Assessing the Capabilities of the Syrian Electronic Army

A Syrian hacking group's reported defacing of Qatari government webpages over the weekend could signal a new direction for the organization that has infiltrated Western news websites and is loyal to Bashar Assad, the civil-war-torn country's embattled president.

Still, U.S. cybersecurity experts said they don't expect the so-called Syrian Electronic Army to take steps as drastic as compromising U.S. nuclear facilities or crippling the critical infrastructure of a major world power through a cyber attack -- at least not in the near future, and not without help from other countries.

The Syrian Electronic Army is loyal to Assad, though U.S. analysts say its specific ties to the regime are not clear. The group in recent months has targeted news and communications websites in and out of the United States, with suspected actions including disabling the New York Times' page in August and posting pro-Assad messages on a U.S. Marines Corps page in September. It infamously caused U.S. stock markets to dip in April after posting a fake news alert about a White House bombing on the Associated Press' Twitter page.

This past Sunday, Qatari officials said they recovered government websites targeted by the Syrian Electronic Army, including the Qatari interior ministry's site, according to Middle Eastern newsreports.

"It's pretty interesting that (the Syrian Electronic Army) went to Qatar," said Christopher Ahlberg, CEO and cofounder of Recorded Future in Cambridge, Mass., a company that tracks computer infiltrations around the world. The Syrian Electronic Army reportedly said it targeted Qatar because it supports Syrian rebels. In an interview with Global Security Newswire, Ahlberg also pointed to another possible motivation: "Maybe it's because the attractive targets in the U.S. and the U.K. are now locked down now, so they have to go elsewhere."

If that is the case, more countries could be subject to the Syrian Electronic Army's tactics, which are described in recent reports by network-security company Fire Eye, internet-content-delivery firm Akamai and Washington think tank the Center for Strategic and International Studies. Those actions include website defacings, denial-of-service attacks, "phishing" campaigns to trick computer users to reveal passwords and sensitive codes, and e-mail spamming of governments, media outlets and online services.

Previously, the Syrian hacking group had been tied to some attacks of government websites -- including a reportedly failed attempt to disrupt the water supply in the Israeli city of Haifa and a potentially successful breach of the Saudi Arabian Ministry of Defense email system, both in May. However, the validity of those reports has been questioned, according to U.S. analysts. Akamai's Oct. 16 report also says the Syrian Electronic Army "has been associated with the posting of pro-Syrian propaganda" to the Facebook pages of the U.S. Embassy in Damascus, U.S. Department of State, U.S. Department of Treasury, the White House and President Obama.

The U.S. National Security Agency is believed to be investigating the Syrian Electronic Army, by accessing some members' computers and networks to understand if they have the capability to launch a larger attack, according to Matthew Rhoades, the director of the Cyberspace & Security Program at the Center for National Policy & Truman National Security Project in Washington. A worst-case scenario could be a catastrophic cyber attack on U.S. critical infrastructure, including nuclear reactors.

Rhoades, though, in an interview with GSN said he doesn't "know that there is a capability or an intent within these Syrian groups as of today to pursue and successfully complete one of those attacks."

"As far as capabilities, they're considered to be on the lower end of the spectrum," he said. "They're motivated by political reasons right now. So that's why they go after media outlets. That's why they go after some government organizations. That's why they go after anti-Assad groups. They do not appreciate the coverage … [of the] sort of pro-West, anti-Assad news media."

Ahlberg said the Syrian Electronic Army is "not the most sophisticated" group of hackers, when compared to their counterparts in Russia, who have targeted foreign banks, and in China, who have sought military secrets.

It is unclear if the Syrian Electronic Army has connections to more-advanced hacking groups from other nations that are critical of U.S. policy, Rhoades said.

"Iran and Russia would worry me the most, and for two separate reasons," he said. "Russia, because they're highly sophisticated, and so if there's some sort of educational component between the two, that could greatly expand Syrian capabilities. … (And) If anybody was motivated to do something on the cyber-attack side of the scale, from a nation-state perspective, you would imagine it would be Iran."

While U.S.-Iranian relations are improving, Rhoades noted they still are tenuous.

Kenneth Geers, a senior global threat analyst for Milpitas, Calif.-based FireEye, said the United States "absolutely" should be concerned about Russian and Iranian hackers training and aiding the Syrian Electronic Army.

"Cyberspace is a reflection of traditional social, political, and military affairs," he said in an emailed response to questions. "Russia and Iran are Syria’s allies in traditional space, so they are Syria’s allies in cyberspace."

Geers, whose past government roles include stints at the National Security Agency and NATO, said he believes two factors suggest the Syrian Electronic Army possesses an "advanced persistent threat," which he defines as having the direct or indirect support of a nation state: "First, the duration of SEA's attacks: over two years; second, their gravity: within a week in July 2013, SEA compromised international communications websites used by hundreds of millions of users around the world," he said.

A U.S. Department of Defense spokesman declined to talk specifically about what the United States is doing to monitor and defend against cyber attacks from Syria.

Air Force Lt. Col. Damien Pickart, though, in an emailed response to questions noted: "We've seen a series of attacks claimed by the Syrian Electronic Army over the past several years, so the recent attacks were not a new phenomenon."

He said the Pentagon "takes seriously its mission to defend the nation from any group that attempts to use cyberspace to threaten U.S. security or national interests."

The U.S. government routinely shares threat information with the private sector through the Department of Homeland Security in order to "mitigate much of the threat activity we have seen recently," the Pentagon spokesman noted.