The Complex

How Did Syria's Hacker Army Suddenly Get So Good?

At first glance, they may seem just like pro-Assad thugs and online vandals, commandeering Web sites in the name of their favorite dictator. But the hacker group known as the Syrian Electronic Army is getting more ambitious and sophisticated, say experts who've looked closely at the tactics underlying their attacks. The hackers may even be receiving outside help from more skilled and dangerous groups - or even from governments.

The SEA has been around since 2011, and so far has been known mostly for relatively simple acts of vandalism like Web site defacements. (Most recently, the group grabbed international attention after commandeering the Web sites of the New York Times, the Washington Post, and yesterday the recruitment Web site for the U.S. Marine Corps.) But in the spring of this year, the group started to up its game. It went after bigger targets, like when it hijacked the Twitter feed of the Associated Press and sent out a false report about a bombing at the White House. But it also hacked into Web-based communications services used by Syrian rebels to avoid detection by the regime. The goal presumably wasn't to vandalize those sites, but to gather information about the rebels who were using them.

As the SEA's ambition has grown, so has its skill level. The attack on the New York Times effectively gave the group control of the entire Web site. It was accomplished not by a frontal assault, but by changing information in the Domain Name System databases via a company in Australia. Anyone who tried to visit the Times Web site was redirected to another site under the SEA's control, sporting its logo. Not exactly high-end tradecraft, but not the work of simple vandals, either, which is what the SEA has long been known for.

"The [SEA] apparently uses low-level tactics to compromise websites and Twitter accounts, but they should not be underestimated," says Helmi Noman, the senior researcher at Citizen Lab, a research group at the University of Toronto that studies hacker networks. "They should not be evaluated based on their level of sophistication, but rather on the potential damage they can cause with unauthorized access to websites."

So how did the SEA get better in only a few months?

"I don't think it would be unreasonable to suspect someone more skilled is helping them out," says Adam Myers, the Vice President of Intelligence for CrowdStrike, a computer security company. In the attacks on the Times, Twitter, and communications services such as Tango, a popular video and text messaging application, and Viber, which lets users make free phone calls via the Internet, the SEA got access to accounts as well as to other data in the companies' systems.

"That would indicate that they've been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers," Myers says. "I think the likely candidates would be Iran."

If Iranian forces have joined forces with the SEA, that could be a problem for the United States. Iranian hackers have already demonstrated their prowess, and they don't limit themselves to single Web site attacks and propaganda campaigns. Last year, an operation that erased data on tens of thousands of computers at the oil company Saudi Aramco, as well as a massive denial of service attack on the Web sites of U.S. banks, which were both attributed to Iran, sent waves of panic throughout U.S. intelligence and law enforcement agencies.

What's known about the SEA's members has come in large part from journalists, as well as other hackers. Last week, the hacker group Anonymous, probably the best known in the world, released information it stole from an SEA server. The Anonymous intrusion helped to confirm some details about how the group works; for instance, it is apparently not officially aligned with the Assad regime, but is comprised of supporters who may receive some backing from the government. But Anonymous also showed that the SEA is not impervious. The hacker collective claimed to release information about the SEA's core members, including their personal e-mails and passwords for their accounts. The SEA claims their systems were never breached, and that reports identifying their members are erroneous.

Regardless of who is running the SEA, officials in the United States are preparing for a retaliatory strike in cyberspace by forces allied with the Syrian regime. In anticipation of those strikes, the FBI is more closely monitoring Syrians inside the United States and is warning companies and government agencies to brace for possible cyber strikes. U.S. intelligence agencies are also monitoring potential Syrian cyber attacks and keeping lawmakers informed, according to a congressional staffer.

Would the SEA be the likely group to carry out those attacks? Possibly. But they're not the only force available.

Syria has become a digital battlefield for a range of malicious actors, including pro-regime spies and propagandists, says Rafal Rohozinski, the CEO of SecDev Group, which monitors communications activity in Syria. The SEA has not made any great technological leaps or advances in tradecraft, he argues, but they have become more "deliberative and strategic" in how they work. They're taking the time to select more valuable targets that will give them the most bang for their buck.

And in that sense, the SEA's evolution reflects the broader hacker landscape. In June, Citizen Lab published a report on two operations conducted by what it called "pro-government electronic actors," which were narrowly targeted to trick opposition members into installing spyware on their computers. Unlike the SEA's high-profile, public Web site defacements, these attacks were designed to go unnoticed.

