How the infamous hacking group compromised the email accounts of several high-profile Syrian dissidents, including a rebel General.
On November 19, 2013, Dan Layman was on the phone with the FBI when he received a weird email.
"We are watching you," read a message from the fake address firstname.lastname@example.org. "No one will help you. You are all going down."
Layman had just been hacked.
As it turns out, Layman was just one of the victims of an espionage campaign led by the Syrian Electronic Army (SEA), the infamous hacking group that has breached companies such as Microsoft, the Associated Press, CNN, and others.
The hacking campaign, launched at the end of 2013 but kept secret until now, hit various high-profile people in the Syrian opposition, including people in Syria, such as Salim Idris, a former army general who became the chief of staff of the Supreme Military Council (SMC) of the Free Syrian Army.
The group claims to have hacked seven people during the operation. Thanks to screenshots shared by the SEA and interviews with the victims, Motherboard has been able to confirm that at least three of them were effectively compromised. But there's a chance more also fell victim to the operation.
While the SEA has largely collected headlines for run-of-the-mill hacks on media companies, the email hacking campaign lends credence to the long-held theory that the SEA acted as spying group for the government of Syrian President Bashar al-Assad.
"If this is correct, it nuances the picture about how the SEA's activities have diversified," John Scott-Railton, a researcher at the Citizen Lab in Toronto who's done extensive research regarding cybersecurity in Syria, told Motherboard. "At various times they might have been quietly hacking to collect information in the service of the regime."
Layman can't remember how it happened. Perhaps he clicked a phishing email, or perhaps he got tricked by a spoofed login page. A member of the SEA told Motherboard that they simply bruteforced Layman's "easy and weak" passwords.
Either way, the SEA had control of his email account.
As the spokesperson of the Syrian Support Group (SSG), a high profile US-based advocacy group that supported the country's main rebel force, the Free Syrian Army, Layman was a great jumping point to try to hack other more high-value targets. (The SSG shut down in the summer of 2014.)
The SEA had control of his email account.
Indeed, the hackers were using his account to try to get into some of his colleagues' accounts, sending phishing messages that had a higher chance of being successful since they came from Layman's real address.
Layman, however, says that other than him, no one else at the SSG got compromised.
"They're blowing smoke up your ass," he told me.
But evidence obtained by Motherboard suggests otherwise, and it's possible other members of SSG fell victims to the SEA too.
Either way, by gaining access to Idris and other dissidents' email accounts, the hackers were able to see their correspondence, and collect potentially valuable intelligence.
Motherboard has reviewed a series of screenshots of some of the information that the SEA claims to have gathered from the dissidents' email accounts.
Some of it appears to be sensitive, such as a photo of Idris's passport, or the names of SSG collaborators in Syria. There are also exchanges with government officials, such as an email with several US State Department members, or an email discussion with a UK Foreign and Commonwealth Office representative about negotiations regarding military assistance. Other stuff seems more innocent, like press releases or emails discussing well-known legislative proposals in the US.
"We were watching their moves. And what they were planning."
"We were watching their moves," an SEA member known as Th3 Pr0 told Motherboard. "And what they were planning."
Th3 Pr0 said that they passed on all the intelligence they were able to gather to the Syrian government through "a channel." The hacker wasn't able to specify any interesting data he and his group collected—"I don't remember, really," he said—but he claimed to have pilfered "several military plans."
None of the screenshots and documents Th3 Pr0 shared with Motherboard prove conclusively that the group obtained military secrets, but it seems that they got their hands on some sensitive communications.
Last week, I showed Layman an email exchange between Mazen Asbahi, another alleged victim who was the president of the SSG, and four State Department officials. The email was a request for gear and equipment to be sent to the Syrian rebels, and also included a list of the supplies in an attached PDF.
"[That's] a little spooky," he told Motherboard. "That was sensitive information."
Layman said that by accessing his email account alone, the SEA potentially got their hands on information such as SSG project proposals, or details on shipments of equipment to Syria, including their recipients and routes, potentially giving the Syrian government a chance to disrupt or intercept them.
However, Layman added, no one "would have been put in danger."
But more in general, Layman said, the SEA "would've known the things that we know."
Louay Almokdad, the former spokesperson for the Free Syrian Army, confirmed to Motherboard that both he and Idris were among the victims of the SEA hacking operations. Almokdad, however, denied that the hackers got anything useful out of it.
"There is nothing sensitive in the mails. Nothing at all."
"It's all lies," he said in a phone interview from Istanbul, Turkey. "There is nothing sensitive in the mails. Nothing at all."
