.”
Twitter hack victims have so far included CBS, NPR, and the BBC. Previously hacked organizations included Human Rights Watch, Reuters, Sky News Arabia, and even the FIFA World Cup organization. The AP and BBC both reported that “phishing” e-mails were sent to their staff about the same time accounts got hacked.
But the biggest “twit-hit” was on April 25, when the official Twitter account of the Associated Press was hijacked and used to tweet a hoax that the White House had been hit by bombs and President Obama injured. The US stock market immediately plummeted 145 points, the fake news erasing an estimated $200 billion in market value – at least for a few minutes – before it rebounded.
What’s behind the Twitter hacks is a bald effort to win attention for Syria’s cause and to attack the nation’s perceived enemies in the media, several close observers say.
Some researchers who have been tracking the SEA for years say the group appears to have at least “tacit support” from Syrian President Bashar al-Assad. Others argue the group is operated out of Dubai by deep-pocketed supporters of the Syrian regime. Still others say the connection with the Assad regime is quite direct.
“The SEA definitely has a close relationship with the regime,” says Amjad Baiazy, an independent cyber-researcher in London who was held in detention by the regime in 2011. “I can’t say if they are also supported by certain individuals, but I can say they are funded by the regime. There are also strong indications that members of the group are trained by Iranian [information technology] experts.”
The fact that the group’s website is hosted on the national Syrian network, where local web hosting is highly politicized, indicates at the very least “tacit support” from the Assad regime, according to Helmi Noman, a senior researcher with Citizen Lab, a cyber-research center at the University of Toronto.
Such “local hosting of sensitive content indicates state approval or at least tolerance of the content and the people behind the content,” Mr. Noman writes in an e-mail interview. Even so, “I do not have information that suggests that the SEA is a Syrian state operation, but the tacit support which we have documented can potentially amount to sponsorship.”
It is significant, as well, that President Assad thanked the group in a major televised speech in 2011, which Noman calls “a prerequisite political blessing without which such a group with questionable activities cannot operate.”
In that speech to Damascus University, Assad likened online cyberwarriors to his best troops: "The army consists of the brothers of every Syrian citizen,” he said. “Young people have an important role to play at this stage, because they have proven themselves to be an active power. There is the electronic army, which has been a real army in virtual reality."
When the domain names of the SEA were seized last month by US authorities, the SEA survived the interruption by launching a new country code top-level domain name – sea.sy – for its website, Noman writes. Doing so, “implies that the national agency in charge of domain name registration does not find the SEA's hacking and compromising activities objectionable,” he notes.
Still, the SEA has steadfastly denied on its website any links to the Syrian regime, portraying itself as just a group of self-organized volunteers.
“We are a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria, and this distortion is carried out by many Facebook pages that deliberately work to spread hatred and sectarian intolerance between the peoples of Syria to fuel the uprising,” the group’s description says on its website.
Distancing itself is not surprising, the researchers say.
“The state needs this distance so that it cannot be held legally, politically, or even financially responsible for the SEA's activities,” Noman writes. “On the other hand, I won't be surprised if the Syrian institutions at some point defend their support [for] the SEA, arguing that their activities come in the context of a legitimate cyberwar. In fact, that is how the local media is portraying them in its celebratory reports which I have been looking at.”
The SEA has shifted from defacing political and mostly apolitical websites to targeting the media, which it perceives as hostile to the Syrian regime. The SEA, for instance, has not targeted "friendly" Russian or Iranian media, observers say. The group also likes media attention, and compromising the online presence of media outlets amplifies their exposure to the media, they agree.
“Basically they want to become famous to tell their story to the international community,” says Mr. Baiazy. “To do this, they have to catch attention. So they target, for example, the Twitter account for Reuters. Believe it or not, they actually are trying to leave a positive impression about Syria.”
Baiazy, who was imprisoned in Syria in 2011 and interrogated about his online activities, says those questioning him were very young and barely computer literate. If so, it remain a question about the far more sophisticated actors also said to be part of the Syrian Electronic Army, which has been systematically and clandestinely luring opposition sympathizers with tainted video links in e-mail, fake Skype encryption tools, and tainted online documents.
Those hackers believed to be allied to Syria's government have deployed a fairly sophisticated array of powerful spyware with names like DarkComet, backdoor.bruet, and Blackshades. Available on the Internet, these malware are used to infiltrate the personal computers of opposition figures and rights activists and send back information on their friends and contacts as well as passwords, cybersecurity experts say.
Also of note, The Guardian reports that defectors from inside the SEA claim many in the organization moved last year from Damascus to a secret base in Dubai funded by Assad's billionaire cousin, Rami Makhlouf, who controls it.
Pro-Assad activists are said to receive $500 to $1,000 for attacks on major Western targets – a huge sum for most Syrians, The Guardian reported.