The Syrian Electronic Army (SEA; ar, الجيش السوري الإلكتروني) is a group of computer hackers which first surfaced online in 2011 to support the government of
Syria Syria ( ar, سُورِيَا, ''Sūriyā''), officially the Syrian Arab Republic ( ar, ٱلْجُمْهُورِيَّةُ ٱلْعَرَبِيَّةُ ٱلسُّورِيَّةُ, al-Jumhūrīyah al-ʻArabīyah as-Sūrīyah), is a country in ...
n President
Bashar al-Assad
Bashar al-Assad
. Using
spamming An email inbox containing a large amount of spam messages Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising Advertising is a marke ...
, website defacement,
malware Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network A computer network is a group of computers that use a set of common communicatio ...
phishing Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and ...
, and
denial-of-service attack In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes and development of both computer hardware , hardware and soft ...
s, it has targeted terrorist organizations, political opposition groups, western news outlets, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the
Middle East The Middle East is a list of transcontinental countries, transcontinental region in Afro-Eurasia which generally includes Western Asia (except for Transcaucasia), all of Egypt (mostly in North Africa), and Turkey (East Thrace, partly in So ...

Middle East
and Europe, as well as US defense contractors. the SEA has been "the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies". The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear.

Origins and historical context

In the 1990s Syrian President
Bashar al-Assad
Bashar al-Assad
headed the Syrian Computer Society, which is connected to the SEA, according to research by University of Toronto and University of Cambridge, UK. There is evidence that a Syrian Malware Team goes as far back as January 1, 2011. In February 2011, after years of Internet censorship, Syrian censors lifted a ban on Facebook and YouTube. In April 2011, only days after anti-regime protests escalated in Syria, Syrian Electronic Army emerged on Facebook. On May 5, 2011 the Syrian Computer Society registered SEA’s website (syrian-es.com). Because Syria's domain registration authority registered the hacker site, some security experts have written that the group was supervised by the Syrian state. SEA claimed on its webpage to be no official entity, but "a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria". As soon as May 27, 2011 SEA had removed text that denied it was an official entity. One commentator has noted that "[SEA] volunteers might include Syrian diaspora; some of their hacks have used colloquial English and Reddit memes. According to a 2014 report by security company Intelcrawler, SEA activity has shown links with "officials in Syria, Iran, Lebanon and Hezbollah." A February 2015 article by ''The New York Times'' stated that "American intelligence officials" suspect the SEA is "actually Iranian". However, no data has shown a link between Iran's and Syria's cyber attack patterns according to an analysis of "open-source intelligence" by cyber security firm Recorded Future.

Online activities

SEA has pursued activities in three key areas: *Website defacement and electronic surveillance against Syrian rebels and other opposition: The SEA has carried out surveillance to discover the identities and location of Syrian rebels, using
malware Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network A computer network is a group of computers that use a set of common communicatio ...
(including the Blackworm tool),
phishing Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and ...
, and denial of service attacks. this electronic monitoring has extended to foreign aid workers. *Defacement attacks against Western websites that it contends spread news hostile to the Syrian government: These have included news websites such as BBC News, the Associated Press, National Public Radio, CBC News, Al Jazeera, ''Financial Times'', ''The Daily Telegraph'', ''The Washington Post'', Syrian satellite broadcaster Orient TV, and Dubai-based al-Arabia TV,"Syrian Electronic Army: Disruptive Attacks and Hyped Targets"
OpenNet Initiative, 25 June 2011
as well as rights organizations such as Human Rights Watch. SEA targets include VoIP apps, such as Viber and Tango (software), Tango. *Spamming popular Facebook pages with pro-regime comments: The Facebook pages of President Barack Obama and former French President Nicolas Sarkozy have been targeted by such spam campaigns.Sarah Fowle
"Who is the Syrian Electronic Army?"
BBC News, 25 April 2013
*Global cyber espionage: "technology and media companies, allied military procurement officers, List of US defense contractors, US defense contractors, and foreign attaches and embassies". The SEA's tone and style vary from the serious and openly political to ironic statements intended as critical or pointed humor: SEA had "Exclusive: Terror is striking the #USA and #Obama is Shamelessly in Bed with Al-Qaeda" tweeted from the Twitter account of ''60 Minutes'', and in July 2012 posted "Do you think Saudi and Qatar should keep funding armed gangs in Syria in order to topple the government? #Syria," from Al Jazeera's Twitter account before the message was removed. In another attack, members of SEA used the BBC Weather Channel Twitter account to post the headline, "Saudi weather station down due to head on-collision with camel." After ''Washington Post'' reporter Max Fisher called their jokes unfunny, one hacker associated with the group told a ''Vice (magazine), Vice'' interview 'haters gonna hate.'"