In one operation, the group sent electronic messages to rebels posing as someone they knew or were likely to know. These messages encouraged victims to download a communications technology called Freegate, which was designed to help dissidents circumvent state surveillance agencies. The program was actually a piece of malware that lets the intruder monitor what the infected user is typing on his computer, and also read and remove his files. In other words, pro-Assad hackers used the fear of Assad's spies to start snooping on dissidents. Clever.

In the second operation, victims were sent messages encouraging them to click on a link to a sermon by a pro-opposition cleric. When they did so, it activated a program that effectively put the user's computer under the hacker's control.

This kind of targeted, tailored hacking was useful for gathering intelligence on the location of rebels and their allies, and then killing or capturing them, Rohozinski says. The attacks have fallen off in recent months, he added, as the intensity of the physical fight in Syria has increased. Perhaps the regime doesn't need to spy on rebels when it can kill them with poison gas.

If there is a retaliatory cyber strike against the United States -- and experts sound increasingly convinced there will be one -- it could come from any number of sources, inside or outside the country. The SEA may be the most well-known of the Syrian hacker armies, but maybe not for long.

National Security

Meet the Military Forces Gathering on Syria's Doorstep

While the United States is ready to strike a handful of targets on the ground in Syria, any international conflict there will take place on a much larger stage. The entire region is full of a witches' brew of military hardware from more than half a dozen nations with interests in the Syrian conflict.

The United States and France are prepared to strike the government of Syrian President Bashar al-Assad from the Mediterranean Sea and a ring of air bases surrounding Syria. Meanwhile, three of America's most powerful military allies -- Britain, Turkey, and Israel -- are publicly staying on the sidelines, albeit with their militaries primed to defend against any Syrian counterattack. Then there are Assad's friends, Russia and Iran, both of which have military personnel on the ground in Syria.

Here's a look at the mix of military forces facing Assad -- and each other -- in and around the Levant.

The United States already has Syria ringed with Patriot missile batteries in Jordan and Turkey and has four Arleigh Burke-class guided missile destroyers parked in the eastern Mediterranean Sea. This little fleet is likely armed with a mix of Tomahawk cruise missiles to attack ground targets in Syria and surface-to-air missiles capable of defending the ships from attempts to attack them by air.

If U.S. President Barack Obama does decide to fire a warning shot -- as he has described any U.S. military action there -- at Assad, these ships and their Tomahawks will likely play a major role.

In addition to the four destroyers, the United States may well have one of its four guided missile submarines prowling the waters near Syria. These subs used to carry massive Trident nuclear-tipped ballistic missiles. Over the last decade they had their nuclear payloads removed and were refitted to carry up to 154 Tomahawk cruise missiles in 22 of their 24 giant missile tubes. This class of ships saw its combat debut during the 2011 campaign to oust former Libyan dictator Muammar al-Qaddafi when the USS Florida fired more than 90 Tomahawks at targets in Libya.

Meanwhile, the U.S. Air Force's fleet of spy planes that will likely track targets and intercept communications by Assad's forces can operate out of NATO's giant base at Incirlik, Turkey, and the U.S. bases along the Persian Gulf. Both Al Udeid air base in Qatar and Al Dhafra air base in the United Arab Emirates (UAE) already see a steady deployment of E-8 Joint STARS radar planes, along with U-2 Dragon Lady and RQ-4 Global Hawk spy planes that are all used to find ground targets. These Persian Gulf bases also regularly host RC-135 Rivet Joint electronic spy planes that snoop on enemy radio communications and radar transmissions, as well as B-1 Lancer heavy bombers and KC-135 and KC-10 tankers that would refuel the airborne armada.

Meanwhile, France says it is preparing for action against Syria and already has a detachment of cruise-missile-carrying fighter jets -- three to six Mirage 2000s or Rafales -- alongside the American planes at Al Dhafra in the UAE. The French Navy frigate Chevalier Paul, armed to the teeth with anti-aircraft and anti-missile missiles, is also said to be steaming toward the eastern Mediterranean, though the French government says the ship is merely conducting a training cruise.

Next among the major allied forces on Syria's doorstep is Turkey, which has placed its military on alert and says it would support military action against Assad's regime, which shot down a Turkish RF-4 Phantom fighter jet in 2012. Right now, it seems like all Turkey has said it will do to support strikes against Assad is offer the use of the NATO base at Incirlik to the United States.

