Opinion by Ira Winkler

Ira Winkler: My run-in with the Syrian Electronic Army

The hacker group dedicated to supporting Syria's dictator wasted an attack vector on trying to embarrass the writer. Will the SEA's handlers in the Syrian intelligence services approve of such immaturity?

The Syrian Electronic Army may have jumped the shark.

Last month, the SEA, a hacker group whose stated purpose is to support the Syrian government of Bashir al-Assad, hacked the RSA Conference website. The hack was done to express its dislike for me, which stems from a presentation that I gave at the 2014 RSA Conference that detailed the SEA's tactics, named names and disclosed methods to prevent its attacks.

I have investigated that hack and subsequent ones on The Wall Street Journal's Twitter accounts and BuzzFeed in the U.K., both meant to denigrate and embarrass me.

I'll get to the findings of those investigations, but first let me tell you how I became aware of the situation.

On the evening of Saturday, April 26, a tweet was directed at me from the SEA indicating that there was a message awaiting me at the RSA Conference site. I know better than to trust any links that come from the SEA, so I opened up a browser and typed in the RSA Conference URL. The normal site came up; no message for me from the SEA was visible.

The SEA tweeted more messages, but I ignored them. But when a friend told me the SEA wasn't playing a practical joke, I took out my safe computer and followed the tweeted link. Now I could see a graphic with a taunt from the SEA. My thought was that the RSA Conference might have been momentarily hacked and that this was a screen capture.

Being personally involved, I wanted to understand what had happened. I contacted some friends at the RSA Conference team, as well as some executives from RSA itself. The executives put me in touch with the security team at RSA, who told me that a website associated with Lucky Orange, an analytics software package used by the RSA Conference, had been redirected and returned JavaScript code that displayed the taunt.

That explained why I didn't see the taunt when I first went to the conference website; I don't allow JavaScript code to run on my Web browser. But the linked file was just a direct link to the graphic.

Around this time, someone on Facebook told me he had seen the taunting image. I didn't give that too much thought. The SEA's dirty work was out there on the RSA Conference site, and people inevitably were going to see it. But later I learned that this friend didn't see the image on the RSA Conference website. It was on another website entirely. If I had noticed that fact at that time, I would have found it very interesting. But as it was, I dismissed this bit of news as more of the same.

Nonetheless, I was curious about how the SEA had been able to redirect the Lucky Orange website. On Sunday morning, I was able to track down the CEO and called him at his home. We had a good laugh about the issue, and I learned that the SEA had redirected the domain through Lucky Orange's DNS provider, probably after compromising the log-on credentials of a company executive. The CEO was unwilling to tell me any details of who was hacked at the provider, and he didn't know the particulars about the phishing messages used to acquire the log-on credentials.

But he did tell me that the compromised server was used for multiple Internet sites. That was why my Facebook friend saw the image on a different site. The Lucky Orange CEO also mentioned that the SEA could have redirected another website, which would have given it access to exponentially more users, but totally missed it.

Next, I tried to contact the DNS hosting company through its technical support line, but there were no security team members I could talk to on the weekend. But with the help of Lucky Orange's CEO and friends in the DNS hosting company's local region, I was able to get in touch with the DNS hosting company's CEO. We had an interesting conversation.

He told me that in the wake of the attack, his team had watched my RSA Conference presentation. Around minute 16, he said, I described the attack that the DNS hosting company had experienced exactly. Specifically, a phishing email was sent, seemingly from the CEO, that had a link to what was supposed to be a BBC news story. It was sent to many current and former employees at the company. It appears the SEA scoured social networks to try to identify people who might have accounts, and then guessed the default email address format to target those people.

Anyone who clicked on the link to the supposed news would be presented with an Outlook log-on screen; the SEA, of course, would capture any credentials typed in. An account executive at the hosting company fell victim to the link. Using that person's credentials, the SEA was able to log on to the customer control system and reset the Lucky Orange password. The SEA then logged in to the system as Lucky Orange. The domain in question, livestatserver.com, was locked. However, the full domain of the JavaScript program location was w1.livestatserver.com, and the SEA was able to redirect the "w1" subdomain.

The SEA also changed the log-on credentials of a television station, but never had the opportunity to do anything with it.

