The Syrian Electronic Army was careless with Gmail, Facebook

Investigators easily connected alleged SEA members with their real identities

If you're a hacker, it's a good idea to stay away from Facebook and Gmail to communicate with your colleagues.

Three men, who allegedly were part of a multi-year hacking campaign executed by the Syrian Electronic Army (SEA), left a long digital trail that didn't make them hard to identify, according to court documents.

The U.S. Department of Justice unsealed charges on Tuesday against the men, who are accused of hacking companies and defacing websites.

The SEA, which emerged around July 2011, claimed credit for prominent hacks that sought to support Syrian President Bashar al-Assad. The group targeted the White House, Harvard University, Reuters, the Associated Press, NASA and Microsoft, among others.

Those charged are Ahmad Umar Agha, 22, of Damascus, Syria; Firas Dardar, 27, of Homs, Syria, and Peter Romar, 36, of Walterhausen, Germany. They were charged in the U.S. District Court for the Eastern District of Virginia with multiple conspiracies related to computer hacking, prosecutors said in a news release.

Agha and Dardar are believed to be in Syria, which may make it difficult for them to face trial in the U.S. The FBI has added them to its Cyber's Most Wanted list, offering a US$100,000 reward for information that leads to an arrest.

The Washington Post, citing U.S. officials, reported on Tuesday that Romar was arrested in Germany, and the government will seek his extradition.

The group was accused of breaching organizations primarily through targeted emails that sought to trick recipients into divulging account credentials, a scheme known as phishing.

Their attacks were frequently successful. In 2011 and 2012, the SEA posted fraudulent content on the websites of Reuters and the Washington Post.

The SEA also briefly took over the Associated Press' Twitter account in April 2013, posting a bogus tweet that the White House had been bombed and that U.S. President Barack Obama was injured.

Much of their other activity was centered on punishing media outlets for their coverage of the Syrian conflict. The SEA defaced Web pages and at times directed major websites to ones they controlled.

Such high-profile targets brought the group under intense scrutiny, though, and the criminal complaints made public on Tuesday show they took few precautions to mask their identities.

Agha, whom investigators allege is "The Pro," registered a Gmail account in November 2010 with a phone number.

"This email account was used to receive stolen credentials from victims, to register domains used by the conspiracy and to communicate with co-conspirators," the criminal complaint reads.

The Gmail account also contained an email with Agha's real identification documents along with wedding photos.

Dardar, who is believed to have used the nickname "The Shadow," exchanged 218 emails with Agha, also through a Gmail account he registered, prosecutors said.

Peter Romar allegedly maintained a Gmail account under the name "Pierre Romar" and a Facebook account under the same alias. Investigators found a copy of his German passport in his Gmail, job applications and messages to Dardar sent through Facebook, the complaint says.

Law enforcement can get access to online accounts of suspects by obtaining warrants from a court.

Private computer security companies had also been unraveling the digital trail around the same time as law enforcement.

IntelCrawler, a firm now owned by InfoArmor, published an extensive 94-page report on the SEA, which contained detailed technical documentation of The Pro and The Shadow.

Join the CSO newsletter!

Error: Please check your email address.

More about Department of JusticeFacebookFBIHarvard UniversityMicrosoftNASATwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place