top of page

Syrian Electronic Army (SEA)


Overview


The Syrian Electronic Army (SEA) was a hacker group that claimed to support the Syrian President, Bashar al-Assad, and aims to counteract what it sees as the deluge of “fabricated news” perpetuated by both the Western and Arab media. They carried out various hacking operations, including sending out false Tweets from large news organizations such as the Associated Press (AP), and operating via Facebook and Twitter (now X) to carry out denial of service attacks on individual, group and organization websites that they believed were undermining the legitimacy of Assad’s government. Some of the group’s earliest targets were  US President Barack Obama and former French President Nicolas Sarkozy. The group first emerged in 2011, and gradually rose to prominence due to the high profile of many of the people and organizations that they targeted. There have been various rumors over the years that the SEA is directly linked to the Syrian government, taking orders and funding from them; yet, this has still not been proven, over 10 years after their founding. The now defunct website of the SEA described the hackers as “a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria”. They, contrastingly, described the pro-opposition demonstrators in Syria at the time as using Facebook to “spread their destructive ideas… urging demonstrators to terrorize the civilians who refuse to join their demonstrations and attack public facilities”. (1)


The backdrop for the emergence of the SEA, is that of the Syrian Revolution uprisings in 2011: a series of mass protests against the Assad regime, which was subsequently followed by harsh repercussions from his government, the Syrian Arab Republic. The Qatar government was a prominent supporter and funder of opposition to Assad’s regime from the start of the Revolution, and they were therefore a key target for the SEA, along with the Qatari-backed al-Jazeera TV and the Qatar Foundation. (1) There have been intimations that the SEA has links to the Iranian and Lebanese governments, Hezbollah, and of course, the Syrian administration. (2) Yet, an analysis by the open source intelligence company, Recorded Future, did not find any links between SEA and Iranian government cyber attack patterns, so there is skepticism about this link. (3) In 2016, the US publicly named and charged three men who it believed were responsible for conducting SEA hacks under the banner of the SEA; the men were also suspected for extorting money in connection with the hacking group. (4) As of the time of writing, two of the men have not been caught and convicted, as at the time their charges were announced, they were believed to be in Syria; the US offered a $100,000 reward for information leading to their arrests. 


History & Origins


The SEA was founded during the uprisings of the 2011 Syrian Revolution, as a reaction to the protesters opposing the Assad regime; it was founded to maintain positivity around Assad’s leadership and denounce the actions of the protesting masses, which it saw as destructive and unruly. After they started being active in 2011, the group increased both the volume and the profile of their attacks over time, targeting everyone from the AP to Human Rights Watch, taking down what they saw as biased and ignorant coverage of the Syrian unrest; for instance, this included taking down an opinion poll on the website of British newspaper, The Telegraph, stating on their Twitter (now X) page, that Syria’s fate was not up to the Western media. After accomplishing a hack, the group posted details of it on their website, in both English and Arabic; these attacks were often social media takeovers achieved by using phishing tactics. The hackers, once they gained access to large outlets’ social media accounts, could then take down what they believed to be fabricated or inaccurate news, and post content that was positive about the Syrian government. 


Some of the SEA’s victims include: Harvard University, Microsoft, Washington Post, New York Post, Reuters, Human Rights Watch, National Public Radio (NPR), and CNN. By 2013, the group was also attacking CBS’s 60 Minutes Twitter account to post that “professionals under US regime protection” were responsible for the Boston Marathon bombing. (1) They also hacked various BBC Twitter accounts, to post surreal statements like “chaotic weather forecast for Lebanon as the government decides to distance itself from the Milky Way” and “Saudi weather station down due to head-on-collision with camel”. Their attacks varied from the ironic, to the straightforwardly political, and were all aimed at furthering their overriding political aim of bolstering the Assad government. The SEA faded from activity partly due to three of its members being charged with hacking and extortion charges by the US government; one was arrested in Germany, and rewards were offered for information leading to the arrest of the other two, who remain at large, and were presumed to be in Syria when America announced their charges. (4) 


