Syrian Electronic Army no longer just Twitter feed jackers... and that's bad news

Hackers now target VoIP apps, directories, spewing Trojans as they go - infosec bods

The Syrian Electronic Army is starting to pose a serious risk to enemies of the Assad regime in both Syria and further afield, according to security watchers.

Reports that the SEA managed to take over three personal email accounts of White House employees remain unconfirmed. However, recent worrying attacks on VoIP apps Viber and Tango mean that officials and security researchers need to keep a closer eye on the group, argues anti-malware tools firm FireEye.

The security company warns that in graduating from compromising the Twitter feeds of various media outlets – albeit with costly consequences – to attacking VoIP apps, the group has emerged as a much more serious threat.

"Successful attacks on international communications sites such as TrueCaller, Tango, and Viber could give Syrian intelligence access to the communications of millions of people," warns FireEye's Ayed Alqartah, systems engineer for the Middle East and Africa. "Such attacks can also put human beings in real danger through espionage, intimidation, and/or arrest."

Who are the Syrian Electronic Army?

The SEA is a prolific hacker crew loyal to Syrian President Bashar al-Assad that sprang into life in mid-2011. Its antics since then have included DDoS attacks, phishing against social media profiles and pro-Assad defacements. The group has targeted governments, online services and media outlets that are perceived to be hostile to the Syrian government.

Its defacements and Twitter account hijackings are often carried out to push propaganda messages ranging from shock videos of alleged jihadist atrocities to (more recently) satirical cartoons.

The SEA has successfully targeted Twitter accounts and other social media profiles run by Al-Jazeera, the Associated Press, BBC, Daily Telegraph, Financial Times, The Guardian, Human Rights Watch, America's National Public Radio, and more.

The group's infamous hijack of AP's eponymous Twitter account, spreading a false rumour that the White House had been bombed and President Obama injured, briefly wiped billions of dollars off the stock market.

Over the last two weeks alone, the SEA has compromised three widely used online communications websites, each of which could have serious real-world consequences for Syria's political opposition.

The SEA hacked the Swedish site Truecaller, home to the world's largest online telephone directory with over a billion phone numbers in over 100 countries, on 16 July. FireEye said the attack was pulled off using a vulnerable version of WordPress. After the attack, hacktivists boasted they had snatched access codes to more than a million Facebook, Twitter, LinkedIn and Gmail accounts.

Less than a week later, the SEA followed up with a successful hack against video and text messaging service Tango on 21 July, stealing more than 1.5 TB of user information, including names, phone numbers, emails, and personal contacts for millions of accounts. Once again, a vulnerable version of WordPress (version 3.2.1) allowed hackers affiliated with the SEA to lift confidential information from a database server.

The trifecta of serious hacks was completed on 24 July when the SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged but played down the significance of the attack, which it said had been pulled off using a phishing scam that gave the SEA access to Viber's customer support site. The VoIP provider has denied any private user information was compromised.

FireEye's Ayed Alqartah argues that although the scope and number of its assaults distinguish the SEA from other patriotic hacking groups, it shares some similarities with them.

"The SEA, just like other 'patriotic hackers' around the world, is proving that a small group of expert hackers can be a force on the international stage," Alqartah writes. "SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries."

The SEA's make-up and its exact relationship to the Syrian government are unclear. However, the domain name for the SEA's website was registered by the Syrian Computer Society, which was previously led by President Bashar Assad. The group has targeted domestic dissidents as well as foreign enemies of the Assad regime.

The hacktivists often send socially engineered spear-phishing emails to lure opposition activists into opening fraudulent, malware-laden documents, says FireEye. Targeted Facebook users have also been tricked into giving up their login details.

The security researchers say the group has also been linked to the use of Trojans such as Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast, all of which have been deployed against dissidents in Syria to steal documents and passwords, install keylogging software on their computers and otherwise spy on targets.

Alqartah speculates that the depth and diversity of the hacking crew's activities make it likely that it has the support of many civilian volunteers.

"The SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy internet users has been key to its success," he said. "And to some degree, as in other 'patriotic hacker' conflicts, the ambiguous nature of their relationship gives the Syrian government some protection from the legal and political consequences of SEA’s attacks."

A blog post on the SEA by Alqartah and Kenneth Geers, a senior global threat analyst at FireEye, can be found here.