Threat Management

What the SEA stole from McCain’s office, and much more, compiled in report

The Syrian Electronic Army (SEA) has gained fame for carrying out sophisticated phishing attacks – notably against media groups – and posting its exploits on social media, but the band of pro-Assad hackers is more calculated and well-funded than it may seem, according to an IntelCrawler report.

In many ways the group's public persona serves as misdirection, Dan Clements, president of IntelCrawler, told SCMagazine.com on Thursday.

For instance, in February, the SEA posted on Twitter that it had “intercepted some emails from [Arizona Republican Senator John] McCain's office about U.S. plans in Ukraine.” There is a bit more to it that the SEA chose to omit, Clements said, asking if SCMagazine.com would exclude names.

As it turned out, an SEA member, who the report said is named Tiger, gained access to the email account of a former U.S. Department of Defense employee who is now operating as a pro rebel Syrian advocate. That person's account then had an email exchange with a senior Syrian research expert in McCain's office.

The SEA was able to grab more information from this breach than it let on, including travel plans for McCain's Syrian research expert to come to Syria, Clements said. A snippet of one email exchange included in the report reveals the subject, “Syrian Chemical weapons,” and speaks of a “defected General from the regime.”

“We're not [an intelligence agency], but whenever you have an email that's discussing travel plans to Syria, and it involves [an individual] at McCain's office, that's a fairly significant compromise,” Clements said.

And that is just a sliver of information included in the 94-page report released by IntelCrawler on Thursday, which serves in many ways as an SEA guidebook.

It profiles alleged group members, including the aforementioned Tiger, The Pro, SyRiAn_34G13, The Shadow, Soul, Vikt0r, Syrian Hawk, and Osmancode. 

The report chronicles most SEA attacks, beginning when the group first surfaced around 2011. This includes compromises of websites and accounts belonging to Viber, Time, The New York Times, and Vice.

The report additionally highlights some of the SEA tactics used in those attacks – most notably the use of spear phishing. One particularly creative spear phishing attack involved sneaking in fraudulent websites for the password authentication and SMS authentication pages related to Gmail's two-step authentication process, thus allowing the attacker to compromise the Google credentials.

“We wanted to pierce their veil of hacktivism,” Clements said. “They are a full-blown cyber espionage group. Well-funded. Really smart. There's no way to know how much content they've taken. We don't know if they're in the classified documents world. They are certainly the sensitive documents world.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.