Syrian Electronic Army: Who are they and what do they want?

Syrian Electronic Army tweets take responsibility for hacking The New York Times website. The attack fits the group's MO: hit influential media outlets critical of Syria.

A woman exits the New York Times Building in New York earlier this month. The paper's website was hacked by the Syrian Electronic Army.

Brendan McDermid/Reuters/File

August 28, 2013

For the Syrian Electronic Army, a hacktivist group that hit The New York Times Tuesday, the goal was to pull off a propaganda victory like none other.

The attack might have at least partly accomplished that aim, though not in the way the SEA had intended. Since the SEA's first reported attack – on Harvard University’s home page in September 2011, replacing photos on the website with an image of Syrian President Bashar al-Assad and the words “Syrian Electronic Army Were Here” – the group has been credited with 11 attacks over the past two years.

Among the targets: the Huffington Post UK, BBC, NPR, Twitter, and “60 Minutes.” In April, the SEA even hacked the Associated Press Twitter account and tweeted that a bomb had gone off in the White House, producing a 150-point drop in the Dow Jones Industrial Index.

But attempts to divert New York Times traffic to the SEA website Tuesday lasted about three minutes. The SEA's servers were far too weak to withstand the deluge, preventing readers from finding a statement that began “People of the world....” and proceeded to attack the US and justify Syrian soldiers “defending their homeland.”

“The @nytimes attack was going to deliver an anti-war message but our server couldn’t last for 3 minutes,” complained a tweet by @Official_SEA16, who purports to be with the “SyrianElectronicArmy.”

Another tweet followed: “Our website and domain are now down, but it was worth the attempt, for #Syria and world peace.”

The attacks follow a pattern of attempting to counteract news media unfavorable to Mr. Assad – and to get as much attention as possible for the group. The SEA is not, however, simply a grass-roots endeavor, cyber experts say. Its members are tightly aligned with the Assad regime and are supplied with equipment, software, and training from Syria’s intelligence services, they add.

“The motive is basically to knock down media messages they don’t like and to draw attention to the SEA – to say, ‘We are strong, the regime supporters are here, they’re strong,” says Amjad Baiazy, author of a study titled “Syria’s Cyber Wars.” “Winning the propaganda war is much more important to these guys than even winning the ground war.”

Can Syria heal? For many, Step 1 is learning the difficult truth.

The attack on the Times’s Internet domain name service appears to fit the SEA’s agenda. It came close on the heels of articles freshly posted to the Times website focusing on reported gas attacks against Syrian civilians.         

“They’re going after media organization that they feel are potentially hostile toward Syria,” says John Bumgarner, a cybersecurity expert. “They haven’t gone after banks or big financial targets, really. They’re going after media outlets to draw attention away from their message.”

Even though the attackers plans went awry Tuesday, the attack succeeded in grabbing public attention and preventing millions of readers from accessing the Times.

“Today the majority of Americans don’t even know where Syria is on the map, but by targeting The New York Times site, they are getting huge publicity for the SEA,” Mr. Baiazy says. “So it’s a huge success for the SEA for gaining a wider Western audience.”

Hacktivists are often dismissed as a serious threat because they are seen as having limited technical abilities and crude methods – but maybe that thinking should change, some experts say. This hack reportedly involved an e-mail phishing attack on a smaller reseller linked to the Australian Internet registrar Melbourne IT, which supplied the Times with web domain name service.

“We’re seeing a rise in hacktivism from Anonymous to Lulzsec, now we’re seeing Palestinian and Iranian groups doing attacks on YouTube – Russian and Malaysian groups, too,” says Paul Ferguson, vice president of threat intelligence for IID, a cybersecurity firm in Tacoma, Wash. “The barrier to entry for groups like this to cause bad things on the Internet is getting lower.”

Timeline of Syrian Electronic Army attacks

Sept. 26, 2011. The Syrian Electronic Army hacked into Harvard University’s homepage, replacing photos on the website with an image of Assad and the words “Syrian Electronic Army Were Here.”

August 2012. Reuters was the target of three different attacks, first on the news agency’s blog, then its Twitter feed, and then on its blog again. The Syrian Electronic Army said it was behind the attacks.

Sept. 9, 2012. The SEA claimed responsibility for a hack into Al Jazeera’s SMS breaking news alert system. The hackers sent fake messages, including one stating that an attempt had been made to assassinate Qatar’s prime minister.

March 21, 2013. BBC Weather, Arabic, and Ulster Twitter accounts were hacked by the SEA. The attack included a series of tweets about weather conditions in the Middle East including “Chaotic weather forecast for Lebanon as the government decides to distance itself from the Milky Way.” The BBC regained control of its Twitter accounts within several hours.

April 15, 2013. Just before midnight, SEA messages began appearing on NPR-affiliated Twitter accounts, which were followed by a statement on SEA’s Twitter feed: “We will not say why we attacked @NPR … They know the reason and that enough #SEA #Syria.”

April 20, 2013. The SEA took credit for hacking the “60 Minutes” Twitter account and tweeted messages such as “The Syrian army’s fight is your fight. The Syrian army fights for all humanity.” The “60 Minutes” account was briefly suspended while the hack was investigated.

April 23, 2013. The SEA hacked into the Associated Press Twitter account and tweeted that a bomb had gone off in the basement of the White House, sending the Dow Jones into a brief tailspin.  

April 29, 2013. The Guardian reported that 11 Twitter accounts affiliated with the newspaper were hacked by the Syrian Electronic Army.

May 17, 2013. The SEA hacked into the Human Rights Watch Twitter account, posting message such as “All Your reports are FALSE!! Stop lying!!!”

May 17, 2013. The Financial Times’s site and Twitter account were hacked by the SEA. Twelve posts entitled “Hacked by the Syrian Electronic Army” appeared on the FT’s tech blog, according to an article by the Financial Times.

Aug. 15, 2013.  Outbrain, a content recommendation service used by some major news outlets, was hacked by the SEA. The early-morning attack on Outbrain affected The Washington Post, Time, and CNN, but by the afternoon, Outbrain had fixed the security breach, and the news sites were back up and running.    

Aug. 27, 2013. The SEA hack prevented The New York Times from getting its website up and running again until Aug. 28.