The Syrian Electronic Army (SEA) has a history of being a group of Hacktivists that traditionally have defaced websites, conducted phishing attempts and ran massive amounts of redirects on legitimate websites. SEA launched its public campaign back in 2011 with a mission to attack enemies on the Syrian government and those that launch what they considered false propaganda about the situation in Syria. The SEA has previously claimed responsibility for attacking sites or social media accounts belonging to Washington Post, Financial Times, 60 Minutes, National Public Radio, The BBC, Associated Press and Al-Jazeera English. As recent news has indicated they have graduated to running effective attacks against domain registrars and actually hijacking domains such as the New York Times, Twitter and the Huffington Post. For Twitter, Tuesday was a day in which its attack affected their “user experience” by not allowing users to post or view their site.
The Registrar, Melbourne IT, who maintains domain records of the attacked sites, have been plagued with several attacks over the past several months and this is just one of the most public results. Below was a report on the registration of Twitter during the attack and as you can see the Admin/Tech name and email were changed to SEA and the email address to firstname.lastname@example.org.
Melbourne IT gave the following statement:
“The credentials of a Melbourne IT reseller were used to access a reseller account on the Melbourne ITA System. […] The DNS records of several domains on the reseller account were changed including the nytimes.com.”
SEA has also had its share of hacks against their infrastructure. It was once hosted in Syrian IP address space belonging to the Syrian Computer Soceity. An organization comprised of computer enthusiasts. These domains were hosted by web.com and seized in April as part of a 700 domain sweep. The site’s registration record was changed to web.com and had a note stating OFAC (Office of Foreign Asset Control) holding. Due to the site seizure the group decided to move their servers to a provider in Russia. During this transition to the new environment the servers of the group were hacked and the user database for sea.sy was downloaded. Many of the 140 usernames were linked to email accounts that happened to use the same passwords. A lot of intelligence was gathered on the group by the unknown hackers who compromised their database.
After extensive research of the group and its origins, there is currently a lot of speculation rather than facts. For example, there is a theory that the group may be working out of Iran based on some of the messages received from the group.  Regardless SEA has been very effective in their Hacktivist campaigns and we will continue to monitor their activity, as this will not be the last we hear from this group.