Earlier this month, several employees of the satirical news website The Onion received what looked like harmless unsolicited emails, containing apparently innocuous hyperlinks.
One such message purported to be from an address at the UN High Commissioner for Refugees; it invited the recipient to click through to an article seemingly from The Washington Post. In fact, the link redirected to a page that asked for the user’s Gmail password. The email had come not from the UN, but from the hacktivist group known as the Syrian Electronic Army (SEA).
According to a report of the incident published afterwards by The Onion, at least one of its employees was taken in by the SEA’s phishing attack on 3 May. From that person’s email account, the hackers emailed several more Onion staff on 6 May, directing them to another shady weblink.
Two of them unwittingly surrendered their Google credentials, and one of those two had access to the site’s social media accounts. Before The Onion could plug the leak, the SEA started posting from the site’s Twitter account to its almost five million followers.
The tweets were in a tone familiar to fans of Onion humour, but in a somewhat different spirit. “UN retracts report of Syrian chemical weapon use: ‘Lab tests confirm it is Jihadi body odour [sic]’,” read one example. As the world became aware of the hack, The Onion responded with what it does best: satirical news. The headline “Syrian Electronic Army has a little fun before inevitable upcoming deaths at hands of rebels” appeared on its website later the same day.
Social media has played a significant role in the Syrian civil war. In spite of widespread internet censorship and at least two lengthy communications blackouts, pro-revolution campaigners have used the web to spread information, to organise resistance and to generate support inside Syria and beyond. They have been matched, however, by the counter-revolutionary hacktivists of the SEA, staunch supporters of the regime of President Bashar al-Assad, who claim the rebel forces are really Western-backed Islamist terrorists. SEA hackers have made it their mission to humiliate those media outlets they perceive as hostile to Damascus.
In a June 2011 speech, President Assad himself praised the SEA for its efforts, describing the group as a “virtual army in cyberspace”. SEA hackers have since commandeered the Facebook pages of Oprah Winfrey and Nicolas Sarkozy, the tweets of the Fifa President, Sepp Blatter, and the website of Harvard University, whose homepage was redesigned as pro-Assad propaganda.
But their most high-profile hacks have targeted the Twitter accounts of major news outlets, including the Financial Times, NPR, BBC Weather, The Guardian and E! News. An attempt to hack the accounts of journalists at The Independent last week proved unsuccessful.
In spite of its unsophisticated phishing methods, the SEA was even able to cause a brief $136bn (£89bn) dip in the Dow Jones Index on 23 April, after it hijacked the Associated Press’s Twitter feed to claim that President Obama had been injured in a bomb attack on the White House.
Some observers suspect the SEA is a leaderless, self-organising group similar to the notorious hacking outfit Anonymous. But the SEA has an official website and a nominal leader, a 24-year-old hacker known as The Shadow. In an email interview with The Independent, Th3Pr0, the head of the SEA’s Special Operations division, said the group began as a Facebook community. “Firstly it was a page on Facebook,” he said. “Within a few days more than 60,000 Syrians joined. Facebook shut it down, and then a website for the group was launched in addition to accounts on all social media sites. Many people joined us, hundreds, thousands.”
The group arose, he claimed, from an organic mass of young Syrians, supportive of the government but not under its direction. They worked together online, from their homes and laptops inside and outside Syria, using simple hacking skills gleaned from the internet. “Our mission was to defend our country against the media campaign, first in the Arab media, and lately the Western media,” Th3Pr0 said.
“We don’t take money for our work, it’s our duty to defend our country … We are not working to achieve anything. We want to defend our country in cyberspace, and that’s all.”
James Lewis, a cyber-security expert at the Centre for Strategic and International Studies in Washington, DC, suggests the motivations of the SEA were emotional rather than strategic. “Think of it as digital graffiti,” he said. “You can spray graffiti on the World Bank headquarters saying ‘Down With Capitalism’, or you can deface their website. Either way, it’s a protest that makes you feel better but doesn’t have much effect. Assad can’t picket in front of the BBC headquarters, but he can encourage people to take over the BBC Weather Twitter feed.”
The level of President Assad’s involvement in the SEA’s activities is open to debate. Its members deny any direct connection with the Syrian government, but several experts dispute their claims of independence. Shortly after the SEA came to public attention two years ago, the University of Toronto academic Helmi Noman noted that the group had links to the Syrian Computer Society, of which Mr Assad himself was once the head.
Amjad Baiazy, a Syrian-born cyber-researcher who spent seven weeks as a prisoner of the regime in 2011, has speculated that the SEA is funded by the Syrian government, and trained by Iranian computer experts.
“It would be possible for amateur beginners to do everything the Syrian Electronic Army has done,” said Mr Lewis. “But it’s not plausible that they’re acting independently, without any connection to the government. Ask yourself: are there any anti-Assad groups in Syria who have been able to carry out this kind of thing?
“If the answer is no, it means the government is either consenting to or directing SEA activity. One technique would be to have a domestic intelligence agent recruit one person, who then sets up informal online groups. So the link to the government could be very tenuous – but it’s still there.”
A report in The Guardian even cited SEA defectors claiming Mr Assad’s wealthy cousin Rami Makhlouf had funded the relocation of the SEA’s headquarters to Dubai. “Not true,” said Th3Pr0. “They lied again.”
Wherever the attacks come from, they are set to continue. “All the enemies of Syria are targets for us,” Th3Pr0 went on. “Every media [outlet] that keeps publishing false reports and news about Syria is also a target … We are taking the attacks to the highest level.”
Hacked by the Syrian Electronic Army
Hackers for the Syrian Electronic Army claimed responsibility for hijacking the Associated Press Twitter account on 23 April, and tweeting that explosions at the White House had injured President Obama. The report prompted the Dow Jones to drop briefly by more than 150 points.
“Hacked by the Syrian Electronic Army” was the message posted as a headline on the FT’s technology blog last week. The paper’s Twitter accounts were also compromised, with the hackers using the FT Markets account to tweet “The Syrian Electronic Army was here” to hundreds of thousands of followers.
A series of tweets about fake weather conditions in Middle Eastern countries appeared on the BBC Weather Twitter account on 21 March, including “Saudi weather station down due to head-on collision with camel.” The SEA later claimed responsibility.