Sunday 19 May 2013

Hunting for Syrian hackers’ chain of command

It’s the question of the moment inside the murky realm of cybersecurity: Just who, or what, is the Syrian Electronic Army?
The hacking group that calls itself the SEA struck again Friday, this time breaking into the Twitter accounts and blog headlines of the Financial Times. The attack was part of a crusade that has targeted dozens of media outlets as varied as the Associated Press and The Onion, the parody news site.
But just who is behind the SEA’s cyber-vandalism remains a mystery. Paralleling the group’s boisterous, pro-Syrian government activity has been a much quieter internet surveillance campaign aimed at revealing the identities, activities and whereabouts of the Syrian rebels fighting the government of President Bashar Assad.
Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers. It’s a high-stakes search. If researchers prove the Assad regime is closely tied to the group, foreign governments may choose to respond because the attacks have real-world consequences. The SEA briefly sent the stock market tumbling, for example, by planting false reports of White House explosions in a recent hijacking of the AP’s Twitter feed.
The mystery is made more curious by the belief among researchers that the hackers currently parading as the SEA are not the same people who started the pro-Assad campaign two years ago.
Experts say the Assad regime benefits from the ambiguity. “They have created extra space between themselves and international law and international opinion,” said James A. Lewis, a security expert with the Centre for Strategic and International Studies.
BEGINNINGS DURING THE 2011 UPRISINGS
The SEA emerged during the Syrian uprisings in May 2011, researchers said, to offer a pro-Assad counternarrative to news coming out of Syria. In speeches, Assad likened the SEA to the government’s own online security corps, referring to the group as “a real army in a virtual reality.”
In its early incarnation, researchers said, the SEA had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers. Several early members belonged to the Syrian Computer Society, a technical organization run by Assad before he became president. Until last month, digital records suggest, the Syrian Computer Society still ran much of the SEA’s infrastructure. In April, a raid of SEA web domains revealed that the majority were still registered to the society.
SEA members initially created pro-Assad Facebook pages and spammed popular pages like President Barack Obama’s and Oprah Winfrey’s with pro-Syrian comments. But by fall 2011, SEA activities had become more premeditated. They defaced prominent websites like Harvard University’s with pro-Assad messages, in an attack a spokesman characterised as sophisticated.
At some point, the SEA’s key players disappeared and a second crop of hackers took over. The current group consists of roughly a dozen new actors led by hackers who call themselves “Th3 Pr0” and “The Shadow” and function more like Anonymous, the loose hacking collective, than a state-sponsored brigade. In interviews, people who now identify as the SEA insist they operate independently from the Assad regime. But researchers who have been following the group’s digital trail aren’t convinced.
“The opportunity for collaboration between the SEA and regime is clear, but what is missing is proof,” said Jacob West, a chief technology officer at Hewlett-Packard. As governments consider stronger responses to malicious cyberactivity, West said, “the motivation for Syria to maintain plausible deniability is very, very real.”
SURVEILLING DISSIDENTS
Long before the SEA’s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like “Dark Comet” and “BlackShades” sending information back to Syria’s Ministry of Communications. The software, which tracked a target’s location, read emails and logged keystrokes, disguised itself as an encryption service for Skype, a program used by many Syrian activists.
Marquis-Boire has uncovered more than 200 IP addresses running the spyware. Some were among the few kept online last week during an internet disruption in Syria that the government blamed on a “technical malfunction,” but experts described as a systematic government shutdown.
SEA members deny spying on Syrian civilians. “We didn’t do that and we will not,” the hacker who identifies himself as Th3 Pr0 wrote in an email. “Our targets are known,” he wrote, referring to its public Twitter attacks. Researchers have tracked several of those attacks, including that on The Onion and another against Human Rights Watch in March, to a server in Russia, which they believe is redirecting attacks from Syria. Last weekend, researchers traced one attack back to a Syrian IP address registered to Syriatel, a telecommunications company owned by Rami Makhlouf, Assad’s first cousin.
Dissidents say that connection is proof the SEA is backed by the Assad regime, and claim the Twitter attacks are just the outward-facing component of a deeper surveillance campaign.
“There is no doubt they are the same,” said Dlshad Othman, a Syrian in Washington who helps dissidents get rid of the spyware.
The smoking gun, Othman and others say, was an SEA attack last year on Burhan Ghalioun, a Syrian opposition leader. Shortly after Ghalioun’s Facebook page was hacked, it began serving spyware to fans. Ghalioun’s emails also showed up on an SEA leak site.
The other potential link, they say, is a list of opposition leaders that surfaced in July, after SEA members boasted they could help the regime quickly search for the names of opponents. Othman said the boasts were proof the SEA worked with the regime and kept tabs on dissidents.
Ironically, that opposition search most likely led to the SEA’s internal shake-up. Activists say encryption on the document was cracked, and in July it popped up on Pastebin, a website for anonymous postings.
“There was a view that the government blamed the SEA for the leak,” said John Scott-Railton, a Citizen Lab research fellow.
In the days that followed, Facebook accounts for known SEA members went dark. SEA aliases that researchers had been tracking suddenly vanished. New members with different monikers assumed the group’s name. Researchers say the hackers behind the recent spate of Twitter hacks are far less organized.
Outside Syria, the Twitter attacks made people take note of the SEA. But inside Syria, they barely registered. Dissidents there are more concerned with the mounting spyware infections and imprisonments. And researchers have seen the spyware tracking a new target: aid workers.
“The Syrian opposition are quite paranoid and aware of the stakes,” Marquis-Boire said. “But then you get foreign aid workers who show up to do good work, but are not as paranoid about their operational security.”
“It’s a smart move if you think about it,” he added.