In the announcement from the US Department of Justice, it is stated that as well as having political aims, members of the group also used the hacks to extort money for personal gain, with Assistant Attorney General John P. Carlin saying: “While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world.  The allegations in the complaint demonstrate that the line between ordinary criminal hackers and potential national security threats is increasingly blurry.” (5) The statement also says: ‘Ahmad Umar Agha, 22, known online as “The Pro,” and Firas Dardar, 27, known online as “The Shadow,” were charged with a criminal conspiracy relating to: engaging in a hoax regarding a terrorist attack; attempting to cause mutiny of the U.S. armed forces; illicit possession of authentication features; access device fraud; unauthorized access to, and damage of, computers; and unlawful access to stored communications.’ (6) According to the Center for Security Studies (CSS) in Zurich, the SEA likely disbanded in 2016, after the arrest and extradition of one of its members, Peter Romar, to the US and his subsequent conviction, after pleading guilty to all charges. However, it is still unclear how many members the hacking collective had, and what the nature of its links to Assad’s administration might be. (7)


Ideology & Goals


The SEA, during their short-lived active years, made their political leanings very clear: they wished for the Assad regime and the Syrian Arab Republic to be maintained, and were not supportive of the opposition protesters, who they saw as destroying an ordered society with a strong leader. The ideological commitment of the SEA is, of course, under some scrutiny due to them also using the hacks to extort money, however, they did appear to be committedly aligned with the Assad government, which they portrayed as embattled and misrepresented in the media across the world. They targeted a lot of news organizations, as well as the US and Qatari governments. When announcing the terror charges against three members of the SEA, the US government remarked that, in their view, ideology was not the only factor behind their actions, but that they were also attempting to use hacking actions for profit, such as by gaining access to the websites of online businesses in the US, and using threats of selling stolen data, deleting data, or damaging computers, to extort money from the victim. However, while there may have also been a profit motive behind the ideology of the SEA, it is clear that they were also the most notable cyber-actor throughout the 2011 Syrian civil war, and had a decided alignment with the Assad regime. This is shown by a 2011 TV address by Assad, in which he praises the work of the SEA; despite the group’s clarification after this speech (via its website) that they were not tied to the Syrian government, they clearly received at least tacit support from the administration.


The SEA’s goals, apart from arguably monetary gain, were always centered on correcting what they saw as a biased and inaccurate media landscape around the Syrian civil war; they thought that the Assad regime was being misrepresented, and that both Western and Arab media coverage was too biased towards the opposition protesters and political forces. While the question of whether the SEA was actually instituted by the Syrian government was never answered, there is an argument to say that it became the administration’s de facto cyberforce, due to its very public and frequent attacks, and the reliability with which it made sure to claim responsibility for any actions it was involved in. 


Approach to Resistance


The toolkit of the SEA is that of a typical hacktivist: they focused on phishing techniques to obtain passwords, and once they gained access to social media accounts of news organizations or governments, they could gain control of the media narratives they sought to change by posting their own content or taking down posts that they disliked. When conducting extortion, they used typical techniques of leveraging data and the possibility of damage to influence victims. However, throughout the unrest in Syria that began in 2011, the SEA showed improvement in their methods, and it has been suggested by some that this indicates the involvement of additional support from a government, whether that be the government of Syria, Iran, or Russia, all of whom were supportive of Assad at the time. In 2013, further suspicion was sparked about the involvement of Russia in the SEA after the US-based internet domain name registrar Network Solutions LLC seized hundreds of Syrian domain names from the group, and they responded by registering their website in Russia to continue being active. (8)


The lack of clarity around the SEA’s possible ties to the Syrian government result in a subsequent lack of clarity about its structure: if the group had governmental backing, then it would have possessed a more hierarchical structure that hacktivist groups typically exhibit, however, if the support of the Syrian regime was more distant, the SEA may have had a more typical decentralized structure. The SEA portrayed itself as a group of young, patriotic hackers rather than a governmental cyber security project, and it is thought that they attracted many young, patriotic hackers who wanted to be involved in the conflict, but did not feel confident being publicly associated with the Syrian government. The group’s hacking actions ended in 2015, and it was then that they appear to have switched to cybercrime, whether due to necessity or fading of ideological fervor for the Assad regime, it is unclear. It was after this shift, in 2016, that the US Federal Bureau of Investigation (FBI) made known their terror and extortion charges against three members of the group, and later arrested a member in Germany. The methods of the SEA, while conventional hacktivist tactics, remain interesting for the fact that this group is the largest cyber-force to have become active at the time, and it demonstrated a new use of cyber attacks within a conflict scenario.


