The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial-of-service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been "the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies".
Formation: 15 March 2011
In the 1990s Syrian President Bashar al-Assad headed the Syrian Computer Society, which is connected to the SEA, according to research by the University of Toronto and the University of Cambridge, UK. There is evidence that a Syrian Malware Team goes as far back as January 1, 2011. In February 2011, after years of internet censorship, Syrian censors lifted a ban on Facebook and YouTube. In April 2011, only days after anti-regime protests escalated in Syria, the Syrian Electronic Army emerged on Facebook. On May 5, 2011 the Syrian Computer Society registered SEA's website (syrian-es.com). Because Syria's domain registration authority registered the hacker site, some security experts have written that the group was supervised by the Syrian state. SEA claimed on its webpage to be no official entity, but "a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria". By May 27, 2011 SEA had removed the text that denied it was an official entity. One commentator has noted that "[SEA] volunteers might include Syrian diaspora; some of their hacks have used colloquial English and reddit memes."
According to a 2014 report by security company Intelcrawler, SEA activity has shown links with "officials in Syria, Iran, Lebanon and Hezbollah." A February 2015 article by The New York Times stated that "American intelligence officials" suspect the SEA is "actually Iranian". However, no data has shown a link between Iran's and Syria's cyber attack patterns according to an analysis of "open-source intelligence" by cyber security firm Recorded Future.
SEA has pursued activities in three key areas:
The SEA's tone and style vary from the serious and openly political to ironic statements intended as critical or pointed humor. SEA had "Exclusive: Terror is striking the #USA and #Obama is Shamelessly in Bed with Al-Qaeda" tweeted from the Twitter account of 60 Minutes, and in July 2012 posted "Do you think Saudi and Qatar should keep funding armed gangs in Syria in order to topple the government? #Syria" from Al Jazeera's Twitter account before the message was removed. In another attack, members of SEA used the BBC Weather Channel Twitter account to post the headline "Saudi weather station down due to head on-collision with camel." After Washington Post reporter Max Fisher called their jokes unfunny, one hacker associated with the group told a Vice interviewer "haters gonna hate."
In May 2018, two suspects were indicted.
The Syrian Computer Society acts as Syria's domain registration authority and regulates the Internet within Syria, and is also believed to be connected to Syria's state security apparatus. The Syrian Computer Society registered .sy domain names for the Syrian Electronic Army's servers, giving the hacker group a national-level domain name (sea.sy) rather than a .com or other non-government address, signifying its status as at least a state-supervised operation.
... the cybervandalism carried out in recent years by the Syrian Electronic Army, which American intelligence officials suspect is actually Iranian, and has conducted strikes against targets in the United States, including the website of The New York Times.
Just kidding. The Syrian Electronic Army was here.
Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers. Both SAM and LSAD are layered onto the DCE 1.1 Remote Procedure Call (DCE/RPC) protocol. As implemented in Samba and Windows, the RPC services allowed an attacker to act as a man in the middle. Although the vulnerability was discovered during the development of Samba, the SMB protocol from which Samba takes its name is itself not affected.
Bluehost
Bluehost is a web hosting company owned by Endurance International Group. It is one of the 20 largest web hosts, collectively hosting well over 2 million domains with its sister companies, HostMonster, FastDomain and iPage. The company operates its servers in-house in a 50,000 square foot (4,600 m²) facility in Provo, Utah, which is now shared with sister company HostMonster. Bluehost employs over 700 people in its Utah facility.
Bluehost was among those studied in the analysis of web-based hosting services in collaborative online learning programs. Bluehost offered shared hosting, WordPress hosting, VPS hosting, dedicated hosting, cloud hosting, WooCommerce hosting and many more types of hosting and domain services. Bluehost servers are powered by PHP7, HTTP/2 and NGINX+ caching.
Dexter (malware)
Dexter is a computer virus, or point-of-sale malware, which infects computers running Microsoft Windows and was discovered by IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data. In December 2013, researchers discovered StarDust, a major revision of Dexter, which compromised 20,000 cards in an active campaign hitting US merchants.
It was one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.
DoublePulsar
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack. Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar. He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system. Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.
Evercookie
Exactis LLC is a data broker established in 2015 and based in the U.S. state of Florida. The firm reportedly handles business and consumer data in an effort to refine targeted advertising.
Gigya
Gigya, Inc. is a technology company founded in Tel Aviv, Israel and headquartered in Mountain View, California, with additional offices in New York, Tel Aviv, London, Paris, Hamburg, and Sydney. It offers a customer identity management platform for managing profiles, preferences, opt-in and consent settings.
iSeeYou
iSeeYou is a security bug affecting iSight cameras in some Apple laptops.
Internet censorship in Syria
Internet censorship in Syria is extensive. Syria bans websites for political reasons and arrests people accessing them. In August 2009 the OpenNet Initiative found filtering and blocking to be pervasive in the political and Internet tools areas, and selective in the social and conflict/security areas. Internet connectivity between Syria and the outside world shut down in late November 2011, and again in early May 2013. Syria's Internet was cut off more than ten times in 2013, and again in March 2014. The Syrian government blamed terrorists for the cutoffs.
