Feeds

Syrian Electronic Army no longer just Twitter feed jackers... and that's bad news

Hackers now target VoIP apps, directories, spewing Trojans as they go - infosec bods

Beginner's guide to SSL certificates

The Syrian Electronic Army is starting to pose a serious risk to enemies of the Assad regime in both Syria and further afield, according to security watchers.

Reports that the SEA managed to take over three personal email accounts of White House employees remain unconfirmed. However, recent worrying attacks on VoIP apps Viber and Tango mean that officials and security researchers need to keep a closer eye on the group, argues anti-malware tools firm FireEye.

The security company warns that in graduating from compromising the Twitter feeds of various media outlets – albeit with costly consequences – to attacking VoIP apps, the group has emerged as a much more serious threat.

"Successful attacks on international communications sites such as TrueCaller, Tango, and Viber could give Syrian intelligence access to the communications of millions of people," FireEye's Ayed Alqartah, systems engineer - Middle East and Africa warns: "Such attacks can also put human beings in real danger through espionage, intimidation, and/or arrest."

Who are the Syrian Electronic Army?

The SEA is a prolific hacker crew loyal to Syrian President Bashar al-Assad that sprung into life in mid-2011. Its antics since have included DDoS attacks, phishing against social media profiles and pro-Assad defacements. The group has targeted governments, online services and media that are perceived to be hostile to the Syrian government.

Its defacements and Twitter account hijackings are often carried out to push propaganda messages ranging from shock videos of alleged jihadist atrocities to (more recently) satirical cartoons.

The SEA has successfully targeted Twitter accounts and other social media profiles run by Al-Jazeera, the Associated Press, BBC, Daily Telegraph, Financial Times, The Guardian, Human Rights Watch, America's National Public Radio, and more.

The group's infamous hijack of AP's eponymous Twitter account, spreading a false rumour that the White House had been bombed and President Obama injured, briefly wiped billions of dollars off the stock market.

Over the last two weeks alone, the SEA has recently compromised three widely used online communications websites, each of which could have serious real-world consequences for Syria’s political opposition.

The SEA hacked the Swedish site Truecaller, home to the world's largest online telephone directory with over a billion phone numbers in over 100 countries, on 16 July. FireEye said the attack was pulled off using a vulnerable version of WordPress. After the attack, hacktivists boasted they had snatched access codes to more than a million Facebook, Twitter, LinkedIn and Gmail accounts.

Less than a week later, the SEA followed up with a successful hack against video and text messaging service Tango on 21 July, stealing more than 1.5 TB of user information, names, phone numbers, emails, and personal contacts for millions of accounts. Once again, a vulnerable version of Wordpress (version 3.2.1), allowed hackers affiliated with the SEA to lift confidential information from a database server.

The trifecta of serious hacks was completed on 24 July when the SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged but played down the significance of the attack, which it said had been pulled off using a phishing scam that gave the SEA access to Viber's customer support site. The VoIP provider has denied any private user information was compromised.

FireEye's Ayed Alqartah argues that although the scope and number of assaults distinguishes the SEA from other patriotic hacking groups, it shares some similarities.

"The SEA, just like other 'patriotic hackers' around the world, is proving that a small group of expert hackers can be a force on the international stage," Alqartah writes. "SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries."

The SEA's make up or exact relationship to the Syrian government is unclear, however the domain name for the SEA's website was registered by the Syrian Computer Society, which was previously led by President Bashar Assad. The group has targeted domestic dissidents and as well as foreign enemies of the Assad regime.

The hacktivists often send socially-engineered spear-phishing emails to lure opposition activists into opening fraudulent, malware-laden documents, says FireEye. Targeted Facebook users have also been tricked into giving up their login information.

The security researchers say the group has also been linked to the use of Trojans such as Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast, which have all been deployed against dissidents in Syria to steal documents and passwords, install keylogging software onto computers and otherwise spy on targets.

Alqartah speculates that the depth and diversity of the hacking crew's activities make it likely that it has the support of many civilian volunteers.

"The SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy internet users has been key to its success," he said. "And to some degree, as in other 'patriotic hacker' conflicts, the ambiguous nature of their relationship gives the Syrian government some protection from the legal and political consequences of SEA’s attacks."

A blog post on the SEA by Alqartah and Kenneth Geers, a senior global threat analyst at FireEye, can be found here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.