War Stories: What Businesses Can Learn From The Art Of Cyber Warfare

Ian Trump explores some of the IT security takeaways from the recent trial in the US of a member of the Syrian Electronic Army.

An interesting story caught my attention recently about the trial of a member of the Syrian Electronic Army (SEA), and I wanted to take this opportunity to do a deep dive into it to understand what recent cyber war operations might look like. Strangely, they look an awful lot like the regular battle most of the small and medium businesses I know face almost every day. However, in the case of many overseas cyber war protagonists the urge to “make a little money” from hacking skills puts everyone at risk.

It’s a pretty rare occurrence that a Syrian national, and current or former member of the SEA, ends up in a US Court. In this case, Peter Romar – known online as “Pierre Romar” (not the best alias ever) – was picked up by German authorities and extradited to the US to face a whole pile of charges, including engaging in a hoax regarding a terrorist attack; attempting to cause mutiny of the US armed forces; illicit possession of authentication features; access device fraud; unauthorized access to, and damage of, computers; and unlawful access to stored communications.

Beginning in 2011, Firas Dardar – known online as “The Shadow” (Wanted) – and Peter Romar were both members of the SEA’s “Special Operations Division”, which engaged in a multi-year criminal conspiracy to conduct computer intrusions against perceived detractors of President Bashar al-Assad, including media entities, the White House, and foreign governments. I’m certain both felt they were doing their patriotic duty as loyal followers President al-Assad.

However, believe that working in the cyber warfare unit of many countries, may not be that great. Perhaps one of the reasons we are seeing more sophisticated and stealth malware and hacking attempts on business is because system exploitation is a very transferable skill, especially in demand by the criminal underground. It would appear patriotism turns to profit fairly easily. But there seems to be a pretty low level of clandestine trade-craft being practiced here, and attempts to use Romar as the money launder ended in pretty epic failure.

This is where our story seems to support my opinion, from the Complaint:

Beginning in 2013, SEA members also engaged in an extortion scheme that involved hacking online businesses in the United States and elsewhere for personal profit. Specifically, the complaint alleges that the conspiracy would gain unauthorized access to the victims’ computers and then threaten to damage computers, delete data or sell stolen data unless the victims provided extortion payments to Dardar and/or Romar.  In at least one instance, Dardar attempted to use his affiliation with the SEA to instill fear into his victim.  If a victim could not make extortion payments to the conspiracy’s Syrian bank accounts due to the Syrian Sanctions Regulations or other international sanctions regulations, Romar would act as an intermediary in an attempt to evade those sanctions.

The key point to grab here is “personal profit” and from the actual warrant I reviewed on the DOJ PACER system; both of these SEA operatives used Facebook and Gmail accounts. I would not recommend friending either one of them. What is more interesting is this:

A review of records obtained from a court-authorized search warrant confirms that the sea.the.shadow@gmail.com account was controlled by Dardar. Among other things, the account contained emails in which the user of the account sent scanned attachments of identification documents issued by the Syrian Ministry of the Interior, including Dardar’s personal identifiers, and the account regularly received incoming correspondence addressing the recipient as “Feras Dardar” or “Firas Nour Alden Dardar.” In addition, on multiple occasions Dardar sent emails from this account to his hacking victims that included photographs depicting his banking information (so that victims could send money to him as part of the extortion scheme), which consistently listed his name as the beneficiary of the account.

 You are not reading this wrong, these so-called SEA Special Operations Division hackers were sending Personally Identifiable Information to American cloud service providers. The most interesting part of how this cyber-attack and extortion plan worked comes about half way through the warrant, in summary:

  1. A hacker breaks into a system, utilizing a phishing email, the email is designed to entice the recipient into clicking on a hyperlink.
  2. Recipients that clicked on the hyperlink were asked for login credentials for their accounts on legitimate computer systems.
  3. The hacker then uses the legitimate to access the victim’s computer systems.
  4. The hacker then redirects legitimate Internet traffic to or from the victim’s systems, defaces and alters website text, sends messages using the victim’s accounts, attempts further phishing attempts, steals data, or engages in other illegitimate activities.
  5. The hacker then sends emails from a personal account to employees of the victim entities that indicated his responsibility for the hack and provides proof of the system compromise.
  6. The hacker would then demand payments from the victim and make threats about what would happen if payment was not received, including threats that he would cause further damage to the victim’s systems, or sell information stolen from the victim to other hackers.

Romar, who resided in Germany, would receive funds from victim organizations who could not transmit money directly to Syria due to the sanctions against Syria. All with the knowledge that he was receiving funds from the victims of his co-conspirators’ hacking activities and that he was assisting Syria in evading the relevant sanctions.

If you want to read the whole 26 page warrant, here is the drop box link to it: https://www.dropbox.com/s/rfnlsigkxzhbs3b/Romer%20Peter%20AoD.pdf?dl=0

When we analyze the attacks; there would have been many opportunities to prevent them. They were astonishingly simple and started with a phishing email, a website which collected user login ids and passwords and then the hacker’s alteration of DNS records. Email protection services, web protection services, firewall rules locking down DNS traffic and removing administrative rights to prevent any changes to the system configuration could have prevented these attacks.

This is great take away information from cyber warfare operators turned criminals on how to prevent similar attacks to your systems. The indictment tells us how the attack was conducted and the points where it could have been prevented with a layered defence. Read and learn.

About Ian Trump
Ian-TrumpIan Trump is security lead for LOGICnow, you can follow Ian on Twitter at @phat_hobbit.
In this article