Operating system

On 31 October 2014, the SEA released a Linux distribution named SEANux.

Timeline of notable attacks

;2011 * July 2011: University of California Los Angeles website defaced by SEA hacker "The Pro". * September 2011: Harvard University website defaced in what was called the work of a "sophisticated group or individual". The Harvard homepage was replaced with an image of Syrian president Bashar al-Assad with the message "Syrian Electronic Army Were Here". ;2012 * April 2012: The official blog of social media website LinkedIn was redirected to a site supporting Bashar al-Assad. * August 2012: The Twitter account of the Reuters news agency sent 22 tweets with false information on the conflict in Syria. The Reuters news website was compromised, and posted a false report about the conflict to a journalist's blog. ;2013 * 20 April 2013: The Team Gamerfood homepage was defaced."Team Gamerfood website defaced by SEA
, ''TeamGamerfood.com'', 20 April 2013
* 23 April 2013: The Associated Press Twitter account falsely claimed the White House had been bombed and President Barack Obama injured. This led to a US$136.5 billion decline in value of the S&P 500 the same day.Spillus, Ale
"Who is the Syrian Electronic Army?"
''The Telegraph'', 24 April 2013
* May 2013: The Twitter account of ''The Onion'' was compromised by
phishing Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and ...
Google Apps accounts of ''The Onion''s employees."How the Syrian Electronic Army Hacked The Onion
, Tech Team, ''The Onion'', 8 May 2013
* 24 May 2013: The ITV News London Twitter account was hacked. *On 26 May 2013: the Android applications of British broadcaster Sky News were hacked on Google Play Store. * 17 July 2013: Truecaller servers were hacked into by the Syrian Electronic Army. The group claimed on its Twitter handle to have recovered 459 GiBs of database, primarily due to an older version of WordPress installed on the servers. The hackers released Truecaller's alleged database host ID, username, and password via another tweet. On 18 July 2013, TrueCaller confirmed on its blog that only their website was hacked, but claimed that the attack did not disclose any passwords or credit card information. * 23 July 2013: Viber servers were hacked, the support website replaced with a message and a supposed screenshot of data that was obtained during the intrusion. * 15 August 2013: Advertising service Outbrain suffered a spearphishing attack and SEA placed redirects into the websites of The Washington Post, Time, and CNN. * 27 August 2013: NYTimes.com had its DNS redirected to a page that displayed the message "Hacked by SEA" and Twitter's domain registrar was changed. * 28 August 2013: Twitter's DNS registration showed the SEA as its Admin and Tech contacts, and some users reported that the site's Cascading Style Sheets (CSS) had been compromised. * 29–30 August 2013: ''The New York Times'', ''The Huffington Post'', and Twitter were knocked down by the SEA. A person claiming to speak for the group stepped forward to tie these attacks to the increasing likelihood of U.S military action in response to al-Assad using chemical weapons. A self-described operative of the SEA told ABC News in an e-mail exchange: "When we hacked media we do not destroy the site but only publish on it if possible, or publish an article [that] contains the truth of what is happening in Syria. ... So if the USA launch attack on Syria we may use methods of causing harm, both for the U.S. economy or other." * 2–3 September 2013: Pro-Syria hackers broke into the Internet recruiting site for the US Marine Corps, posting a message that urged US soldiers to refuse orders if Washington decides to launch a strike against the Syrian government. The site, www.marines.com, was paralyzed for several hours and redirected to a seven-sentence message "delivered by SEA". * 30 September 2013: The Global Post's official Twitter account and website were hacked. SEA posted through their Twitter account, "Think twice before you publish untrusted informations ''[sic]'' about Syrian Electronic Army" and "This time we hacked your website and your Twitter account, the next time you will start searching for new job" * 28 October 2013: By gaining access to the Gmail account of an Organizing for Action staffer, the SEA altered shortened URLs on President Obama's Facebook and Twitter accounts to point to a 24-minute pro-government video on YouTube. * 9 November 2013: SEA hacked the website of VICE, a no-affiliate news/documentary/blog website, which has filmed numerous times in Syria with the side of the Rebel forces. Logging into vice.com redirected to what appeared to be the SEA homepage. * 12 November 2013: SEA hacked the Facebook page of Matthew VanDyke, a 2011 Libyan Civil War, Libyan Civil War veteran and pro-rebel news reporter. ;2014 * 1 January 2014: SEA hacked Skype's Facebook, Twitter and blog, posting an SEA related picture and telling users not to use Microsoft's e-mail service Outlook.com —formerly known as Hotmail—claiming that Microsoft sells user information to the government. * 11 January 2014: SEA hacked the Xbox Support Twitter pages and directed tweets to the group's website. * 22 January 2014: SEA hacked the official Microsoft Office Blog, posting several images and tweeted about the attack. * 23 January 2014: CNN's HURACAN CAMPEÓN 2014 official Twitter account showed two messages, including a photo of the Syrian Flag composed of binary code. CNN removed the Tweets within 10 minutes. * 3 February 2014: SEA hacked the websites of eBay and PayPal UK. One source reported the hackers said it was just for show and that they took no data. * 6 February 2014: SEA hacked the DNS of Facebook. Sources said the registrant contact details were restored and Facebook confirmed that no traffic to the website was hijacked, and that no users of the social network were affected. * 14 February 2014: SEA hacked the Forbes website and their Twitter accounts. * 26 April 2014: SEA hacked the information security-related RSA Conference website. * 18 June 2014: SEA hacked the websites of British newspapers ''The Sun (United Kingdom)'' and ''The Sunday Times''. * 22 June 2014: The Reuters website was hacked a second time and showed a SEA message condemning Reuters for "publishing false articles about Syria". Hackers compromised the website, corrupting ads served by Taboola. * 27 November 2014: SEA hacked hundreds of sites through hijacking Gigya's comment system of prominent websites, displaying a message "You've been hacked by the Syrian Electronic Army(SEA)." Affected websites included the ''Aberdeen Evening Express'', Logitech, Forbes, ''The Independent'' UK Magazine, ''London Evening Standard'', ''The Daily Telegraph, The Telegraph'', NBC, the National Hockey League, Finishline.com, PCH.com, Time Out New York and t3.com (a tech website), stv.com, Walmart Canada, PacSun, ''Mail Online, Daily Mail'' websites, bikeradar.com (cycling website), SparkNotes, millionshort.com, Milenio.com, Mediotiempo.com, Todobebe.com and myrecipes.com, Biz Day SA, BDlive South Africa, muscleandfitness.com, and CBC News. ;2015 * 21 January 2015: French newspaper ''Le Monde'' wrote that SEA hackers "managed to infiltrate our publishing tool before launching a denial of service". ;2018 *17 May 2018: Two suspects were indicted by the United States for "conspiracy" for hacking several US websites.

