Max Kobrak – Europe and Russia Section Chief, Cyber Contributor
4 February 2017
It is highly likely that both incarnations of the Syrian Electronic Army (SEA) have disbanded. The original state-sponsored SEA likely disbanded in 2013, after a domain seizure confirmed its ties to the Syrian Regime. The leaders of the current SEA are on the FBI’s Cyber Most Wanted List. SEA has not hacked a prominent target or been active on social media in over a year.
SEA is a pro-regime, and likely state-sponsored, hacking group founded in 2011.[i] A 2013 New York Times article stated, “the SEA had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers.”[ii] The majority of SEA’s activities involve hacking pro-opposition social media accounts and defacing them with pro-regime propaganda. The group also hacked the websites and social media accounts of several dozen major western media outlets.[iii]
In April of 2013, SEA hacked the Associated Press Twitter account and posted a fake tweet about a bombing in the White House, causing USD 136 billion to temporarily disappear from the stock market.[iv] The Syrian Computer Society (SCS), the state’s acting domain name registration authority, maintained SEA’s digital infrastructure from 2011-2013.[v] In May of 2013, Network Solutions LLC seized 708 Syrian domain names, the majority of which were used by SEA and hosted by the SCS.[vi] The seizure crippled SEA’s infrastructure and provided strong evidence of ties between the group and the Syrian regime.
Amad Umar Agha and Firas Dardar rebuilt SEA as a decentralized hacking group modeled on Anonymous. The new group consists of a dozen members and is loosely organized.[vii] SEA continued hacking and defacing western media accounts with minimal or no support from the regime. Between 2013 and 2015, the frequency of SEA attacks steadily decreased. During this time, Agha and Dardar began to use the organization as a front for cyber-crime. The pair used spear-phishing and ransomware to extort money from their victims.[viii] They recruited Peter Romar, a Syrian refugee based in Germany, to launder money past American sanctions.[ix]
In March of 2016, the FBI placed Agha and Dardar on its Cyber Most Wanted List and issued a USD 100,000 bounty for information leading to their capture. They are charged with involvement in the cyber-attacks on the U.S. government and U.S. media organizations, and attempted extortion of U.S. companies.[x] German law enforcement arrested Romar and extradited him to the U.S. in 2016; he is currently on trial.[xi]
SEA has not hacked a prominent organization in over a year, and none of SEA’s major operatives have been active since 2015. This suggests that the current SEA group has likely disbanded, for several reasons. SEA’s leadership are known cyber criminals wanted by the U.S. government, and the SEA’s “brand” is likely tainted by its association with cyber-crime instead of pro-regime “hacktivism”. The organization is very small and loosely organized, which would have made it difficult to withstand the external forces working to shut it down.
Analytic confidence for this assessment is high. The analyst used Analysis of Competing Hypotheses for this project. Source reliability is high and sources corroborated each other. The analyst’s expertise is low and the analyst worked alone. Subject complexity is moderate and the time available for the task was adequate.