US Army Document Discusses and Warns on Syrian Electronic Army

"Newly-obtained document," tweeted Matthew Keys, "shows U.S. Army concerned about Syrian Electronic Army." The document is titled Syrian Electronic Army (SEA) Targets Qatar, and was written by the Complex Operational Environment and Threat Integration Directorate (CTID). It uses SEA's DNS attacks on Qatari government websites in October to discuss both the SEA's organization and methods.

"The SEA has, to date, focused on nuisance attacks, including placing pro-Assad propaganda on the Qatar websites or directing visitors to other sites." It is not, says the document, "a monolithic organization, but operates in a decentralized fashion, in a manner similar to insurgent cells."

But although the document describes the attacks as having a 'nuisance' value, it says, "it is not unrealistic to posit more damaging attacks in the future." Nevertheless, the US Army does not perceive the SEA to have major technological capabilities.

"Despite threats that it would be forced to resort to more damaging attacks if provoked by an attack by outside forces [on Syria] there is no evidence the SEA could actually carry out such an attack without help from Syrian allies such as Russia, China or Iran. It is unlikely," it adds, "that any of these countries would entrust any kind of more sophisticated tools or resources to the SEA."

The 'nuisance value' is still damaging since it is likely that "the SEA has the capability to hack into systems that hold credit card and other sensitive information." This type of attack can have "devastating effects on consumer confidence," and "shifts in policies or coverage might cause the SEA to up the digital ante."

The document goes on to describe how the Qatar attacks (and others) were effected. "A hacker first uses blogs, social network sites, websites, etc. to find email addresses of people within an organization. Using that information, the hacker sends an email to the address with a downloadable file, acting as a Trojan horse, that contains an embedded remote access tool (RAT). Once the email recipient is enticed to open the attached file, the RAT is activated and able to send password and other sensitive information back to the hacker. With the acquired information, the hacker can enter the domain registry. Once in the domain registry, the hacker can change the names and modify websites."
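The last step in the chain quoted above, changing a domain's records through the registry account, shows up from the outside as a change in delegation. The following Python is an added example, not taken from the Army document or this article: it compares an observed snapshot of a domain's nameservers, addresses and EPP status codes against a known-good baseline. The snapshot structure, host names and addresses are constructed placeholders, and collecting the live values is assumed to happen elsewhere.

```python
from dataclasses import dataclass

# EPP status codes that block record updates at the registrar or registry.
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited"}

@dataclass(frozen=True)
class Snapshot:
    nameservers: frozenset
    addresses: frozenset
    epp_status: frozenset

def snapshot(nameservers, addresses, epp_status):
    """Normalise host names (case, trailing dot) so comparisons are exact."""
    ns = frozenset(n.strip().rstrip(".").lower() for n in nameservers)
    return Snapshot(ns, frozenset(addresses), frozenset(epp_status))

def drift(baseline, observed):
    """Return (severity, detail) findings for changes against the baseline."""
    findings = []
    for label, old, new, sev in (
        ("nameserver", baseline.nameservers, observed.nameservers, "HIGH"),
        ("address", baseline.addresses, observed.addresses, "MEDIUM"),
    ):
        for value in sorted(new - old):
            findings.append((sev, f"unexpected {label} {value}"))
        for value in sorted(old - new):
            findings.append((sev, f"missing {label} {value}"))
    # A lock that was present in the baseline and is now gone is its own signal.
    lost = (baseline.epp_status & UPDATE_LOCKS) - observed.epp_status
    for status in sorted(lost):
        findings.append(("HIGH", f"update lock removed: {status}"))
    if not observed.epp_status & UPDATE_LOCKS:
        findings.append(("HIGH", "no update lock set on domain"))
    return findings

# Constructed sample data: placeholder names and documentation address ranges.
BASELINE = snapshot(["ns1.dns-host.example.", "ns2.dns-host.example."],
                    ["192.0.2.10"], ["clientUpdateProhibited", "clientTransferProhibited"])
CLEAN = snapshot(["NS2.dns-host.example", "ns1.dns-host.example"],
                 ["192.0.2.10"], ["clientTransferProhibited", "clientUpdateProhibited"])
HIJACKED = snapshot(["ns1.other-host.example", "ns2.other-host.example"],
                    ["203.0.113.77"], ["clientTransferProhibited"])

if __name__ == "__main__":
    for name, obs in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, drift(BASELINE, obs))
```

A baseline that already includes an update lock makes the removal of that lock a finding in its own right, independent of any record change that follows it.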

At first, the SEA concentrated on hacking high-profile social media accounts to deliver its propaganda messages. More recently it has started to use this DNS poisoning attack to redirect the real site's visitors to its own site. In both cases the legitimate owners have little difficulty in regaining control, often in hours but usually within days. What this new Army document demonstrates is that the Army considers the SEA to be a potent, if so far somewhat limited, threat.