Rounds 2 and 3

A couple of days later, the SEA was able to gain access to four of The Wall Street Journal's Twitter accounts, and again squandered an incredible opportunity for exposure by using it to call me a cockroach. This hack got the attention of CNN, which referred to me as "the go-to-guy when companies get hacked by the Syrian Electronic Army."

A couple of days after that, the SEA gained access to the BuzzFeed UK Twitter account, all to the same purpose. Just as an afterthought, the SEA tweeted a warning to BuzzFeed to stop writing about Syria.

As with just about all other SEA attacks, the attacks on both the Journal and BuzzFeed were accomplished by obtaining log-on credentials through spearphishing, and then reusing the passwords on TweetDeck accounts.

What I Learned

Some of what I discovered during the investigation was surprising, and some was not. For me, the most surprising thing was that the SEA would hack a notable website and compromise some widely followed Twitter accounts, only to waste them on me. These people purport to be servants of the genocidal dictator of Syria and came together to support him, but they wasted their hack on what amounted to cyberbullying.

This is not behavior that the SEA's Syrian intelligence handlers would condone. The SEA wasted an opportunity to promote its message, while divulging previously unknown attack vectors. A vulnerability on the RSA Conference site with the ability to run JavaScript could have been held on to until right before the conference and then exploited in a way that would gather credentials and information from security experts around the world. This could have become one of the most notorious watering-hole attacks of all time. But instead the SEA decided to get back at me by hacking the website during a slow period for the conference, on a Saturday night nonetheless.

I don't think that sort of immaturity will go over well with the SEA's Syrian intelligence bosses. And that could have implications for the influence of the group in the future. In my presentation, I named Hatem Deeb and Mohammed Osman as members of the SEA. Both could be vulnerable, since they are reportedly located outside of Syria. The core members of the SEA, known as the Pro and the Shadow, are based in Syria and will be named in the near future. In retaliation, the SEA has threatened to name U.S. personnel operating in Turkey. But will the SEA's Syrian handlers trust the group with those names now that the hacker group has shown itself to be undisciplined?

I was also struck by the media's lack of interest in reporting on the hack of the RSA Conference site. Even Computerworld.com was interested in this story only if I described the methods used and provided an analysis of the implications. While a single CNN reporter seemed to find the compromise of the Journal's Twitter accounts interesting, no major news outlets showed any interest in the BuzzFeed compromise. To news editors, it would seem, hacking a website to call someone a name is the action of a script kiddie and not something worth reporting.

Implications for Your Business

Few companies are prepared to be the victim of an attack, even when the attack is basically just a nuisance like the one that hit the RSA Conference. Small companies do not have capable security staffs readily available. I am lucky because I know executives at security companies with top-tier incident-response programs who are able to get in touch with any vendor that they need to. That sort of access is not typically available to a small company or generic Internet user, though.

As the RSA Conference incident demonstrates, your security is potentially dependent on vendors that you don't even know exist. While you might place security requirements on your vendors, that won't help when their vendors, or even the vendor's vendors, can create problems for you. Risk assessments rarely include this level of scrutiny.

Since the SEA will continue to target organizations until its members are arrested or the group loses the backing of the Syrian intelligence services, it is important to understand its methodologies and learn from them. Chinese intelligence services are beginning to adapt some of the SEA tactics in their more advanced attacks. The SEA tactics are also fairly common among other criminal actors.

As I described in my presentation at the RSA Conference, the two most critical countermeasures that people can use to prevent attacks by the SEA and similar groups are multifactor authentication and domain locking. In all of the cases targeting me, domain locking was irrelevant, but multifactor authentication would have stopped the attacks.

Repercussions

The most common question I was asked in the days after the hack was how I felt about being targeted by the SEA. My answer generally is that it is actually a badge of honor to be named an "enemy" of a group whose stated purpose is to support a despot and his regime. They have targeted me more than they have targeted President Obama.

And if the SEA meant to hurt me, it hasn't actually worked out that way. The group tweeted the link to my RSA presentation, boosting its views considerably. I've gotten a lot of free publicity, and not just among the group's supporters. People who appreciate the SEA's support for the Syrian government would never be my audience anyway.

Sadly, though, the SEA continues to be successful with simple hacks, and I do not expect much to change in the near future. Even if all SEA members were arrested tomorrow, similar crimes would continue to occur. The nature of the Internet is that even the most inept criminals will eventually figure out a way to compromise just about any organization, given enough time.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies