It’s the question of the moment inside the murky realm of cybersecurity: Just who, or what, is the Syrian Electronic Army?
The hacking group that calls itself the SEA struck again Friday, this
time breaking into the Twitter accounts and blog headlines of the
Financial Times. The attack was part of a crusade that has targeted
dozens of media outlets as varied as the Associated Press and The Onion,
the parody news site.
But just who is behind the SEA’s cyber-vandalism remains a mystery.
Paralleling the group’s boisterous, pro-Syrian government activity has
been a much quieter internet surveillance campaign aimed at revealing
the identities, activities and whereabouts of the Syrian rebels fighting
the government of President Bashar Assad.
Now sleuths are trying to figure out how much overlap there is
between the rowdy pranks playing out on Twitter and the silent spying
that also increasingly includes the monitoring of foreign aid workers.
It’s a high-stakes search. If researchers prove the Assad regime is
closely tied to the group, foreign governments may choose to respond
because the attacks have real-world consequences. The SEA nearly crashed
the stock market, for example, by planting false tales of White House
explosions in a recent hijacking of the AP’s Twitter feed.
The mystery is made more curious by the belief among researchers that
the hackers currently parading as the SEA are not the same people who
started the pro-Assad campaign two years ago.
Experts say the Assad regime benefits from the ambiguity. “They have
created extra space between themselves and international law and
international opinion,” said James A. Lewis, a security expert with the
Centre for Strategic and International Studies.
BEGINNINGS DURING THE 2011 UPRISINGS
The SEA emerged during the Syrian uprisings in May 2011, they said,
to offer a pro-Assad counternarrative to news coming out of Syria. In
speeches, Assad likened the SEA to the government’s own online security
corps, referring to the group as “a real army in a virtual reality.”
In its early incarnation, researchers said, the SEA had a clearly
defined hierarchy, with leaders, technical experts, a media arm and
hundreds of volunteers. Several early members belonged to the Syrian
Computer Society, a technical organization run by Assad before he became
president. Until last month, digital records suggest, the Syrian
Computer Society still ran much of the SEA’s infrastructure. In April, a
raid of SEA web domains revealed that the majority were still
registered to the society.
SEA members initially created pro-Assad Facebook pages and spammed
popular pages like President Barack Obama’s and Oprah Winfrey’s with
pro-Syrian comments. But by fall 2011, SEA activities had become more
premeditated. They defaced prominent websites like Harvard University’s
with pro-Assad messages, in an attack a spokesman characterised as
sophisticated.
At some point, the SEA’s key players disappeared and a second crop of
hackers took over. The current group consists of roughly a dozen new
actors led by hackers who call themselves “Th3 Pr0” and “The Shadow” and
function more like Anonymous, the loose hacking collective, than a
state-sponsored brigade. In interviews, people who now identify as the
SEA insist they operate independently from the Assad regime. But
researchers who have been following the group’s digital trail aren’t
convinced.
“The opportunity for collaboration between the SEA and regime is
clear, but what is missing is proof,” said Jacob West, a chief
technology officer at Hewlett-Packard. As governments consider stronger
responses to malicious cyberactivity, West said, “the motivation for
Syria to maintain plausible deniability is very, very real.”
SURVEILLING DISSIDENTS
Long before the SEA’s apparent changing of the guard, security
researchers unearthed a stealthier surveillance campaign targeting
Syrian dissidents that has since grown to include foreign aid workers.
Morgan Marquis-Boire, a researcher at the Citizen Lab at the University
of Toronto, uncovered spyware with names like “Dark Comet” and
“BlackShades” sending information back to Syria’s Ministry of
Communications. The software, which tracked a target’s location, read
emails and logged keystrokes, disguised itself as an encryption service
for Skype, a program used by many Syrian activists.
Marquis-Boire has uncovered more than 200 IP addresses running the
spyware. Some were among the few kept online last week during an
internet disruption in Syria that the government blamed on a “technical
malfunction,” but experts described as a systematic government shutdown.
SEA members deny spying on Syrian civilians. “We didn’t do that and
we will not,” the hacker who identifies himself as Th3 Pr0 wrote in an
email. “Our targets are known,” he wrote, referring to its public
Twitter attacks. Researchers have tracked several of those attacks,
including that on The Onion and another against Human Rights Watch in
March, to a server in Russia, which they believe is redirecting attacks
from Syria. Last weekend, researchers traced one attack back to a Syrian
IP address registered to Syriatel, a telecommunications company owned
by Rami Makhlouf, Assad’s first cousin.
Dissidents say that connection is proof the SEA is backed by the
Assad regime, and claim the Twitter attacks are just the outward-facing
component of a deeper surveillance campaign.
“There is no doubt they are the same,” said Dlshad Othman, a Syrian in Washington who helps dissidents get rid of the spyware.
The smoking gun, Othman and others say, was an SEA attack last year
on Burhan Ghalioun, a Syrian opposition leader. Shortly after Ghalioun’s
Facebook page was hacked, it began serving spyware to fans. Ghalioun’s
emails also showed up on an SEA leak site.
The other potential link, they say, is a list of opposition leaders
that surfaced in July, after SEA members boasted they could help the
regime quickly search for the names of opponents. Othman said the boasts
were proof the SEA worked with the regime and kept tabs on dissidents.
Ironically, that opposition search most likely led to the SEA’s
internal shake-up. Activists say encryption on the document was cracked,
and in July it popped up on Pastebin, a website for anonymous postings.
“There was a view that the government blamed the SEA for the leak,” said John Scott-Railton, a Citizen Lab research fellow.
In the days that followed, Facebook accounts for known SEA members
went dark. SEA aliases that researchers had been tracking suddenly
vanished. New members with different monikers assumed the group’s name.
Researchers say the hackers behind the recent spate of Twitter hacks are
far less organized.
Outside Syria, the Twitter attacks made people take note of the SEA.
But inside Syria, they barely registered. Dissidents there are more
concerned with the mounting spyware infections and imprisonments. And
researchers have seen the spyware tracking a new target: aid workers.
“The Syrian opposition are quite paranoid and aware of the stakes,”
Marquis-Boire said. “But then you get foreign aid workers who show up to
do good work, but are not as paranoid about their operational
security.”
“It’s a smart move if you think about it,” he added.