SYRIA’S OTHER ARMY: HOW THE HACKERS WAGE WAR
By Matt Buchanan
At 5:41 P.M. on Tuesday, a tweet from the account of the hacker collective known as the Syrian Electronic Army, which supports the regime of Syria’s President, Bashar al-Assad, said, “Media is going down…” It had been a couple of hours since the Web site of the Times had gone offline for the second time this month. Roughly forty-five minutes later, the account asked Twitter, “Are you ready?” Some users had noticed that the backgrounds of their Twitter profiles had been transformed to Syria-related pictures. While Twitter quickly recovered, the Times continued to be inaccessible to some users for a day; as of 6:20 P.M. on Wednesday, the Times’s Twitter account was still advising those readers to use an alternate Web address.
The S.E.A.’s attacks on media organizations and journalists have been remarkably successful—in terms of collecting trophies, if nothing else. In 2012, it struck Al Jazeera several times, breaking into its English Web site, its Twitter accounts, and the network’s S.M.S. text service, which the S.E.A. used to broadcast multiple fake news alerts. This past March, it gained control of several BBC Twitter accounts. In April, it hijacked the Twitter account of the Associated Press, and tweeted, “Breaking: Two Explosions in the White House and Barack Obama is injured,” sending the Dow down around a hundred and fifty points that afternoon. It also defaced NPR’s Web site, and commandeered the Twitter accounts of “60 Minutes” and the Guardian. In May, it compromised the Twitter account of the Onion, tweeting vaguely Onion-ish headlines like “UN’s Ban Ki Moon condemns Syria for being struck by israel: ‘It was in the way of Jewish missiles’ onion.com/104PKAs.” That same month, it hacked the Financial Times’s Web site and several associated Twitter accounts, as well as the account of E! News. Then it took over the Reuters Twitter feed. And earlier this month, it broke into Outbrain, a third-party service that recommends stories on news sites, allowing the S.E.A. to vandalize the Web sites of Time, CNN, and the Washington Post “in a single strike.” It also redirected Post readers to one of its own sites; that attack had been its most sweeping to date.
On Tuesday, the S.E.A. did not hack the Times or Twitter directly. Rather, it breached Melbourne IT, a domain-name registrar that the Times and Twitter both used to manage their Web addresses. Once it had access to Melbourne IT, it altered the domain records of the Times and Twitter. In the Times’s case, it sent some users who went to the newspaper’s Web site to one controlled by the S.E.A.; for Twitter, it listed itself as the owner of twitter.com, and redirected one of the company’s addresses, twimg.com, which Twitter uses to host backgrounds for profiles, to one of the S.E.A.’s addresses. As the networking company CloudFlare explained in a detailed post about the attack, the Times suffered a prolonged outage because the changes made by the S.E.A. set off a chain reaction, breaking things at multiple levels.
The chief information officer of the New York Times Company told the paper that compared to previous attacks, the assault on the Times and Twitter through Melbourne IT was like “breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites.” Formed in 1996, Melbourne IT is the largest domain name registrar in Australia, and one of the oldest and largest globally; it manages millions of domain names. It did, moreover, “have a reputation of being one of the more secure, business-oriented registrars,” said Jaeson Schultz, a threat-research engineer at Cisco Systems who has been following the S.E.A.’s activities, which is one of the reasons the registrar counts the Times, Twitter, and other large organizations among its customers.
But the S.E.A.’s method, though its execution was sophisticated, was rather simple conceptually: it began by gaining access to Melbourne IT’s system using the log-in credentials of a U.S.-based domain reseller, which it obtained using a technique known as spearphishing. This is as much an exploitation of human weakness as it is a technical accomplishment: it’s a gambit designed to trick people into voluntarily revealing information in response to what appears to be a message from a legitimate Web site or service. For example, a link in an e-mail takes a user to what looks like Google’s log-in page, which then captures the user’s Google name and password.
Spearphishing through e-mail has consistently been the S.E.A.’s tactic of choice, Schultz said in a phone call. The S.E.A.’s attempts can be “tough to spot” for the average user because they’re so carefully crafted. It’s not just that the fake log-in screens are well executed; Schultz notes that, at this point, “they’ve broken into several different media organizations’ inboxes, and there’s probably a lot of good info in there,” like names and places that can be used to make e-mails seem legitimate. For instance, in the attack on the Onion, one of the booby-trapped e-mails purported to be from Elizabeth Mpyisi at the U.N. Refugee Agency—a real person—and the one on the A.P. used the name of an A.P. staffer, according to Jim Romenesko. Still, Schultz does believe the S.E.A. will “face diminishing returns” if it continues to use the same kind of attacks. After the latest breach, for instance, Domain Name System providers—which do the work of translating the recognizable Web address you type into a browser to its actual address (nytimes.com translates to 188.8.131.52, for example)—could hunt for addresses used by the S.E.A. to re-register domains, and prevent further damage from occurring. Moreover, it’s likely that organizations will put in place additional measures to secure their domains—requiring, for instance, any change to the domain record to be authorized by one of a small number of individuals. “They’re going to have to adapt,” Schultz said.
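The two safeguards the article points to for an incident like the Melbourne IT breach, tighter control over who may change a domain record and watching for changes to where a domain points, can both be checked from a registry’s WHOIS output. The script below is an added example, not code from the article or from any of the companies it names. It parses the key/value WHOIS format used by most gTLD registries, checks for the EPP status codes defined in RFC 5731 (the client* codes are locks a registrar sets on a customer’s behalf; the server* codes, usually sold as a “registry lock,” are set by the registry itself and are not cleared through the registrar’s ordinary provisioning path, which is what an attacker holding a stolen reseller log-in would be using), and compares the domain’s name servers with the set the owner expects. The domain names, registrar name and name servers in the sample records are constructed for the example and are not real WHOIS output.

```python
"""Registrar-hijack monitor (added example): check a domain's WHOIS status
codes and name-server delegation. A real deployment would feed this the
output of `whois <domain>` (or the RDAP equivalent) on a schedule and alert
on any finding; here the WHOIS text is embedded so the script runs offline."""
import re

# EPP status codes from RFC 5731. client* codes are applied by the registrar;
# server* codes ("registry lock") are applied by the registry and survive a
# compromise of the registrar account.
CLIENT_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
SERVER_LOCKS = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}

# "Domain Status: clientTransferProhibited https://icann.org/epp#..." -> code only
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_whois(text):
    """Return (set of status codes, set of lower-cased name servers)."""
    statuses = {m.group(1) for m in STATUS_RE.finditer(text)}
    nameservers = {m.group(1).lower().rstrip(".") for m in NS_RE.finditer(text)}
    return statuses, nameservers


def assess(text, expected_ns):
    """Return the findings a monitor should alert on; an empty list means all clear."""
    statuses, nameservers = parse_whois(text)
    findings = []
    missing_server = sorted(SERVER_LOCKS - statuses)
    if missing_server:
        findings.append("no registry lock: missing " + ", ".join(missing_server))
    missing_client = sorted(CLIENT_LOCKS - statuses)
    if missing_client:
        findings.append("registrar lock incomplete: missing " + ", ".join(missing_client))
    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    if nameservers != expected:
        findings.append(
            "delegation changed: added %s, removed %s"
            % (sorted(nameservers - expected), sorted(expected - nameservers))
        )
    return findings


# Constructed sample data (hypothetical names, not real registry output).
EXPECTED_NS = ["ns1.publisher-dns.example", "ns2.publisher-dns.example"]

LOCKED_RECORD = """\
Domain Name: NEWSPAPER.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.PUBLISHER-DNS.EXAMPLE
Name Server: NS2.PUBLISHER-DNS.EXAMPLE
"""

# The same domain after a change of the kind the article describes: the locks
# are gone and the delegation now points at name servers the owner does not run.
HIJACKED_RECORD = """\
Domain Name: NEWSPAPER.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.ATTACKER-DNS.EXAMPLE
"""

if __name__ == "__main__":
    for label, record in (("locked", LOCKED_RECORD), ("hijacked", HIJACKED_RECORD)):
        findings = assess(record, EXPECTED_NS)
        print(label + ":", "all clear" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The delegation check is the one that would have fired first in the Melbourne IT case, since the registrar account was used to repoint domains; the lock check is the preventive control, and the server-side codes are the ones worth insisting on, because a registrar-level lock can be removed by whoever holds a valid registrar log-in.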
The S.E.A. already has adapted in a way that makes its attacks more punishing: while previous assaults focussed on media organizations directly, the S.E.A. has recently begun targeting third-party services and infrastructure that the media rely on, allowing it to hit multiple targets at once. The widespread use of third-party services for things like commenting or content recommendations makes each site only as secure as its weakest service. Last week, the S.E.A. compromised the GoDaddy domain account of ShareThis, a content-sharing company whose widget is on more than two million Web sites, and changed its domain records. Its occupation of Outbrain a couple of weeks ago is another example, as was its incursion into SocialFlow, a social-media management service used by a number of publishers.
Few concrete facts are known about the S.E.A., but it has the appearance of a loose hacker collective. It formed in 2011, in the midst of the Syrian uprisings, and it is assuredly pro-Assad. It has targeted Web sites and services associated with dissidents and organizations it believes are aligned with rebels, as well as media organizations. It said, of Tuesday’s attack, that it “placed twitter in darkness as a sign of respect for all the dead #Syria-ns due to the lies tweeted it.” In what it called “an anti-war message” posted on Pastebin, the group stated, “The Syrian army, which has lost tens of thousands of soldiers who were defending their homeland with nothing more than a rifle, would never have been the one to use chemical weapons.”
Whether the S.E.A. is under the control of the Syrian government is unclear. The Times notes that Syrian rebels and some security researchers consider the S.E.A. to be the “outward-facing campaign of a much quieter surveillance campaign focused on Syrian dissidents,” and note that Assad has publicly touted the group as “a real army in a virtual reality.” Moreover, the Syrian Computer Society, which regulates the Internet within Syria—and was headed by Assad before he became President—at one point hosted the group’s Web site at the address sea.sy, after its original domains were seized by a U.S.-based domain registrar. In May, the S.C.S. cut the group off, and in interviews, self-proclaimed leaders of the group have claimed to have no direct ties to the government, monetarily or otherwise. (While the S.E.A.’s Web sites are currently down, the security researcher Brian Krebs notes that the domains are now hosted in Russia.) In a recent interview with the Daily Beast, a supposed leader of the group, calling himself “SEA the Shadow,” said that the S.E.A. is made up of nine college students living in Syria. While Motherboard and Brian Krebs each claim to have unmasked a member of the group, the S.E.A.’s Twitter account has mocked them and called the Motherboard article “false.” (E-mails sent to the group have so far gone unreturned.) Read more in The New Yorker.