DOJ files charges against 3 Syrian Electronic Army members

Three SEA members were named in a pair of criminal complaints for a variety of malicious online activity.

The United States has filed criminal complaints against three Syrian nationals affiliated with the Syrian Electronic Army, a hacker group accused of cyber attacks against the U.S. government and private businesses, the Justice Department has announced. None of the accused currently is in custody.

Two of the individuals listed in the complaints—Ahmad Umar Agha, 22, known as “Th3 Pr0,” and Firas Dardar, 27, known as “The Shadow,” believed to be based in Syria—were charged together with criminal conspiracy relating to engaging in a hoax regarding a terrorist attack; attempting to cause mutiny of the U.S. armed forces; illicit possession of authentication features; access device fraud; unauthorized access to, and damage of, computers; and unlawful access to stored communications.

A third suspect, Peter or Pierre Romar, 36, a Syrian national who now resides in Germany, was charged separately along with Dardar with unauthorized access to and damage of computers, and related extortion activities.

The SEA is a group that supports the regime of Syrian President Bashar al-Assad and has carried out cyber attacks since at least 2011.  

Among many allegations, the three are accused of spear phishing attacks against entities “deemed as having been antagonistic toward the Syrian Government,” the DOJ said. Agha and Dardar attempted to infiltrate the Executive Office of the President, though unsuccessfully, in 2011. They played a role in tweeting in 2013 from a compromised account of a prominent news organization that a bomb had exploded in the White House, injuring the president, according to the complaint. They also allegedly gained access to a Marine Corps recruiting website in 2013 by exploiting credentials after a phishing link was clicked and defaced the website, advising Marines to refuse orders. They also are accused of trying to infiltrate NASA networks by getting employees to click on a phishing link, an attempt that was stopped by NASA’s firewall.

Alleged attacks on non-government organizations include those on Harvard University and a number of U.S. news organizations, including National Public Radio, CNN, The Onion, E Online, the Daily Dot, New York Post, Time magazine, Vice and the New York Times.

The charges are the latest in a growing list filed against alleged hackers from other countries. In October, DOJ unsealed a criminal complaint against a 20-year-old Kosovar named Ardit Ferizi for hacking into computer systems and selling personal information of U.S. soldiers to ISIS. That followed on the indictment in 2014 of Chinese hackers and the recent news that the U.S. could indict Iranians for their efforts in unauthorized access to a New York dam.

The law enforcement approach is just one component of what the U.S. describes as its whole-of-government effort to combat malicious cyber actors. It has also been touted as an effective cyber deterrent element under the guise of naming and shaming adversaries. Part of the idea is that if the anonymity generally enjoyed in cyberspace can be compromised, hackers will discontinue their activity for fear of exposure.

“The indictments had an amazing effect in China, more than we could have hoped for,” James Lewis, director of the strategic technologies program and senior fellow at CSIS, told the Washington Post. “The Chinese hated [the indictments]. They complained about them every time there was a meeting. They said there couldn’t be any progress [in cyber-talks, which the Chinese pulled out of] until the indictments were withdrawn and we promised not to do them again.”

Some, however, are more skeptical of the naming and shaming model. “Shame only works if someone is going to be embarrassed about this,” Fred Kagan, director of the Critical Threats project at the American Enterprise Institute, told The Hill regarding the potential indictment of Iranians. “I think the Iranians are quite proud of this. I would bet you that there are guys in Iran who are high-fiving … getting huge public credit for this.” 

Most recently, SEA was behind the defacement of the Army, U.S. Strategic Command and the Army’s Research, Development and Engineering Command (RDECOM) websites, causing them to briefly go offline.

Agha and Dardar will be added to the FBI’s Cyber Most Wanted list and a reward of $100,000 is being offered for information leading to their arrest.