See also

* Advanced persistent threat * Hacktivism * Internet censorship in Syria * PLA Unit 61398 * Tailored Access Operations


External links

old accountYoutube ChannelPinterest profile of the Syrian Electronic ArmyVK profile of the Syrian Electronic Army
syrianelectronicarmy.com, first SEA website
which was later redirected to its .sy replacement
SEA's newer website, which SEA started in late May 2013; it has its access revoked by the Syrian Computer Society (site displays blank loading page on browser, and widget returns "ERROR 403: Forbidden" as of August 2013)
The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army
Helmi Noman, May 30, 2011, published by Information Warfare Monitor, a public-private partnership between University of Ottawa and Secdev Group, including screenshots of SEA activities. *
google cache of an SEA website
mentioned in Information Warfare Monitor report citing syrian.es.sy@gmail.com as a contact address and links to a Facebook page called SEA.Vic0r.2 a
Vict0r Battalion - Syrian Electronic Army
The page is no longer available as of September 2013.
Understanding the Syrian Electronic Army (SEA)
HP-Security Research Blog
Syrian Cyber Hackers Charged - Two From ‘Syrian Electronic Army’ Added to Cyber’s Most Wanted
(FBI) {{Hacking in the 2010s Organizations of the Syrian civil war Paramilitary organizations based in Syria Cyberwarfare Hacker groups Information operations and warfare Propaganda organizations Saboteurs