Experts Assess Syrian Hackers’ Capabilities

Emelie Rutherford, Global Security Newswire
Oct. 23, 2013, 11:02 a.m.

WASHINGTON — A Syrian hacking group’s reported defacing of Qatari government webpages over the weekend could signal a new direction for the organization that has infiltrated Western news websites and is loyal to Bashar Assad, the civil-war-torn country’s embattled president.

Still, U.S. cybersecurity experts said they don’t expect the so-called Syrian Electronic Army to take steps as drastic as compromising U.S. nuclear facilities or crippling the critical infrastructure of a major world power through a cyber attack — at least not in the near future, and not without help from other countries.

The Syrian Electronic Army is loyal to Assad, though U.S. analysts say its specific ties to the regime are not clear. The group in recent months has targeted news and communications websites in and out of the United States, with suspected actions including disabling the New York Times’ page in August and posting pro-Assad messages on a U.S. Marine Corps page in September. It infamously caused U.S. stock markets to dip in April after posting a fake news alert about a White House bombing on the Associated Press’ Twitter page.

This past Sunday, Qatari officials said they recovered government websites targeted by the Syrian Electronic Army, including the Qatari interior ministry’s site, according to Middle Eastern news reports.

“It’s pretty interesting that (the Syrian Electronic Army) went to Qatar,” said Christopher Ahlberg, CEO and cofounder of Recorded Future in Cambridge, Mass., a company that tracks computer infiltrations around the world. The Syrian Electronic Army reportedly said it targeted Qatar because it supports Syrian rebels. In an interview with Global Security Newswire, Ahlberg also pointed to another possible motivation: “Maybe it’s because the attractive targets in the U.S. and the U.K. are now locked down now, so they have to go elsewhere.”

If that is the case, more countries could be subject to the Syrian Electronic Army’s tactics, which are described in recent reports by network-security company FireEye, internet-content-delivery firm Akamai and Washington think tank the Center for Strategic and International Studies. Those actions include website defacings, denial-of-service attacks, “phishing” campaigns to trick computer users into revealing passwords and sensitive codes, and e-mail spamming of governments, media outlets and online services.

Previously, the Syrian hacking group had been tied to some attacks on government websites — including a reportedly failed attempt to disrupt the water supply in the Israeli city of Haifa and a potentially successful breach of the Saudi Arabian Ministry of Defense email system, both in May. However, the validity of those reports has been questioned, according to U.S. analysts. Akamai’s Oct. 16 report also says the Syrian Electronic Army “has been associated with the posting of pro-Syrian propaganda” to the Facebook pages of the U.S. Embassy in Damascus, U.S. Department of State, U.S. Department of Treasury, the White House and President Obama.

The U.S. National Security Agency is believed to be investigating the Syrian Electronic Army, by accessing some members’ computers and networks to understand if they have the capability to launch a larger attack, according to Matthew Rhoades, the director of the Cyberspace & Security Program at the Center for National Policy & Truman National Security Project in Washington. A worst-case scenario could be a catastrophic cyber attack on U.S. critical infrastructure, including nuclear reactors.

Rhoades, though, in an interview with GSN said he doesn’t “know that there is a capability or an intent within these Syrian groups as of today to pursue and successfully complete one of those attacks.”

“As far as capabilities, they’re considered to be on the lower end of the spectrum,” he said. “They’re motivated by political reasons right now. So that’s why they go after media outlets. That’s why they go after some government organizations. That’s why they go after anti-Assad groups. They do not appreciate the coverage … [of the] sort of pro-West, anti-Assad news media.”

Ahlberg said the Syrian Electronic Army is “not the most sophisticated” group of hackers, when compared to their counterparts in Russia, who have targeted foreign banks, and in China, who have sought military secrets.

It is unclear if the Syrian Electronic Army has connections to more-advanced hacking groups from other nations that are critical of U.S. policy, Rhoades said.

“Iran and Russia would worry me the most, and for two separate reasons,” he said. “Russia, because they’re highly sophisticated, and so if there’s some sort of educational component between the two, that could greatly expand Syrian capabilities. … (And) If anybody was motivated to do something on the cyber-attack side of the scale, from a nation-state perspective, you would imagine it would be Iran.”

While U.S.-Iranian relations are improving, Rhoades noted they still are tenuous.

Kenneth Geers, a senior global threat analyst for Milpitas, Calif.-based FireEye, said the United States “absolutely” should be concerned about Russian and Iranian hackers training and aiding the Syrian Electronic Army.

“Cyberspace is a reflection of traditional social, political, and military affairs,” he said in an emailed response to questions. “Russia and Iran are Syria’s allies in traditional space, so they are Syria’s allies in cyberspace.”

Geers, whose past government roles include stints at the National Security Agency and NATO, said he believes two factors suggest the Syrian Electronic Army constitutes an “advanced persistent threat,” which he defines as having the direct or indirect support of a nation state: “First, the duration of SEA’s attacks: over two years; second, their gravity: within a week in July 2013, SEA compromised international communications websites used by hundreds of millions of users around the world,” he said.

A U.S. Department of Defense spokesman declined to talk specifically about what the United States is doing to monitor and defend against cyber attacks from Syria.

Air Force Lt. Col. Damien Pickart, though, in an emailed response to questions noted: “We’ve seen a series of attacks claimed by the Syrian Electronic Army over the past several years, so the recent attacks were not a new phenomenon.”

He said the Pentagon “takes seriously its mission to defend the nation from any group that attempts to use cyberspace to threaten U.S. security or national interests.”

The U.S. government routinely shares threat information with the private sector through the Department of Homeland Security in order to “mitigate much of the threat activity we have seen recently,” the Pentagon spokesman noted.
