As we were getting ready to declassify the #1 Active Directory Security Risk to organizations worldwide, we received a request to consider delaying its declassification, in light of the possibility of more cyber attacks from the Syrian Electronic Army (SEA), as Washington mulls possible military action against Syria.
Who is the Syrian Electronic Army?
According to Wikipedia, the Syrian Electronic Army is a collection of pro-government computer hackers aligned with the Syrian President -
"The Syrian Electronic Army (SEA), also known as the Syrian Electronic Soldiers, is a collection of pro-government computer hackers aligned with Syrian President Bashar al-Assad. Using denial of service attacks, defacement, and other methods, it mainly targets political opposition groups and western websites, including news organizations and human rights groups. The Syrian Electronic Army is the first public, virtual army in the Arab world to openly launch cyber attacks on its opponents, though the precise nature of its relationship with the Syrian government is debated."
In recent months, the Syrian Electronic Army has taken credit for Web attacks on media targets that it sees as sympathetic to Syria's rebels, including prior attacks on the New York Times, the Washington Post, Agence France-Presse, 60 Minutes, CBS News, National Public Radio, The Associated Press, Al-Jazeera English and the BBC.
Although their attacks have thus far been simplistic (DDoS and defacement), one of the latest was a targeted spear-phishing attack, so they do seem capable of attempting more sophisticated attacks, especially if they are receiving technical assistance from the Russians, the Iranians, or others.
An Increase in Cyber Security Attacks from the Syrian Electronic Army
Quoting Helmi Noman, a senior researcher at the Citizen Lab, Munk School of Global Affairs at the University of Toronto, who has been tracking the Syrian Electronic Army since May 2011 - "They said they are determined to escalate attacks on websites belonging to the United States, European countries and all the countries preparing a possible military action against Syria," Noman said. He also said that "This suggests that the group will try to carry out more serious attacks."
Over the last few days, the Syrian Electronic Army has stepped up its attacks and disrupted major media websites, including that of the New York Times, and earlier today the Syrian Electronic Army hacked the website of Marines.com.
As Washington mulls possible military action in Syria, the next few days are sensitive, and the Syrian Electronic Army could potentially try to increase its attacks on the American media and other organizations.
Abundance of Caution
The entity that made this request has expressed concern that the Syrian Electronic Army, or their allies, could potentially misuse such new information to develop and deploy exploits aimed at attacking the corporate infrastructures of major media outlets, as well as military agencies and business organizations, both those of the US and those of its partners (notably England, France, Australia and others).
We doubt that the Syrian Electronic Army has the technical expertise needed to use advanced attack vectors (the simplest of which is the Pass-the-Hash attack vector) that depend on intimate knowledge of Windows Security and Active Directory Security. Their attacks thus far seem to be simplistic DDoS attacks, as well as social engineering attacks to accomplish phishing.
However, we do believe that other malicious entities out there might have the technical sophistication needed to swiftly use such advanced attack vectors. In fact, the only reason we are making this public is because we have reason to believe that at least one prominent advanced persistent threat may have already figured this out.
On the other hand, if the SEA is getting technical assistance from the Russians or the Chinese, then they could very well potentially acquire the capability to use advanced attack vectors to cause harm.
Thus, out of an abundance of caution, we decided to honor the request, and have postponed the declassification of this risk until September 12, 2013. Details can be found here.