Relations & Alliances 


As well as the SEA’s rumored links to the Syrian government, they also had some adverse relations with the hacking group Anonymous, who exposed five SEA alleged members in a hacktivist operation against the Syrian government, revealing that one of them was operating from Romania and one from Russia. The SEA was, furthermore, part of a wider context throughout the 2011 Syrian civil war, of cyber-actors becoming embroiled in the conflict, and during 2011, the group actually created a Facebook page entitled the Syrian Hackers School, where people could download and use a tool created for launching DDoS attacks against BBC News, Al Jazeera, OrientTV and Al-Arabyia TV. Other pro-government cyber-actors in this conflict included the Syrian Malware Team (SMT) and the Electronic National Defence Forces (ENDF), as well as some groups working from outside Syria. The SMT was very possibly an offshoot of the SEA, or at least the group appears to have contained members that were also linked to the SEA. The SMT used RAT and was active from 2011 to 2014. The ENDF was not linked to the SEA, but is instead thought to have been the cyber-actor arm of the Syrian National Defence Forces, a pro-government militia that operated throughout Syrian territory. One of their tactics was to lure victims on Facebook into providing their social media information, so that they could access their accounts and post pro-government messages. As well as there being an extensive landscape of hacking groups dedicated to pro-Assad operations, there are also plenty that aligned with the various opposition forces in this conflict, such as the cyber operations of the Free Syrian Army, as well as the Hackers of the Syrian Revolution, the Cyber Caliphate, and the cyber-branches of Jabhat al-Nusra and Ahrar al-Sham. 



Works Cited


(1) - Fowler, Sarah. ‘Who is the Syrian Electronic Army?’ BBC. 25 April 2013. Accessed 21 June 2024. https://www.bbc.co.uk/news/world-middle-east-22287326 


(2) - Robertson, Jordan. ‘Three Things You Should Know About the Syrian Electronic Army’. Bloomberg. 24 March 2014. Accessed 21 June 2024. https://www.bloomberg.com/news/articles/2014-03-24/three-things-you-should-know-about-the-syrian-electronic-army 


(3) Rachael KingReporter. ‘Data Shows No Link Between Syrian Electronic Army and Iran.’ Wall Street Journal. 5 September 2013. Accessed 21 June 2024. https://www.wsj.com/articles/BL-CIOB-2730 


(4) ‘Syrian Electronic Army hacker suspects charged.’ BBC. 23 March 2016. Accessed 21 June 2024. https://www.bbc.co.uk/news/technology-35881321 


(5) ‘Computer Hacking Conspiracy Charges Unsealed Against Members of Syrian Electronic Army’. US Department of Justice. 22 March 2016. Accessed 21 June 2024. https://www.justice.gov/opa/pr/computer-hacking-conspiracy-charges-unsealed-against-members-syrian-electronic-army 


(6) ‘Computer Hacking Conspiracy Charges Unsealed Against Members of Syrian Electronic Army’. Office of Public Affairs, US Department of Justice. 22 March 2016. Accessed 22 June 2024. https://www.justice.gov/opa/pr/computer-hacking-conspiracy-charges-unsealed-against-members-syrian-electronic-army 


(7) ‘Guilty plea for Syrian Electronic Army accomplice’. BBC. 30 September 20216. Accessed 21 June 2024. https://www.bbc.co.uk/news/technology-37517891 


(8) ‘Hotspot Analysis, The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict’. Risk and Resilience Team, Center for Security Studies (CSS), ETH Zürich. October 2017. Accessed 21 June 2024. https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2017-05.pdf 



Additional Resources





Comments


bottom of page