Outage Summer: What To Know About The Syrian Electronic Army

Aug 27, 2013
Originally published on August 28, 2013 5:39 pm

In the latest hacking that brought down The New York Times on Tuesday, evidence points to the activist group of hackers known as the Syrian Electronic Army. This group also took out The Washington Post briefly last week and has used phishing attacks to take control of NPR.org and other national news organizations in previous months. The Washington Post notes:

"Several news Web sites, including The Washington Post, were affected by a breach at the third-party content provider Outbrain, which redirected some visitors to sites promoting the online activist group, the Syrian Electronic Army."

You may recall The Times just suffered a two-hour outage earlier this month, but a spokeswoman blamed that on an internal error and not a "malicious external attack," which is how she described today's incident.

So What Is The Syrian Electronic Army?

The SEA is a group of anonymous computer hackers who support embattled Syrian President Bashar Assad. The group seems to have emerged during the rise of anti-regime protests in Syria in the spring of 2011. While Assad has a background in computing, "the group's formal ties to the administration are unclear," The Post reports.

Infosecurity Magazine did note, however, that the group's official website was registered by the Syrian Computer Society, and Reuters reported that the Syrian Computer Society is "a group now widely believed to have been something of a precursor to the 'Syrian Electronic Army.' "

Biggest "Hits"

The SEA has been hacking social media accounts associated with major news organizations and human rights organizations. It successfully hacked the Associated Press' Twitter account in April and falsely tweeted that the White House was bombed and that President Obama was injured. That tweet sent the stock market spinning, briefly losing $136 billion in value. (On Tuesday, the SEA reportedly hacked Twitter's registry accounts and altered contact details and domain name server information, The Next Web said.)


Targets seem to fall into three categories: media properties, communications companies and political activists in Syria. Among media targets, prominent names are on the list of SEA victims. They include the AP, BBC, NPR, Human Rights Watch, Al-Jazeera, Reuters, The Washington Post, The New York Times, Saudi-based broadcaster Al-Arabiya, Harvard University and a number of Twitter accounts associated with these organizations.

Communications companies like Twitter, and previously, Viber, a free VoIP and text messaging service, have been targeted. But, as Reuters notes, the most important targets of the SEA are likely inside Syria:

"The true priority for the real computer experts of both the government and opposition, most believe, will be the cat and mouse game between government surveillance systems and the opposition networks they are trying to track.

"For Assad's opponents, evading government detection has long been a matter of life and death. Autocratic governments around the world, specialists say, have put considerable effort into tightening their Internet surveillance on potential dissidents since last year's 'Arab spring' ousted rulers in Tunisia, Egypt, Libya and Yemen.

" 'The primary target of SEA is certainly their own citizens,' said Alexander Klimburg, cyber security expert and fellow at the Austrian Institute for International Affairs."


The SEA spreads political propaganda supportive of Assad and his regime. When the group hacked Reuters, for example, it posted a series of tweets linking to a pro-government cartoon. When the group attacked NPR in April, this statement appeared on the SEA's Twitter page, an account that is now suspended:

"We will not say why we attacked @NPR ... They know the reason and that enough #SEA #Syria."

As our Two-Way blogger Mark Memmott noted, another message read, "We hope that NPR got our message #Syria."


These attacks come as U.S. leaders ramp up their language about how Syria should be held accountable for chemical attacks on its people.

"While the SEA frequently makes attacks that aren't particularly clear in their intention, others have clearly targeted tools that are used throughout the Middle East by rebels," writes technology site The Verge.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.


You may have noticed that The New York Times' website was knocked offline yesterday. The Syrian Electronic Army, a group that supports Syrian President Bashar al-Assad, claimed responsibility for the action. The hacktivists, as such groups are known, have launched a series of high profile attacks this year.

NPR's Steve Henn tells us what's known and what's not about the Syrian Electronic Army.

STEVE HENN, BYLINE: In the last six months, the Syrian Electronic Army has targeted NPR, the AP, Reuters, Harvard, the White House, The Washington Post, and now, The New York Times.

KENNETH GEERS: They have achieved numerous tangible successes on the cyber battlefield, the depth and the breadth of which indicate some level of state sponsorship.

HENN: Kenneth Geers is at the IT security firm FireEye. Previously, Geers worked for the Naval Criminal Investigative Service and the NSA. And he points out that not all of the Syrian Electronic Army's attacks have focused on media companies or propaganda.

GEERS: A couple of weeks ago, they took down three very large online telecommunications websites that could give Syrian intelligence access to many, many people that they would be looking for.

HENN: The precise role the group plays isn't clear but there are signs of its connection to the Assad regime. The Syrian Electronic Army's official website was registered by the Syrian Computer Society. In the late '80s and '90s, before he entered politics, Bashar al-Assad served as the society's president. But there's still debate in the security community about whether or not this group is really more of a loosely affiliated group of online hacktivists, kind of like a pro-Assad version of Anonymous.

In most of the group's attacks the hackers have tried to trick their targets into handing over their sign-in information on sensitive, protected accounts.

MIKE CONVERTINE: Credential stealing is not exactly the pinnacle of skill.

HENN: Mike Convertino is a security expert CrowdStrike and a former Air force colonel. Convertino says what's even more telling is what the group does once it gets inside a system. Typically it tries to take down a website or post pro-Assad messages.

CONVERTINE: This tends not to be the kind of thing that governments do.

HENN: Instead, he says, sophisticated state actors would be more likely work to gain more access and then gather intelligence. If they compromised a news organization's email accounts they'd start searching for opposition sources in Syria.

CONVERTINE: Absolutely, you would use those accesses to reporters if you had dissidents that you were worried about, to track the dissidents.

HENN: Yesterday's attack, which knocked The New York Times website offline, didn't infiltrate The Times' servers themselves. Instead it attacked the system that routes Internet traffic around the globe. In effect, hackers took control of The New York Times domain name, www.nytimes.com, and rerouted traffic to a site they controlled.

Attacks like that probably don't help the Assad regime on the ground but they're dramatic. And yesterday, they gave the Syrian Electronic Army a propaganda victory, as the U.S. and its allies make the case for armed strikes.

Steve Henn, NPR News, Silicon Valley. Transcript provided by NPR, Copyright NPR.