If Turkey decides to play a more muscular role in strikes against Assad, its air force is likely the military branch that will carry it out. The Turkish air force is equipped with the SOM missile and the standoff land attack missile; both are long-range cruise missiles that are carried by the service's 196 F-16 Falcon fighter jets. Turkey has also placed anti-aircraft missile batteries along its border with Syria to defend from attack by Assad's missiles and aircraft.

Just as Turkey is on the sidelines, so is Syria's southern neighbor Jordan, a nation that has zero desire to get involved in a conflict that could spill over its borders.

"Jordan will not be a launching pad for any military action against Syria," said Mohammad Momani, Jordan's information minister, on Aug. 28. Instead, the small nation sandwiched between Israel, Iraq, Syria, and Saudi Arabia is calling for a diplomatic solution to the fighting in Syria.

Still, Jordan isn't taking any chances and is hosting American Patriot air defense missiles and a detachment of about 12 U.S. Air Force F-16 Falcon fighter jets. These American forces are there to protect Jordan from any attack by Assad's forces and not to participate in strikes against Syria.

Next up are the British, who sent six Typhoon fighter jets to their base on Cyprus, RAF (Royal Air Force) Akrotiri. Then the British Parliament got involved and said that Britain can't participate in any strike against Syria. It looks like the RAF's insistence that these fighters are not going to participate in any strikes against Syria and are merely there to protect British facilities in the region is legit.

"This is a precautionary measure, specifically aimed at protecting UK interests and the defence of our Sovereign Base Areas at a time of heightened tension in the wider region," reads a British Defense Ministry statement on the deployment. "They are not deploying to take part in any military action against Syria."

Syria's dwindling number of friends is also offering support.

Russia, Syria's longtime ally and top weapons supplier, is urging the United States not to strike Syria and is sending the guided-missile cruiser Moskva and an unidentified anti-submarine ship from its Northern Fleet to the eastern Mediterranean. Still, Russian military officials insist this deployment is part of a normal training rotation and is not linked to the situation in Syria, reported Russia's state-owned RIA Novosti news agency on Aug. 29. Russia's only overseas naval base is located in the Syrian port of Tartus and is used to support Russia's increasing number of naval patrols on the Mediterranean Sea.

The ship-routing deployment comes the same week that Russia's Interfax news agency reported that the Kremlin is planning to evacuate personnel from its naval base at Tartus who would normally be used to support the vessels. An IL-62 cargo plane belonging to the Russian Emergency Ministry made a very quick overnight flight from Moscow to the Syrian port of Latakia on the night of Aug. 27, staying on the ground less than two hours to pick up dozens of Russians looking to get out of Syria.

Syria's other main ally, Iran, is complicating matters by promising retaliation if the United States launches strikes against Syria.

Gen. Mohammad Ali Jafari, commander of Iran's Revolutionary Guards, was quoted in the Iranian news outlet Tasnim as saying an attack on Syria "means the immediate destruction of Israel," USA Today reported.

Iran and Hezbollah, Iran's proxy in Syria and Lebanon, are heavily involved in defending the Assad regime from the largely Sunni rebels fighting it. Iran doesn't have any warships or major military facilities near Syria. However, the Quds force, Iran's special unit responsible for conducting clandestine military operations overseas, has been helping the Syrian military fight the rebels for more than a year by providing training and materiel. While the vast majority of Syria's military hardware comes from the former Soviet Union and China, Iran gives the Assad regime drones, ballistic missiles, artillery rockets, and anti-tank missiles.

As for Israel, while its leaders say it won't participate in U.S.-led strikes on Assad, its air force has been striking targets inside Syria throughout the last year, usually hitting arms depots or weapons convoys in hopes of preventing some of Syria's more advanced weapons from being shipped to terrorist organizations. As talk of a U.S. strike on Syria ramps up, the Israeli military has mobilized reserve forces, massing them on its northern border near Syria. Israeli government officials have said that Israel will punch back if Syria, Iran, or Hezbollah attacks it in response to American airstrikes.

"Those seeking to strike us will find us sharper and fiercer than ever," Lt. Gen. Benny Gantz, Israel's top military commander, was quoted by the Washington Post as saying. "Our enemies must know we are determined to take any action needed to defend our citizens."

There you have it: an entire, heavily armed corner of the world on edge, a dictator desperately fighting for his life, and an Iran that might have something to prove. What could possibly go wrong?