Internet censorship in the Arab Spring
Internet censorship escalated during the Arab Spring. Restricting Internet freedom was a tactic employed by authorities to quell protests. Rulers and governments across the Arab world utilized the law, technology, and violence to control what was being posted on and disseminated through the Internet. The peoples of Egypt, Libya, and Syria witnessed full Internet shutdowns as their respective governments attempted to quell protests. In Tunisia, the government of Zine El Abidine Ben Ali hacked into and stole passwords from citizens' Facebook accounts. In Saudi Arabia and Bahrain, bloggers and "netizens" were arrested and some are alleged to have been killed. The developments since the beginning of the Arab Spring in 2010 have raised the issue of Internet access as a human right and have revealed the type of power certain authoritarian governments retain over the people and the Internet.
Kayako
Kayako is a customer service software company based in London, United Kingdom. Kayako builds customer service and help desk software which businesses use to talk to and support their customers. Kayako was founded in 2001 in Jalandhar, India and has since relocated its headquarters to London, United Kingdom. In addition to its London location, the company has offices in Gurgaon, India and Singapore. The company now serves 50,000 customers in over 100 countries, including Peugeot, De Beers, NASA and the American Motorcyclist Association. Kayako was cited as a direct competitor in the S-1 IPO filing that Zendesk (another help desk software company, listed on the New York Stock Exchange) made with the Securities and Exchange Commission.
List of hacker groups
This is a partial list of notable hacker groups.
OurMine, a hacker group that compromised celebrities' and YouTubers' Twitter accounts for "security" reasons.
SkidNP, a group of hackers active around 2015-2016 that performed many DDoS attacks around the Christmas holidays against websites such as Steam and Xbox; it also defaced many sites, which ended in the leaking of website databases. The group had around 5-7 members, including Obstructable, HarmIessss, Stazexor and NullSploit. The group died off at the end of 2016.
414s, named after area code; gained notoriety in the early 1980s as a group of friends and computer hackers who broke into dozens of high-profile computer systems, including ones at Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank.
AnonCoders is a group of hackers originating in 2015. Using defacements, denial of service attacks, database hijacking, database leaks, admin panel takeovers, social media account compromises (Facebook, Twitter, email) and other methods, it mainly targets political groups and anti-Islam websites, including news organizations, institutions and other government, semi-government, military and educational websites around the world. AnonCoders' first attack was leveled against several major Israeli websites. In February, it attacked numerous French websites in opposition to cartoons of the Islamic prophet Muhammad published in Charlie Hebdo magazine. The group has vandalized sites in Israel, Europe, and the United States.
Anonymous, originating in 2003, was created as a group for people who fought for the right to privacy.
Chaos Computer Club is based in Germany and other German-speaking countries. Famous among older hackers.
Cicada 3301, a group of hackers and cryptographers that recruited from the public on three occasions between 2012 and 2014 by way of complex puzzles and hacking scavenger hunts.
Croatian Revolution Hackers, a now defunct group of Croatian hackers credited with one of the largest attacks to have occurred in the Balkans.
Cult of the Dead Cow, also known as cDc or cDc Communications, is a computer hacker and DIY media organization founded in 1984 in Lubbock, Texas.
CyberVor is the moniker given to a group of Russian hackers responsible for perpetrating a major 2014 theft of internet credentials.
DCLeaks, claims to be a group of "American hacktivists who respect and appreciate freedom of speech, human rights and government of the people."
Decocidio#Ө is an anonymous, autonomous collective of hacktivists which is part of Earth First!, a radical environmental protest organisation, and adheres to Climate Justice Action.
DERP, a hacker group that attacked several game sites in late 2013.
Digital DawgPound (DDP).
Equation Group, suspected to be the offensive operations wing of the U.S. National Security Agency.
Ghost Squad Hackers, abbreviated "GSH", is a politically motivated hacktivist team led by the de facto administrative leader known as "s1ege". The group's primary intent and focus is anti-government and anti-organization cyber protest tied to current events and media coverage, from 2016 to the present.
Global kOS was a grey hat (leaning black hat) computer hacker group active from 1996 through 2000.
globalHell was a group of hackers, composed of about 60 individuals. The group disbanded in 1999, when 12 members were prosecuted for computer intrusion and 30 for lesser offences.
Goatse Security (GoatSec) is a loose-knit, nine-person grey hat hacker group that specializes in uncovering security flaws.
Hackweiser is an underground hacking group and hacking magazine founded in 1999.
Honker Union is a group known for hacktivism, mainly present in Mainland China, whose members launched a series of attacks on websites in the United States, mostly government-related sites.
L0pht was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area.
Level Seven was a hacking group during the mid to late 1990s. It eventually dispersed in early 2000, when their nominal leader "vent" was raided by the FBI on February 25, 2000.
LulzSec, a group of hackers originating and disbanding in 2011 that claimed to hack "for the lulz". Currently broken up.
