Syrian Electronic Army no longer just Twitter feed jackers... and that's bad news

Hackers now target VoIP apps, directories, spewing Trojans as they go - infosec bods

The Syrian Electronic Army is starting to pose a serious risk to enemies of the Assad regime in both Syria and further afield, according to security watchers.

Reports that the SEA managed to take over three personal email accounts of White House employees remain unconfirmed. However, recent worrying attacks on VoIP apps Viber and Tango mean that officials and security researchers need to keep a closer eye on the group, argues anti-malware tools firm FireEye.

The security company warns that in graduating from compromising the Twitter feeds of various media outlets – albeit with costly consequences – to attacking VoIP apps, the group has emerged as a much more serious threat.

"Successful attacks on international communications sites such as TrueCaller, Tango, and Viber could give Syrian intelligence access to the communications of millions of people," warns Ayed Alqartah, FireEye's systems engineer for the Middle East and Africa. "Such attacks can also put human beings in real danger through espionage, intimidation, and/or arrest."

Who are the Syrian Electronic Army?

The SEA is a prolific hacker crew loyal to Syrian President Bashar al-Assad that sprang into life in mid-2011. Its antics since have included DDoS attacks, phishing against social media profiles and pro-Assad defacements. The group has targeted governments, online services and media that are perceived to be hostile to the Syrian government.

Its defacements and Twitter account hijackings are often carried out to push propaganda messages ranging from shock videos of alleged jihadist atrocities to (more recently) satirical cartoons.

The SEA has successfully targeted Twitter accounts and other social media profiles run by Al-Jazeera, the Associated Press, BBC, Daily Telegraph, Financial Times, The Guardian, Human Rights Watch, America's National Public Radio, and more.

The group's infamous hijack of AP's eponymous Twitter account, spreading a false rumour that the White House had been bombed and President Obama injured, briefly wiped billions of dollars off the stock market.

Over the last two weeks alone, the SEA has compromised three widely used online communications websites, each of which could have serious real-world consequences for Syria's political opposition.

The SEA hacked the Swedish site Truecaller, home to the world's largest online telephone directory with over a billion phone numbers in over 100 countries, on 16 July. FireEye said the attack was pulled off using a vulnerable version of WordPress. After the attack, hacktivists boasted they had snatched access codes to more than a million Facebook, Twitter, LinkedIn and Gmail accounts.

Less than a week later, the SEA followed up with a successful hack against video and text messaging service Tango on 21 July, stealing more than 1.5 TB of user information, including names, phone numbers, emails, and personal contacts for millions of accounts. Once again, a vulnerable version of WordPress (version 3.2.1) allowed hackers affiliated with the SEA to lift confidential information from a database server.

The trifecta of serious hacks was completed on 24 July when the SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged but played down the significance of the attack, which it said had been pulled off using a phishing scam that gave the SEA access to Viber's customer support site. The VoIP provider has denied any private user information was compromised.

FireEye's Ayed Alqartah argues that although the scope and number of its assaults distinguish the SEA from other patriotic hacking groups, it shares some similarities with them.

"The SEA, just like other 'patriotic hackers' around the world, is proving that a small group of expert hackers can be a force on the international stage," Alqartah writes. "SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries."

The SEA's make-up and exact relationship to the Syrian government are unclear; however, the domain name for the SEA's website was registered by the Syrian Computer Society, which was previously led by President Bashar Assad. The group has targeted domestic dissidents as well as foreign enemies of the Assad regime.

The hacktivists often send socially engineered spear-phishing emails to lure opposition activists into opening fraudulent, malware-laden documents, says FireEye. Targeted Facebook users have also been tricked into giving up their login information.

The security researchers say the group has also been linked to the use of Trojans such as Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast, which have all been deployed against dissidents in Syria to steal documents and passwords, install keylogging software onto computers and otherwise spy on targets.

Alqartah speculates that the depth and diversity of the hacking crew's activities make it likely that it has the support of many civilian volunteers.

"The SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy internet users has been key to its success," he said. "And to some degree, as in other 'patriotic hacker' conflicts, the ambiguous nature of their relationship gives the Syrian government some protection from the legal and political consequences of SEA’s attacks."

A blog post on the SEA by Alqartah and Kenneth Geers, a senior global threat analyst at FireEye, can be found here. ®