State-Sponsored Cyber Threats: Syria

As the Arab Spring reached Damascus in early 2011, a previously unknown group called the Syrian Electronic Army (SEA) emerged online. Their stated purpose was to counter the “fabrication of facts” surrounding the civil unrest and government crackdowns taking place throughout Syria. While the group claimed to be a team of young counter-revolutionaries with no connection to the Syrian government, the domain name for the SEA’s website was registered by the Syrian Computer Society—an organization once headed by Syrian President Bashar al-Assad.

Since 2011, the SEA has evolved from a small circle of pro-government vandals into a skilled, decentralized network of operators. While it remains uncertain whether the Syrian government formally employs the SEA’s members, there is little doubt that the group operates with the permission, if not the direct support, of the Assad regime.

Capabilities

When the SEA began countering perceived anti-Assad messaging online, most of its attacks were unsophisticated acts of Internet vandalism: website defacements, distributed denial-of-service (DDoS) attacks, and the theft of social media credentials through phishing and brute-force attacks. Beginning in late 2013, the group’s techniques shifted toward the use of malware against the systems and online communications of individuals and organizations opposed to the Assad regime. Nevertheless, simple tactics remain a core component of the SEA’s repertoire.

Unlike the formal, government-run offensive cyber programs of China and North Korea, the SEA is a decentralized network of regime supporters operating both inside Syria and abroad, including in Lebanon, Russia, and the United Arab Emirates (UAE).

Like its operational structure, the SEA’s support network is opaque and distributed. Reports have indicated that the group receives technical support from Russia and Iran, and is partially bankrolled by Assad’s cousin Rami Makhlouf.

Victims

The SEA targets organizations that it perceives as opposed to the Assad regime. As a group born of an effort to counter online narratives critical of the Syrian government, it has aimed the vast majority of its attacks at the websites and operations of Western news media and human rights organizations. Attacks against the former surged in the spring of 2013, when the SEA hijacked the social media accounts of high-profile outlets such as the BBC, CBS, and NPR. In April 2013, the SEA sent shockwaves through Wall Street when it took over the Associated Press’s Twitter account and falsely tweeted that President Obama had been injured in explosions at the White House. The market recovered within minutes, but the false report briefly wiped more than $136 billion off the value of the S&P 500.

Human rights groups supportive of the Syrian opposition have also been targeted by the SEA. Human Rights Watch, the Syrian Observatory for Human Rights, and the Syrian Support Group—a now-defunct financier of Syrian rebel militias—have all been hacked for retribution or strategic advantage. Online communications platforms such as Skype and Viber have also fallen victim to SEA intrusions, and the group’s access to such channels has yielded valuable intelligence on the armed rebel groups that rely on them to coordinate operations.

Motivations

The SEA’s stated purpose and attack history suggest that it is motivated primarily by a desire to retaliate against perceived anti-Assad messaging online. As a result, the group has directed most of its sabotage at Western news agencies and non-governmental organizations (NGOs) that report on the Syrian crisis.

As its capabilities and resources have grown, the group’s motivations have broadened as well. In the last two years, the SEA has increasingly turned to countering the rebel factions fighting the Assad regime, collecting intelligence on the activities and capabilities of anti-government forces.

Outlook

Since its emergence in early 2011, the SEA has refined its tactics and broadened its mission beyond information warfare to include military intelligence collection, a shift that will likely continue as long as the group remains well resourced. Unless the Syrian opposition groups it targets address the weaknesses in their communications practices, the SEA will likely remain effective in thwarting their efforts.

Despite improvements in skill and resources, SEA hackers are unlikely to pose a direct threat to US industry or critical infrastructure. If the United States were to take a more active role in the Syrian conflict, SEA attacks against US government websites would likely increase. However, such attacks are unlikely to match the sophistication of Russian or Chinese cyber operations, and therefore do not constitute a serious threat to US national security.

The decentralized nature of the SEA has helped insulate it from outside pressure, leaving it less susceptible to disruption when opposition fighters strike at the Syrian government. This flexible organizational structure will continue to be an asset to the Assad regime, and a challenge to any actor seeking to undermine it.