Legion of Doom (LOD) was a hacker group active from the early 1980s to the mid-1990s. Had a noted rivalry with Masters of Deception (MOD).
Masters of Deception (MOD), whose initial membership grew from meetings on Loop-Around Test Lines in the early to mid-1980s. Had a noted rivalry with Legion of Doom (LOD).
Mazafaka, financially motivated group and crime forum.
milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Mumbai.
NCPH is a Chinese hacker group based out of Zigong in Sichuan Province.
P.H.I.R.M. (The PHIRM) was an early hacking group which was founded in the early 1980s.
RedHack is a socialist hacker group based in Turkey, founded in 1997. They usually launch attacks against the Turkish government's websites and leak secret documents of the Turkish government.
The Shadow Brokers (TSB), originating in summer 2016, published several leaks of National Security Agency (NSA) hacking tools.
Syrian Electronic Army is a group that claims responsibility for defacing or otherwise compromising scores of websites that it contends spread news hostile to the Syrian government or fake news.
TeaMp0isoN is a group of black-hat computer hackers established in mid-2009.
TeslaTeam is a group of black-hat computer hackers from Serbia established 2010.
TESO, was a hacker group originating in Austria that was active primarily from 1998 to 2004.
The Unknowns is a group of white-hat hackers that exploited many high-profile websites; the group was founded, became very active, and disbanded in 2012.
UGNazi, a hacking group led by JoshTheGod, founded in 2011. They are best known for several attacks on US government sites, leaking WHMC's database, DDoS attacks, and exposing personal information of celebrities and other high-profile figures on exposed.su.
YIPL/TAP - Youth International Party Line or Technological Assistance Program, was an early phone phreak organization and publication created in the 1970s by activist Abbie Hoffman.
Xbox Underground, an international group responsible for hacking game developers, including Microsoft.
Mahdi (malware)
Mahdi is computer malware that was initially discovered in February 2012 and was reported in July of that year. According to Kaspersky Lab and Seculert (an Israeli security firm which discovered the malware), the software has been used for targeted cyber espionage since December 2011, infecting at least 800 computers in Iran and other Middle Eastern countries. Mahdi is named after files used in the malware and refers to the Muslim figure.
Metulji botnet
The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the "Butterfly Bot", making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.
OpenNet Initiative
The OpenNet Initiative (ONI) was a joint project whose goal was to monitor and report on internet filtering and surveillance practices by nations. The project employed a number of technical means, as well as an international network of investigators, to determine the extent and nature of government-run internet filtering programs. Participating academic institutions included the Citizen Lab at the Munk Centre for International Studies, University of Toronto; the Berkman Center for Internet & Society at Harvard Law School; the Oxford Internet Institute (OII) at the University of Oxford; and The SecDev Group, which took over from the Advanced Network Research Group at the Cambridge Security Programme, University of Cambridge.
In December 2014 the OpenNet Initiative partners announced that they would no longer carry out research under the ONI banner. The ONI website, including all reports and data, is being maintained indefinitely to allow continued public access to ONI's entire archive of published work and data.
PLA Unit 61398
PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai.
Syrian Computer Society
The Syrian Computer Society is an organization in Syria. It was founded by Bassel al-Assad in 1989, and was subsequently headed by his brother Bashar al-Assad, who would later become the President of Syria. It acts as Syria's domain name registration authority and has been reported to be closely associated with the Syrian state. In May 2013, 700 domains registered by Syrians, mostly hosted at servers with IP addresses assigned to the Syrian Computer Society, were reported to have been seized by the U.S. DNS infrastructure operator Network Solutions. The domain names became registered to "OFAC Holding", believed to be a reference to the U.S. federal government's Office of Foreign Assets Control. Some members of the Syrian Computer Society belonged to the first group of supporters of the Syrian Electronic Army.
Tango (software)
Tango is a third-party, cross-platform messaging application for smartphones developed by TangoME, Inc. in 2009. The app is free and is popular for offering video calls over 3G, 4G and Wi-Fi networks. Tango has more than 200 million registered users as of March 2014 and, among Android devices, it is the 12th most downloaded app. It is rated by PCMag as "the simplest mobile chat application out there, with a good range of support."
Viber
Viber is a cross-platform voice over IP (VoIP) and instant messaging (IM) software application operated by Japanese multinational company Rakuten, provided as freeware for the Android, iOS, Microsoft Windows, macOS and Linux platforms. Users are registered and identified through a cellular telephone number, although the service is accessible on desktop platforms without needing mobile connectivity. In addition to instant messaging it allows users to exchange media such as images and video recordings, and also provides a paid international landline and mobile calling service called Viber Out. As of 2018, there are over a billion registered users on the network. The software was originally developed in 2010 by Israel-based Viber Media, which was bought by Rakuten in 2014. Since 2017 its corporate name has been Rakuten Viber. It is currently based in Luxembourg. Viber has offices in San Francisco, Minsk, Sofia, Moscow, Paris, Singapore and Manila.