Syrian Electronic Army Hacks Microsoft, and the Country Disappears from the Web

The Syrian Electronic Army has released what it alleges are hacked invoices from Microsoft

The news ironically comes as Akamai Technologies, Renesys and others reported Syria as effectively disappearing from the internet in a wholesale outage of connectivity.

The documents – if they’re real, and neither party is confirming that they are – show that Microsoft charges the DITU anywhere from $50 to $200 per transaction for the requested customer information, with monthly totals reaching significant chunks of change. For instance, December 2012’s total was $145,100; for August 2013, it was $352,200. And so on.

But real or not, Microsoft has copped to the fact that this sort of thing is par for the course. "Regarding law enforcement requests, there’s nothing unusual here," a Microsoft spokesperson told the Verge. "Under US law, companies can seek reimbursement for costs associated with complying with valid legal orders for customer data. We attempt to recover some of the costs associated with any such orders."

That may be, but consumers may feel differently, particularly if there’s an air of profiting from surveillance – a perception that runs counter to all of Microsoft’s attempts to reassure customers that it’s not doing anything unsavory with spy agencies. Transparency has become a new brand for Microsoft in the wake of Edward Snowden’s leaks about mass surveillance and tech companies’ possible roles in it. This may be a legal – and limited – way for it to give law enforcement access to citizen data, but the “optics” of it, as political analysts say, aren’t exactly positive for the world’s largest software company.

That plays to the SEA’s core mission. The organization is a pro-Syria hacktivist group with a long history of hacking popular Western targets ranging from the New York Times to NPR to even the Onion faux news site. Typically it hijacks Twitter feeds or defaces homepages, as it did with Microsoft itself back in January. But it has been escalating its tactics, and in this case it says it lifted documents using a standard phishing gambit to gain email credentials – and it subsequently leaked those documents to The Daily Dot for analysis, going that much further to undermine consumer confidence.

“This latest news once again highlights the SEA’s success using data entry phishing attacks,” said Scott Gréaux, vice president at PhishMe, in a statement. “By removing malware from the equation they are able to evade existing technologies to steal data, embarrass media outlets and overall further their political agenda.”

However, that agenda may not be furthered at all without access to the internet. All 84 of Syria’s IP address blocks became unreachable on Thursday night, effectively removing the country from the Internet.

As Renesys explained in a blog post:

“Looking closely at the continuing Internet blackout in Syria, we can see that traceroutes into Syria are failing, exactly as one would expect for a major outage. The primary autonomous system for Syria is the Syrian Telecommunications Establishment; all of their customer networks are currently unreachable.

Now, there are a few Syrian networks that are still connected to the Internet, still reachable by traceroutes, and indeed still hosting Syrian content. These are five networks that use Syrian-registered IP space, but the originator of the routes is actually Tata Communications. These are potentially offshore, rather than domestic, and perhaps not subject to whatever killswitch was thrown today within Syria.

These five offshore survivors include the webservers that were implicated in the delivery of malware targeting Syrian activists in May of this year.”
