The Syrian Electronic Army is on quite the tear lately. As reported, the latest attacks hijacked the New York Times, Huffington Post and Twitter, but they’ve also come after the Washington Post, CNN, and others in recent news. Their website was taken offline by an “internet body” today, most likely in response to their most recent activities, but they promise they will be back shortly.
A lot of people know about Anonymous, but many are wondering who the Syrian Electronic Army actually is. They are a group of motivated, pro-Assad hackers whose purpose is pure hacktivism. They do not seem to care about showing technical prowess in their exploits; they want their message out and are willing to use whatever tactics are available to do just that, especially in light of the world news events of the day. This was evident in the latest attacks, as it appears the Melbourne IT domain name registrar was compromised through a phishing email. In this case it would have to be classified as spear-phishing: a specific party with specific access was socially engineered, or tricked, into either loading some type of malware or turning over credentials. From there the third-party attack could take place: DNS records were changed, and the rest is an embarrassing piece of history. Some call the group mysterious, some say their motives are not exactly clear, and many have tried to compile a definitive profile of the group. A few months ago, a team of researchers at HP Security put out the most comprehensive dive into the SEA.
The entire post titled “Understanding the Syrian Electronic Army (SEA)” covers information about the group in detail, so I’m making a crib notes version. There are a number of interesting facets dug up by the research into this organization, as it appears there is certainly an extreme degree of alignment with the Syrian government:
The SEA has a significant web presence. The group uses their website to coordinate group membership and report on operations that have been carried out. The SEA runs two leak sites where they dump information from various hacks. One is included on their primary website and the second separate site discloses leaks related to Qatar. The primary leak site was launched January 23, 2013.
In the past several months sites registered by the SEA have been seized by the U.S. government due to sanctions against Syria.
The SEA has created an Android application for their members. The application is simply a viewer for the stories the SEA posts on their website. There are no Arabic/English language options for the application. The application itself is in English, but the articles are in Arabic. It functions as little more than its own RSS reader.
As with all applications from a source such as this, HPSR recommends organizations block this application. The application is not available in the Google Play Store and must be downloaded from (EDITED)
The fact that they created an app is a very interesting sign that they are ambitious and certainly organized enough to launch and distribute such a thing. The application, however, apparently remains in a broken state because the underlying domains have changed.
Social Media Presence
Similar to many other hacktivist groups, the SEA has widely leveraged social media to communicate with members as well as the general public. The primary communication channel for the SEA has been Twitter. Many of their tweets are related to postings on their website regarding completed operations.
Perhaps the most notorious of all the SEA’s exploits was an incident back in April of this year where the Twitter account for the Associated Press was hacked. The group sent out a fake tweet that there were two bombings at the White House, and the Dow Jones Industrial Average took a short-lived 150-point dip. The incident prompted a rapid response from the White House, after which the market corrected itself.
The SEA has engaged in a number of malicious tactics, including setting up fake social media profiles on sites like Facebook and YouTube. The object is to collect credentials and spread malware. As reported, this latest attack used a spear-phishing method. They have created targeted malware attacks, one of which was disguised as an encrypted Skype program. They have also been responsible for a limited number of DDoS attacks; the low number is attributed to the fact that they are spreading propaganda as opposed to protesting. That’s exactly what the SEA is best known for: defacing sites and getting their messages spread through those defacements, through social media, and through the social media accounts that they hack.
The SEA basically wants attention and ways to spread their pro-Assad messages, and they are willing to employ any and all methods of hacking available to them to accomplish that. The Hewlett Packard Security Research team recommends that if you are in the media, you are a target and you should be vigilant in your security practices. That means monitoring, it means enforcing strong passwords, it means looking out for signs of compromise, and that’s just to start. In this case, the crafty compromise through the domain registrar means third-party providers like that need to be on the lookout as well. When you reflect on the temporary but significant impact of the AP Twitter hack, it brings to mind the kind of electronic assault that could exploit our automated and sensitive critical systems, affecting not only financial systems but core infrastructure as well.
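One way to act on the “monitoring” recommendation above, written as an added example rather than code from this post or from HP Security Research: a baseline-drift check that flags the kind of registrar-level DNS change described earlier, where nameservers and addresses are swapped out from under a domain. The domain, nameservers, addresses and record sets are constructed sample data; in practice the observed records would come from a resolver query.

```python
"""Baseline-drift check for a domain's DNS records.
Added example, not code from the original post or the HP research: a detector
for the kind of change the registrar compromise produced, where records held at
the registrar were altered to point a domain elsewhere. Names, addresses and
record sets below are constructed sample data.
"""
from dataclasses import dataclass

# An unexpected NS change hands the zone to another party; MX redirects mail.
HIGH_SEVERITY = {"NS", "MX"}

@dataclass(frozen=True)
class Change:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str

def detect_dns_drift(baseline: dict, observed: dict) -> list:
    """One Change per (name, rtype) whose value set differs from baseline.

    Inputs map (name, rtype) -> set of record values. Sets that vanished or
    newly appeared are reported too; a vanished set is always high severity.
    """
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        exp = frozenset(baseline.get(key, ()))
        obs = frozenset(observed.get(key, ()))
        if exp != obs:
            sev = "high" if key[1] in HIGH_SEVERITY or not obs else "medium"
            changes.append(Change(key[0], key[1], exp, obs, sev))
    return changes

# Constructed sample: a known-good snapshot and a later observation in which
# the nameservers and web address were swapped out, as in a registrar hijack.
BASELINE = {
    ("example.com.", "NS"): {"ns1.registrar.example.", "ns2.registrar.example."},
    ("example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}
OBSERVED_HIJACKED = {
    ("example.com.", "NS"): {"ns1.unknown-party.invalid.", "ns2.unknown-party.invalid."},
    ("example.com.", "A"): {"203.0.113.77"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}

if __name__ == "__main__":
    for c in detect_dns_drift(BASELINE, OBSERVED_HIJACKED):
        print(f"[{c.severity}] {c.name} {c.rtype}: {sorted(c.expected)} -> {sorted(c.observed)}")
```

Run on a schedule against a snapshot taken when the records were known to be correct, a high-severity NS change is the signal that the registrar-side records, not just a web server, have been tampered with.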