Hacked off: What happened when the Syrian Electronic Army attempted a cyber attack on The Independent?

Last week The Independent was the victim of a cyber-attack by the Syrian Electronic Army. Luckily, our defence was strong. But what did they want from us anyway?
  • @timwalker

Ever since the beginning of the long and bloody Syrian civil war, the weight of international opinion has tipped in favour of the moderate rebel forces. Yet the country’s embattled President, Bashar al-Assad, has nonetheless enjoyed several propaganda coups, thanks in large part to the counter-revolutionary hacktivist group known as the Syrian Electronic Army (SEA), which has made a habit of inflicting humiliating cyber defeats on his ideological rivals in the Western media. Last week, it was our turn.

A suspected SEA attempt to hack the accounts of journalists at The Independent in May proved unsuccessful, yet this newspaper was targeted again late last Friday when senior staff became aware of a so-called “spear-phishing” operation, attempting to harvest user information and so gain access to the newspaper’s website and/or its social networking accounts. It is thought the group intended to use the platform to publish pro-Assad propaganda.

Phishing is a crude technique whereby hackers pose as a trustworthy entity to obtain personal information, such as passwords or credit card details. Spear-phishing, marginally more sophisticated, is aimed at specific individuals or companies – newspapers, banks, universities – and uses information gleaned from the public domain against them. The attack typically begins with an email, apparently from someone within the company – and often someone in a position of authority.

In the case of The Independent, the hackers managed to resurrect the defunct email address of a former senior editorial figure, and used it to fire off emails to some 50 staff members, each containing a link to an apparently harmless and familiar site, such as the BBC, MSN or Unicef. The link, when clicked, invited them to give their log-in details. Once they had those, the hackers would likely have sent another set of emails from their victims’ accounts, working their way along the chain until they found somebody with access to the newspaper’s online presence: its website, its Twitter accounts, or its Facebook page. By the time the IT security team was alerted to the hack, a handful had already offered their details. Their accounts were quarantined and their passwords changed, and on Friday night an email was sent to all staff warning them to be vigilant. Luckily, the attack was repelled before it could go any further.

The origins and identities of the SEA remain disputed. Many believe it is a self-organising outfit similar to the hacking group Anonymous. In an email interview with The Independent in May, hacker Th3Pro, the head of the SEA’s Special Operations division, said the group began as a Facebook page.

“Within a few days more than 60,000 Syrians joined,” he wrote. “Facebook shut it down, and then a website for the group was launched in addition to accounts on all social media sites. Many people joined us, hundreds, thousands.”

Though they support the Assad government, the young Syrians involved are not under its command, he claimed. “Our mission was to defend our country against the media campaign, first in the Arab media, and lately the Western media. We don’t take money for our work, it’s our duty to defend our country.” Contacted again this week, Th3Pro denied involvement in the attack.

In 2011, President Assad himself praised the SEA, describing the group as a “virtual army in cyberspace”, and experts dispute the SEA’s claims to be independent of Assad’s regime. James Lewis, a cyber-security expert at the Centre for Strategic and International Studies in Washington DC, said: “It would be possible for amateur beginners to do everything the SEA has done.... Ask yourself: are there any anti-Assad groups in Syria who have been able to carry out this kind of thing? If the answer is no, it means the government is either consenting to or directing SEA activity.”

Some have speculated that the intensity of the SEA’s attacks on US media outlets is linked to President Obama’s pronouncements on Syria. Analysis by the web intelligence firm Recorded Future suggests a “remarkable correlation” between Obama’s statements on Syria and the SEA’s activities. In August, for instance, as the President publicly weighed military action against the Assad regime following an alleged chemical attack in Damascus, the SEA launched a hack of the New York Times, Huffington Post and Twitter.

The attacks are rudimentary compared to some other spear-phishing hacks, says Graham Cluley, a British computer security expert. “There have been targeted spear-phishing attacks against defence organisations such as Lockheed Martin or the Pentagon,” Cluley says. “We also see a lot of state-sponsored attacks. For instance, the Tibetan government in exile and other Chinese dissidents are regularly sent emails containing booby-trapped documents, which infect their computer and install malware to allow the hackers access to steal information. And it’s not just China, by any means – everybody’s at it.”