How SEA hacked email accounts of Assad’s opponents

Motherboard published an interesting report on an espionage campaign conducted by the Syrian Electronic Army (SEA) against opponents of the Syrian Government.

Today I decided to present a very interesting story published by Lorenzo Franceschi-Bicchierai on Motherboard. It is a story about intelligence activities and how hacking supported them.

Let’s start from the victim, Dan Layman, who is the Director of Media Relations at the Syrian Support Group (SSG).

On November 19, 2013, Dan Layman received a disconcerting email from a fake address admin@fbi-useless.gov.

“We are watching you,” the message read. “No one will help you. You are all going down.”

The culprit is the Syrian Electronic Army (SEA), the well-known group of hackers aligned with Syrian President Bashar al-Assad, which in the past has hacked high-profile targets including Microsoft, eBay and PayPal.

The SEA claims to have also hacked into the email accounts of Louay Sakka, founder of the SSG; Mazen Asbahi, the former president of the SSG; and Oubai Shahbandar, a former Pentagon analyst and an advisor to the Syrian Opposition Coalition.

The motive is cyber espionage. The members of the SEA launched the campaign at the end of 2013, but there was no news about the operation until now. The SEA conducted targeted spear phishing attacks against a number of high-profile people in the Syrian opposition, including Salim Idris, the chief of staff of the Supreme Military Council (SMC) of the Free Syrian Army.

The SEA claims to have hacked seven high-profile people and offered Motherboard proof of the attack, but security experts speculate that many other individuals fell victim to the operation.

The SEA stole from the victims any information related to activities against the government of Syrian President Bashar al-Assad.

“If this is correct, it nuances the picture about how the SEA’s activities have diversified,” said John Scott-Railton, a researcher at the Citizen Lab. “At various times they might have been quietly hacking to collect information in the service of the regime.”

According to a SEA member, Layman’s email account was hacked by a simple brute force attack, which succeeded because the political figure used “easy and weak” passwords. Once in control of Layman’s email account, the SEA used it to go after his network of contacts, including members of the Free Syrian Army and of the Syrian Support Group.
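The weak-password brute force described above leaves a recognisable trace on the mail server: a burst of failed logins for one account, often from more than one source address, followed by a success. The following detection logic is an added example, not code from the article or from Motherboard; the log format and every line in it are constructed to loosely resemble IMAP login records and are not real data. It flags a failure burst per account inside a sliding window and, separately, a successful login that immediately follows such a burst, which is the event that most likely marks the moment the guess worked.

```python
"""Detect password brute force against mail accounts from authentication logs.

Added example; not from the Security Affairs or Motherboard articles.
The log format below is constructed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture). Format assumed:
#   <ISO timestamp> imap-login: auth <failed|ok> user=<addr> rip=<remote IP>
SAMPLE_LOG = """\
2013-11-18T21:00:01 imap-login: auth failed user=<press@ssg.example> rip=198.51.100.7
2013-11-18T21:00:03 imap-login: auth failed user=<press@ssg.example> rip=198.51.100.7
2013-11-18T21:00:05 imap-login: auth failed user=<press@ssg.example> rip=198.51.100.7
2013-11-18T21:00:08 imap-login: auth failed user=<press@ssg.example> rip=198.51.100.7
2013-11-18T21:00:11 imap-login: auth failed user=<press@ssg.example> rip=203.0.113.9
2013-11-18T21:00:14 imap-login: auth failed user=<press@ssg.example> rip=203.0.113.9
2013-11-18T21:00:20 imap-login: auth ok user=<press@ssg.example> rip=203.0.113.9
2013-11-18T21:05:00 imap-login: auth failed user=<ops@ssg.example> rip=192.0.2.44
2013-11-18T21:05:30 imap-login: auth ok user=<ops@ssg.example> rip=192.0.2.44
2013-11-18T23:00:00 imap-login: auth failed user=<press@ssg.example> rip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: auth (?P<result>failed|ok) "
    r"user=<(?P<user>[^>]+)> rip=(?P<rip>\S+)$"
)


def parse_events(lines):
    """Parse the constructed format into sorted (timestamp, result, user, rip) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the expected format
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["rip"]))
    events.sort()
    return events


def find_bruteforce(lines, threshold=5, window_minutes=10):
    """Return findings for accounts whose failed logins exceed `threshold`
    inside a sliding window of `window_minutes`, plus any success that
    follows such a burst. Failures are keyed by account, not by source IP,
    so guessing spread over several addresses is still counted together."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> deque of (timestamp, rip) failures in window
    findings = []
    for ts, result, user, rip in parse_events(lines):
        q = recent[user]
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if result == "failed":
            q.append((ts, rip))
            if len(q) == threshold:  # report once, when the burst first crosses the line
                findings.append({
                    "type": "burst", "user": user, "at": ts.isoformat(),
                    "failures": len(q), "sources": sorted({r for _, r in q}),
                })
        else:
            if len(q) >= threshold:  # a success right after a burst: the guess likely worked
                findings.append({
                    "type": "success_after_burst", "user": user, "rip": rip,
                    "at": ts.isoformat(), "failures": len(q),
                    "sources": sorted({r for _, r in q}),
                })
            q.clear()  # a successful login resets the account's failure history
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed input, the press account produces two findings (a burst at the fifth failure, spanning two source addresses, and a success after six failures) while the ops account, with a single typo-style failure before its success, produces none. Keying by account rather than by source address is deliberate: per-IP counting is what an attacker rotating addresses hopes you do. The finding is a trigger for lockout or step-up verification on the account, and the underlying fix is the one the article points at: credentials that cannot be guessed, backed by a second factor.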

Motherboard examined a collection of screenshots provided by the SEA as evidence of the attack. They show data stolen from the dissidents’ email accounts, including Idris’s passport and the names of SSG collaborators in Syria.

Layman confirmed that the compromise of his email account gave the SEA access to secret information, including SSG project proposals and shipment recipients and routes.

“There are also exchanges with government officials, such as an email with several US State Department members, or an email discussion with a UK Foreign and Commonwealth Office representative about negotiations regarding military assistance. Other stuff seems more innocent, like press releases or emails discussing well-known legislative proposals in the US,” reports Motherboard.

The SEA member Th3 Pr0 told Motherboard that the group was aware of the plans to subvert the regime, although none of the data appears to involve military secrets.

“We were watching their moves,” he said. “And what they were planning.”

Louay Almokdad, the former spokesperson for the Free Syrian Army, confirmed that he was a victim of the SEA, but he denied that the hackers obtained any sensitive data.

In response to the email hack, Layman said he took extra precautions when sending emails so as not to give the hackers an advantage.

“That was our standard operating procedure for a couple of months after to make sure we wouldn’t get hacked again,” he said.

But the SEA claims to have had access to the victims’ accounts for a long time. Hacking operations against dissidents in Syria are nothing new: in February, security firm FireEye revealed that hackers had tapped into Syrian opposition computers and stolen gigabytes of secret communications and battlefield plans.

In that campaign the hackers infected the machines of the Syrian opposition with malware during flirtatious Skype chats. They targeted several members of the Syrian opposition located in Syria, including armed opposition members, humanitarian aid workers, and media activists.

Let me suggest reading the article published on Motherboard, which is full of interesting information.

Pierluigi Paganini

(Security Affairs – SEA, Syria)
