Syrian Electronic Army

The Syrian Electronic Army (SEA) is a threat actor group directly aligned with President Bashar al-Assad’s regime in Syria. Known initially for its hacktivism, the SEA has, over time, apparently compromised many media targets. One of many examples was their attack on the Financial Times. While this attack vector initially involved only email, their goal was to steal and compromise additional account credentials. The F.T. responded promptly and warned employees and stakeholders immediately of the ongoing threat. The Syrian Electronic Army, in response, sent phishing emails that appeared to mimic the Financial Times I.T. internal communications and thus were able to compromise even more users!

It is worth noting that Russia has been similarly aligned in its support of the administration of President Bashar al-Assad of Syria since the beginning of the Syrian conflict in approximately 2011. In September 2015, Russia supported al-Assad with military aid and direct military involvement. So, threat researchers may be well rewarded by maintaining vigilance on cyber activities related to the SEA and other al-Assad-aligned threat groups, as they may ultimately link to Russian state entities or state-sponsored threat actors.

The origin of the Syrian Electronic Amry is murky, but some of their organization’s members are based within universities within Syria. The SEA also appears to have equally obscure links to the militant group Hezbollah. Most revealing is that by tracking SEA’s financial statements, it is now believed that they have direct backing from Syrian government organizations.

Hezbollah is a Shiite Muslim political party and militant group based in Lebanon. Hezbollah has extensive security resources, a highly active political organization, and a widespread social services network designed to gain the support of the Lebanese populace. In addition, Hezbollah often works in coordination with Iranian threat actors.

The rabbit hole may go deeper than we know. All of this makes the resources, connections, and future activity of the SEA challenging to forecast. The SEA maintains that it is not taking orders or direction from Syrian government entities. However, the SEA does appear to forward information obtained during hacking activities to the Syrian government. To make the issue even more complex, several years ago, unnamed intelligence officials in the west commented that threat actors and government entities within Iran might back SEA.

The Syrian Electronic Army generally targets media organizations in the United States and other western countries. SEA also targets people working in foreign government organizations and military branches. In many cases, this personnel is a target for espionage. This cyber espionage is mainly disavowed by SEA. An example of their activity included an attack on Reuters, during which SEA redirected a page that read, “Hacked by the Syrian Electronic Army.” This desire for attribution and recognition is most typical of hacktivist activity. They want to self-proclaim their fame and capabilities to the public at large. Almost nine years ago, SEA malicious activity included targets such as The Washing Post, CNN, Time, and the New York Times.

The goals of activists such as the Syrian Electronic Army are to proclaim their beliefs on issues involving Syria. SEA activity primarily attempts to scare or intimate government officials and journalists that take a position against the al-Assad regime.

Although years ago, the threat group got the U.S. government’s attention such that official charges were filed against three individuals central to SEA’s malicious activity. They were charged with hacking, creating a hoax about a terrorist attack, and attempting to cause a mutiny within the U.S. armed forces. As a result, two individuals were placed on the FBI’s “Cyber” Most Wanted List with $100,000 rewards. The third suspect was in Germany.

In terms of cyber tools and malicious code, SEA has invested over time in malware called SilverHawk. SilverHawk is being built into fake updates for various security and privacy-focused communications apps, including WhatsApp and Telegram. The SEA also created Microsoft Word, and YouTube fakes filled with the SilverHawk spyware in their attempts to hack into Google Android devices.

More recently, the Syrian Electronic Army was potentially linked to a Syrian government-backed hacking campaign that distributed spyware coronavirus-themed applications. The hacking campaign unsurprisingly targeted critics of the Syrian government. Not always directly attributable to SEA, many malicious Android spyware applications are linked to coronavirus lures that Syrian-linked hackers have released.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.