Experts Assess Syrian Hackers’ Capabilities

Emelie Rutherford, Global Security Newswire
Oct. 23, 2013, 11:02 a.m.

WASHINGTON — A Syrian hacking group’s reported defacing of Qatari government webpages over the weekend could signal a new direction for the organization that has infiltrated Western news websites and is loyal to Bashar Assad, the civil-war-torn country’s embattled president.

Still, U.S. cybersecurity experts said they don’t expect the so-called Syrian Electronic Army to take steps as drastic as compromising U.S. nuclear facilities or crippling the critical infrastructure of a major world power through a cyber attack — at least not in the near future, and not without help from other countries.

The Syrian Electronic Army is loyal to Assad, though U.S. analysts say its specific ties to the regime are not clear. The group in recent months has targeted news and communications websites in and out of the United States, with suspected actions including disabling the New York Times’ page in August and posting pro-Assad messages on a U.S. Marine Corps page in September. It infamously caused U.S. stock markets to dip in April after posting a fake news alert about a White House bombing on the Associated Press’ Twitter page.

This past Sunday, Qatari officials said they recovered government websites targeted by the Syrian Electronic Army, including the Qatari interior ministry’s site, according to Middle Eastern news reports.

“It’s pretty interesting that (the Syrian Electronic Army) went to Qatar,” said Christopher Ahlberg, CEO and cofounder of Recorded Future in Cambridge, Mass., a company that tracks computer infiltrations around the world. The Syrian Electronic Army reportedly said it targeted Qatar because it supports Syrian rebels. In an interview with Global Security Newswire, Ahlberg also pointed to another possible motivation: “Maybe it’s because the attractive targets in the U.S. and the U.K. are now locked down now, so they have to go elsewhere.”

If that is the case, more countries could be subject to the Syrian Electronic Army’s tactics, which are described in recent reports by network-security company FireEye, internet-content-delivery firm Akamai and Washington think tank the Center for Strategic and International Studies. Those actions include website defacings, denial-of-service attacks, “phishing” campaigns to trick computer users into revealing passwords and sensitive codes, and e-mail spamming of governments, media outlets and online services.

Previously, the Syrian hacking group had been tied to some attacks of government websites — including a reportedly failed attempt to disrupt the water supply in the Israeli city of Haifa and a potentially successful breach of the Saudi Arabian Ministry of Defense email system, both in May. However, the validity of those reports has been questioned, according to U.S. analysts. Akamai’s Oct. 16 report also says the Syrian Electronic Army “has been associated with the posting of pro-Syrian propaganda” to the Facebook pages of the U.S. Embassy in Damascus, U.S. Department of State, U.S. Department of Treasury, the White House and President Obama.

The U.S. National Security Agency is believed to be investigating the Syrian Electronic Army, by accessing some members’ computers and networks to understand if they have the capability to launch a larger attack, according to Matthew Rhoades, the director of the Cyberspace & Security Program at the Center for National Policy & Truman National Security Project in Washington. A worst-case scenario could be a catastrophic cyber attack on U.S. critical infrastructure, including nuclear reactors.

Rhoades, though, in an interview with GSN said he doesn’t “know that there is a capability or an intent within these Syrian groups as of today to pursue and successfully complete one of those attacks.”

“As far as capabilities, they’re considered to be on the lower end of the spectrum,” he said. “They’re motivated by political reasons right now. So that’s why they go after media outlets. That’s why they go after some government organizations. That’s why they go after anti-Assad groups. They do not appreciate the coverage … [of the] sort of pro-West, anti-Assad news media.”

Ahlberg said the Syrian Electronic Army is “not the most sophisticated” group of hackers, when compared to their counterparts in Russia, who have targeted foreign banks, and in China, who have sought military secrets.

It is unclear if the Syrian Electronic Army has connections to more-advanced hacking groups from other nations that are critical of U.S. policy, Rhoades said.

“Iran and Russia would worry me the most, and for two separate reasons,” he said. “Russia, because they’re highly sophisticated, and so if there’s some sort of educational component between the two, that could greatly expand Syrian capabilities. … (And) If anybody was motivated to do something on the cyber-attack side of the scale, from a nation-state perspective, you would imagine it would be Iran.”

While U.S.-Iranian relations are improving, Rhoades noted they still are tenuous.

Kenneth Geers, a senior global threat analyst for Milpitas, Calif.-based FireEye, said the United States “absolutely” should be concerned about Russian and Iranian hackers training and aiding the Syrian Electronic Army.

“Cyberspace is a reflection of traditional social, political, and military affairs,” he said in an emailed response to questions. “Russia and Iran are Syria’s allies in traditional space, so they are Syria’s allies in cyberspace.”

Geers, whose past government roles include stints at the National Security Agency and NATO, said he believes two factors suggest the Syrian Electronic Army possesses an “advanced persistent threat,” which he defines as having the direct or indirect support of a nation state: “First, the duration of SEA’s attacks: over two years; second, their gravity: within a week in July 2013, SEA compromised international communications websites used by hundreds of millions of users around the world,” he said.

A U.S. Department of Defense spokesman declined to talk specifically about what the United States is doing to monitor and defend against cyber attacks from Syria.

Air Force Lt. Col. Damien Pickart, though, in an emailed response to questions noted: “We’ve seen a series of attacks claimed by the Syrian Electronic Army over the past several years, so the recent attacks were not a new phenomenon.”

He said the Pentagon “takes seriously its mission to defend the nation from any group that attempts to use cyberspace to threaten U.S. security or national interests.”

The U.S. government routinely shares threat information with the private sector through the Department of Homeland Security in order to “mitigate much of the threat activity we have seen recently,” the Pentagon spokesman noted.
