This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html

The article has changed 7 times.

Version 5 Version 6
Hunting for Syrian Hackers’ Chain of Command
(35 minutes later)
It’s the question of the moment inside the murky realm of cybersecurity: Just who — or what — is the Syrian Electronic Army?
The hacking group that calls itself the S.E.A. struck again on Friday, this time breaking into the Twitter accounts and blog headlines of The Financial Times. The attack was part of a crusade that has targeted dozens of media outlets as varied as The Associated Press and The Onion, the parody news site.
But just who is behind the S.E.A.’s cybervandalism remains a mystery. Paralleling the group’s boisterous, pro-Syrian government activity has been a much quieter Internet surveillance campaign aimed at revealing the identities, activities and whereabouts of the Syrian rebels fighting the government of President Bashar al-Assad.
Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers. It’s a high-stakes search. If researchers prove the Assad regime is closely tied to the group, foreign governments may choose to respond because the attacks have real-world consequences. The S.E.A. nearly crashed the stock market, for example, by planting false tales of White House explosions in a recent hijacking of The A.P.’s Twitter feed.
The mystery is made more curious by the belief among researchers that the hackers currently parading as the S.E.A. are not the same people who started the pro-Assad campaign two years ago.
Experts say the Assad regime benefits from the ambiguity. “They have created extra space between themselves and international law and international opinion,” said James A. Lewis, a security expert with the Center for Strategic and International Studies.
The S.E.A. emerged during the Syrian uprisings in May 2011, they said, to offer a pro-Assad counternarrative to news coming out of Syria. In speeches, Mr. Assad likened the S.E.A. to the government’s own online security corps, referring to the group as “a real army in a virtual reality.”
In its early incarnation, researchers said, the S.E.A. had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers. Several early members belonged to the Syrian Computer Society, a technical organization run by Mr. Assad before he became president. Until last month, digital records suggest, the Syrian Computer Society still ran much of the S.E.A.’s infrastructure. In April, a raid of S.E.A. Web domains revealed that the majority were still registered to the society.
S.E.A. members initially created pro-Assad Facebook pages and spammed popular pages like President Obama’s and Oprah Winfrey’s with pro-Syrian comments. But by the fall of 2011, S.E.A. activities had become more premeditated. They defaced prominent Web sites like Harvard University’s with pro-Assad messages, in an attack a spokesman characterized as sophisticated.
At some point, the S.E.A.’s crucial players disappeared and a second crop of hackers took over. The current group consists of roughly a dozen new actors led by hackers who call themselves “Th3 Pr0” and “The Shadow” and function more like Anonymous, the loose hacking collective, than a state-sponsored brigade. In interviews, people who now identify as the S.E.A. insist they operate independently from the Assad regime. But researchers who have been following the group’s digital trail aren’t convinced.
“The opportunity for collaboration between the S.E.A. and regime is clear, but what is missing is proof,” said Jacob West, a chief technology officer at Hewlett-Packard. As governments consider stronger responses to malicious cyberactivity, Mr. West said, “the motivation for Syria to maintain plausible deniability is very, very real.”
Version 5: Long before the S.E.A.’s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like “Dark Comet” and “BlackShades” sending information back to Syria’s Ministry of Communications. The software — which tracked a target’s location, read e-mails and logged keystrokes — disguised itself as an encryption service for Skype, a program used by many Syrian activists.
Version 6: Long before the S.E.A.’s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like “Dark Comet” and “BlackShades” sending information back to a Syrian state-owned telecommunications company. The software — which tracked a target’s location, read e-mails and logged keystrokes — disguised itself as an encryption service for Skype, a program used by many Syrian activists.
Mr. Marquis-Boire has uncovered more than 200 Internet Protocol addresses running the spyware. Some were among the few kept online last week during an Internet disruption in Syria that the government blamed on a “technical malfunction,” but experts described as a systematic government shutdown.
S.E.A. members deny spying on Syrian civilians. “We didn’t do that and we will not,” the hacker who identifies himself as Th3 Pr0 wrote in an e-mail. “Our targets are known,” he wrote, referring to the group’s public Twitter attacks. Researchers have tracked several of those attacks — including that on The Onion and another against Human Rights Watch in March — to a server in Russia, which they believe is redirecting attacks from Syria. Last weekend, researchers traced one attack back to a Syrian I.P. address registered to Syriatel, a telecommunications company owned by Rami Makhlouf, Mr. Assad’s first cousin.
Dissidents say that connection is proof the S.E.A. is backed by the Assad regime and claim that the Twitter attacks are just the outward-facing component of a deeper surveillance campaign.
“There is no doubt they are the same,” said Dlshad Othman, a Syrian in Washington who helps dissidents get rid of the spyware.
The smoking gun, Mr. Othman and others say, was an S.E.A. attack last year on Burhan Ghalioun, a Syrian opposition leader. Shortly after Mr. Ghalioun’s Facebook page was hacked, it began serving spyware to fans. Mr. Ghalioun’s e-mails also showed up on an S.E.A. leak site.
The other potential link, they say, is a list of opposition leaders that surfaced in July, after S.E.A. members boasted they could help the regime quickly search for the names of opponents. Mr. Othman said the boasts were proof the S.E.A. worked with the regime and kept tabs on dissidents.
Ironically, that opposition search most likely led to the S.E.A.’s internal shake-up. Activists say encryption on the document was cracked, and in July it popped up on Pastebin, a Web site for anonymous postings.
“There was a view that the government blamed the S.E.A. for the leak,” said John Scott-Railton, a Citizen Lab research fellow.
In the days that followed, Facebook accounts for known S.E.A. members went dark. S.E.A. aliases that researchers had been tracking suddenly vanished. New members with different monikers assumed the group’s name. Researchers say the hackers behind the recent spate of Twitter hacks are far less organized.
Outside Syria, the Twitter attacks made people take note of the S.E.A. But inside Syria, they barely registered. Dissidents there are more concerned with the mounting spyware infections and imprisonments. And researchers have seen the spyware tracking a new target: aid workers.
“The Syrian opposition are quite paranoid and aware of the stakes,” Mr. Marquis-Boire said. “But then you get foreign aid workers who show up to do good work, but are not as paranoid about their operational security.”
“It’s a smart move if you think about it,” he added.

This article has been revised to reflect the following correction:

Correction: May 17, 2013

Version 5: An earlier version of this article referred incorrectly to a representative of The Financial Times, Ryann Gastwirth. She is a spokeswoman, not a spokesman.

Version 6: An earlier version of this article based on previous reporting referred incorrectly to a representative of The Financial Times, Ryann Gastwirth. She is a spokeswoman, not a spokesman.