The Syrian Electronic Army has been in the news a lot lately — in more ways than one. But who are they, what is their motivation, and why have they had so much success thus far?
They've taken down The New York Times, hijacked the Associated Press' Twitter feed and duped many into believing the White House had been bombed (the world panicked and the stock market plummeted before the deception was discovered).
This group of hackers, which supports the regime of Syrian President Bashar al-Assad, also appears to be responsible for hacking a number of other media websites, including NPR, The Washington Post and fake news site The Onion. In early August, the SEA hacked the blog of a contributor to Britain's Channel 4 news and posted a fake report of a nuclear strike on Syria.
In each case, the hacks seemed to come in response to an article or post that the SEA deemed anti-Assad.
The SEA's favored hacking methods include distributed denial of service (DDoS) attacks, in which hackers bombard a website with so many page views that they overwhelm the servers, effectively taking the website offline.
The SEA is also known to use phishing, which means sending official-seeming emails and websites to trick people into divulging login information. Once the SEA has this information, it places false or inflammatory posts on the compromised accounts.
Neither of these techniques is particularly sophisticated in terms of technical skill, but the SEA has been able to use them to great effect.
The most high-profile attack came on Aug. 27, when the SEA (or an organization claiming to be the SEA) effectively knocked The New York Times' website offline.
This time the SEA used a domain name system (DNS) attack, which is when attackers cause a url (in this case "www.nytimes.com") to be associated with a different webpage. In this case, visitors to "www.nytimes.com" instead found themselves on a website emblazoned with the banner "hacked by Syrian Electronic Army."
In terms of technical savvy, a DNS attack is only slightly more sophisticated than the SEA's previous attacks. However, given the prestige of its target and the amount of control — however brief — the SEA gained over The New York Times' Web domain, it appears the SEA is upping the ante of its attacks.
Who are the Syrian Hackers?
Knowing what the SEA has done and how they did it is one thing. But it's still unclear exactly who and what this group is.
"The SEA is not an organization that we understand," Kevin O'Brien, an enterprise solutions architect from cloud security company Cloudlock, told Tom's Guide.
"There's not a group of actual state hackers — [the SEA] seems to be a quasi-political group of hackers who are doing certain things in the name of a political conflict happening around the world," he wrote.
The SEA first appeared in May 2011 when its first website, Syrian-es.com, went live.
At first, this website described the SEA as a group of young Syrians with no official ties to the Syrian government who wished to "fight back" against the country's enemies. However, two weeks after the website went live, the part claiming that the group was unofficial was removed.
The SEA's ties to al-Assad
Most of the SEA's websites were registered by the Syrian Computer Society, which serves as a registry for Syrian-based websites. The Syrian Computer Society was founded by Bashar al-Assad's brother Bassel al-Assad in 1989, and Bashar al-Assad later headed it before becoming president.
The Syrian Computer Society even gave the SEA a domain name ending in ".sy" (as opposed to ".com" or ".org"), which is usually reserved for official Syrian Computer Society websites. This is the SEA's only confirmed government connection.
In a June 2011 speech, Bashar al-Assad praised a number of Syrian citizen groups for supporting his regime, including the SEA, which he said "has been a real army in virtual reality."
The SEA posted on its website that it was honored to be acknowledged, but reiterated that it had no official ties to al-Assad's government.
In 2013, a representative of the SEA describing himself as "a (not the) leader" told The Daily Dot that "we are not supported by anyone or part of the government. We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports."
In April 2013, a U.S. Web service provider called Web.com seized hundreds of domain names registered in Syria, citing trade sanctions against Syria as the reason for the action. Due to this action a majority of the SEA's websites offline, so the SEA moved the domains "sea.sy" and "syrianelectronicarmy.com" to a Russian Web host.
All that this background tells us is that some type of group calling itself the "Syrian Electronic Army" exists. The SEA's membership, recruitment methods and internal hierarchy are still a mystery.
Without more information about how the group makes decisions and executes attacks, it's impossible to know whether the SEA is responsible for The New York Times attack or even any of the other attacks associated with the group.
For example, just because the SEA claims responsibility for a hack doesn't necessarily mean that it's responsible; the group may be trying to increase its fame by riding on others' coattails.
Similarly, there's no way to tell whether a hacker claiming to represent the SEA actually has any ties with the organization.
And it's unclear what kind of resources or training the SEA has. They may not work directly with the Syrian government, but experts suspect that the SEA's membership includes some current and former government officials.
Thus far, the SEA has only launched unsophisticated attacks, but what the group lacks in technical finesse, they've made up for in persistence. As shown by the string of high-profile disruptions they've caused, their methods are working.