Syrian Electronic Army Escalated Tactics Over 2013; Poised for More this Year

The Syrian Electronic Army was formed in May 2011 to push out pro-Assad messaging around the Syrian conflict
The Syrian Electronic Army was formed in May 2011 to push out pro-Assad messaging around the Syrian conflict

According to the CrowdStrike 2013 Global Threat Report, a copy of which was provided to Infosecurity, the Syrian Electronic Army (which it calls Deadeye Jackal) was formed in May 2011 to push out pro-Assad messaging around the Syrian conflict. The initial activity revolved around Facebook spamming and other disruptive attacks before moving on, in September of 2011, to website defacements. 

Early last year, in February, the SEA began a series of attacks leveraging social engineering to hijack the social network accounts of prominent news organizations. The hits came in a string: the New York Times, the Washington Post, the Financial Times, NPR, Reuters, AP, the BBC and even the satirical news organization known as the Onion.

Slowly, the attacks began having ramifications beyond simple nuisance. “One significant operation occurred on 23 April 2013, when the adversary took over the Twitter account of the Associated Press (AP) and sent out a message stating that the White House had been attacked and President Obama was injured,” noted CrowdStrike, in its report. “The White House released a statement correcting the report within minutes, but during that time the Dow Jones dropped more than 150 points."

Then, it moved up to the big leagues in July 2013. It initiated a number of attacks against communication technology companies and third-party service providers of major media outlets, resulting in data exfiltration and disruption of social media and web properties. It’s believed that some were chosen based on a belief that Syrian oppositional groups were using the communication platform.

The first of these attacks occurred against Truecaller, a global telephone directory that incorporates crowdsourcing to aggregate data about telephone numbers and with whom they are associated. Then, it compromised and exfiltrated data from the network of a company called TangoME, a voice and messaging communication platform. Subsequently, in late July, it hit mobile voice and messaging company Viber.

“It is possible that Tango [and Viber were] chosen as a target because of a belief that Syrian oppositional groups were using the application to coordinate protests and attacks against pro-regime forces,” CrowdStrike noted. The SEA claimed to be providing the information to the Syrian government.

Now, since September 2013, the SEA “has been engaged in sustained spear phishing campaigns with the purpose of credential collection from U.S.-based media outlets and government entities,” the firm said.

In October 2013, CrowdStrike Intelligence became aware of a SEA-led spear phishing campaign for the purpose of credential collection.

“This was the first indication that Deadeye Jackal was using its victims’ infrastructure to support its ongoing operations,” CrowdStrike said. “Spear-phish emails appeared to come from individuals at Saudi Arabia’s Ministry of Foreign Affairs, media organizations (NBC and Tribune Company), and a company that provides email and other messaging services to the U.S. government (GovDelivery).”

Users clicked on what appeared to be a link to a news story, but the actual link went to a URL, which immediately redirected users to spoofed webmail login pages.

“Given the observed development of Deadeye Jackal since May 2011, from Facebook spamming to account takeover to data exfiltration and then to more efficient targeting against third-party service providers of victims, it is quite plausible that this adversary would use the infrastructure of their previously compromised victims as a resource to support ongoing campaigns,” the firm said.

Taken in total, these operations targeted both high-profile media organizations and US government entities, as well as third-party communications platforms. The common technique across the various operations was credential collection activity accomplished using spear phishing attacks, and attacks on third-party service providers.

“As we look at what 2014 has in store, there are a number of areas where ongoing conflict is likely to continue, and some where it may intensify,” CrowdStrike said. “The Arab Spring continues to impact governmental stability in parts of the Middle East/North Africa region; this is an area to watch for proliferation of cyber operations. Within that geographical area, Syria remains an area of concern, but more alarming is the influx of Syrian refugees into surrounding countries, particularly Jordan, which could potentially drag those countries into the conflict.”

What’s hot on Infosecurity Magazine?