"If the story is just that they succeeded in hacking Salim Idris's email?" he added, laughing, "We'll give them bonus. Bravo!"
Th3 Pr0 explained that using Almokdad's email, they successfully phished Idris, and showed screenshots of Idris's Yahoo email account, and even shared his purported password.
Another person that the SEA claimed to hack is Oubab Khalil, the chief of staff for the Syrian Opposition Coalition's office in Washington, DC.
"I have not known about this before, that's like the first time [I've heard] about this," Khalil told Motherboard when he learned about the SEA's allegations. Yet he seemed unfazed.
"If they have access, they have access." he said. "I'm one of the people that usually—usually—doesn't do anything that sensitive through their emails."
The SEA claims to have also hacked into the email accounts of Louay Sakka, founder of the SSG; Mazen Asbahi, the former president of the SSG; and Oubai Shahbandar, a former Pentagon analyst and an advisor to the Syrian Opposition Coalition.
Other than the obvious prize of Idris's email address, it's Shahbandar that the hackers were happier to hit, because, as Th3 Pr0 claimed, "he is an American agent." When asked what he meant by that, Th3 Pr0 simply sent a series of military (.mil) email addresses purporting to belong to Shahbandar.
"He used all of them, and redirect some emails from them to his Gmail account," Th3 Pr0 said.
But Shahbandar told Motherboard that his email was never compromised, and when I told him about the military email addresses, he said, "Amusing, for Iranian lap dogs to cast that stone."
Shahbandar declined to elaborate, but he was probably referring to rumors that the SEA has been founded, and perhaps even funded, by Iran.
Other than the hacks of Layman, Idris, and Almokdad, Motherboard wasn't able to confirm whether anyone else got compromised, given that some of the screenshots the SEA showed could have been fabricated.
"Amusing, for Iranian lap dogs to cast that stone."
Yet it's possible that after compromising Layman, the SEA was able to trick someone else, perhaps some of the victim's contacts, into clicking on a phishing link.
Layman said the SEA had access to his account only for around six hours. But that's more than enough time to download all the account's old emails, which was the SEA modus operandi. Once they had access to the account, they'd use the email client Thunderbird to login and download all the emails to their computers, Th3 Pr0 said.
That's also enough time to send out a lot of phishing emails, though at that point Layman was trying to warn others of the hack and telling them not to click on any link.
"We're being full on hacked here," Layman wrote in an email (pictured above) to 12 of his colleagues.
The email, which Layman confirmed to be true, shows hints of how the SEA hacked him and perhaps others. In the message, Layman referred to a phishing email "appearing to be" from him, containing what looked like a YouTube link, and also said that the SEA may have compromised the computer of another member of the SSG, this one living in Syria. (We're withholding his name to protect his identity.)
"Again, do not open that link," Layman wrote. "These Abna2 Aklab in SEA have finally found us!" ("Abna2 Aklab" is a transliterated reference to an Arabic expression that means "sons of dogs.")
"We're being full on hacked here. [...] The SEA have finally found us!"
In the following months after he was able to regain control of his account, Layman said, he was extra cautious when sending emails to his colleagues. For example, when he sent a link, he used to also text the person to verify that the email wasn't a phishing attempt from the SEA.
"That was our standard operating procedure for a couple of months after to make sure we wouldn't get hacked again," he said.
But at that point, according to Layman, the SEA never successfully hit back. They did try, as evidenced by a series of screenshots that Layman shared with Motherboard, such as the one below.
Th3 Pr0, however, claims that they kept access to the victim's email accounts for a long time, from a couple of months for two of the targets to a year and a half in the case of Idris. The hacker, however, wasn't able to provide any evidence to back up this claim. And Almokdad denied that the breach on his account and that on Idris lasted that long.
Regardless, even if they only gained access for a short time, these hacks are a victory for the SEA in the propaganda war that runs parallel to the bloody conflict in Syria. Even if they didn't get any real, damaging intelligence out of it, this operation shows that Syrian dissidents should be careful when using online communications.
"The same tools that empower communications, are also an Achilles heel for security."
"If true, these claims highlight the ease with which attackers have used social engineering against the opposition since the beginning of the conflict," said Scott-Railton, the Citizen Lab researcher. "It is a reminder of the vulnerabilities faced by a geographically distributed opposition movement that is so dependent on commercial and free communications products."
In other words, the internet and social media, which for some were supposed to be a tool for overthrowing dictators, were exploited by hackers at the service of those very same dictators.
"The same tools that empower communications," he added, "are also an Achilles heel for security."