Researchers Kenneth Geers and Ayed Alqarteh from FireEye have put together a brief dossier on the Syrian Electronic Army (SEA). They describe the SEA as a group of political hacktivists working in support of Syrian President Bashar al-Assad. The extent of direct Syrian government involvement is not known, but the group's official website was registered by the Syrian Computer Society (SCS).
Before becoming president of the country, Assad had been president of the SCS. Just over a year ago, after its own Twitter feed had been hacked by the SEA, Reuters noted that the Syrian Computer Society is "a group now widely believed to have been something of a precursor to the 'Syrian Electronic Army.'" If this is true, there may still be a direct link between Assad and the SEA.
"One could speculate that funding might always be a concern or focus for a politically motivated group that does not have the resources of a Nation State at its disposal, but I suggest that there's no way for us to know this for certain," Simon Mullis, a system engineer at FireEye, told Infosecurity.
Nevertheless, it is worth bearing in mind a potential link between the group and the Syrian government when considering the SEA's known targets. The FireEye report notes two particular categories of target: the Twitter accounts of high-profile media organizations, and more recently "three widely-used online communications websites."
The Twitter hacks have been almost purely political propaganda events, with victims including Al Jazeera, the Associated Press, the BBC, the Daily Telegraph, the Financial Times, the Guardian, the Onion, Reuters and many more. Most have been achieved through spear-phishing and are designed to spread pro-Assad propaganda to as wide an audience as possible, often with a layer of 'humor'. The latest hack of Thomson Reuters, for example, posted a series of tweets, each linking to a pro-government cartoon. Usually the effect has been embarrassing rather than directly damaging to the victims, although the AP hack did cause a dramatic, if momentary, collapse in Wall Street trading.
The communications companies may be a different matter. This month the SEA has hacked Truecaller (home to the world's largest online telephone directory); Tango (stealing 1.5 TB of data, including user information); and Viber (a free VoIP and text messaging service with more than 2 million customers). Viber has denied that any private user information was lost. But all three services hold personal data "which could," says FireEye, "have serious real-world consequences for Syria's political opposition."
This brings us to a possible third category of SEA target of which we know very little: Syrian political activists. "SEA’s two primary goals are to improve the Syrian government’s image and to maintain pressure on the Syrian political opposition," says FireEye. The former is done overtly through the Twitter hacks, while the latter is likely done more covertly. "SEA is believed to have used the following Remote Access Tools (RAT) and Trojan Horse applications in the past: Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast."
These trojans give the attacker keylogging, document and data theft, and audio eavesdropping capabilities. "And of course," adds FireEye, "SEA likely sends all of this information to a computer address lying within Syrian government-controlled Internet Protocol (IP) space for intelligence collection and review." The high-profile, humorous Twitter hacks may be drawing attention away from far more sinister surveillance of the opposition.