The Syrian Electronic Army has made quite a name for itself over the last year. Browse The New Yorker‘s list of its hacks and you can see why. Targets have included a dozen of the world’s best-known media brands — from The Washington Post and The Guardian to Al Jazeera, the BBC, CNN and even The Onion — with steadily increasing technical sophistication and impact.
The media notices when the media itself is the target.
The latest attack was on the New York Times this week, via a security breach at Australian company Melbourne IT. Taking over a media organisation’s Twitter account or temporarily defacing a website isn’t anything new. We’ve seen all that from Anonymous, LulzSec and a bunch of less well-known predecessors. But what the SEA has brought to the table is discipline of a kind that merits the label “army”, rather than “hacktivist” or “collective”.
The SEA has focused on a clear mission: to support embattled Syrian President Bashar al-Assad — and of course it seems to have support from his regime.
The SEA has chosen targets strategically: Western media outlets to grab attention; online tools used by elements the SEA sees as rebels, to disrupt their communications; and, it’s believed, many targets within Syria that outsiders simply aren’t aware of.
The SEA is steadily improved its techniques, and attacks have moved beyond mere website defacements and propaganda tweets. When the SEA took over the Associated Press Twitter feed in April, it issued a false report of explosions at the White House injuring President Barack Obama — causing the Dow Jones to drop 150 points. That could have been engineered into a massive sharemarket fraud, had such a thing been planned in advance. One day it surely will be.
And this week the SEA hit The New York Times — not directly, but by manipulating some of the third-party infrastructure the Times site relies upon. It was down for hours. Given The New York Times Media Group’s annual revenue of a shade under US$1.6 billion, the financial impact must surely be measured in the millions.
The Times‘ chief information officer has characterised that infrastructure attack as “like breaking into Fort Knox”. It isn’t really. Sure, service providers such as domain name registrar Melbourne IT do take security seriously. But if someone logs in with a valid username and password, that person will gain control — and tricking someone into handing over the password (or infecting a computer so you can log every keystroke someone types and learn it that way) through a spearphishing attack targeted at specific individuals is all too easy.
“Will attackers continue to focus on enterprise and government targets, or … focus on the myriad soft targets of individuals?”
But what is clever is choosing to attack via infrastructure providers, because that opens up the potential to disrupt many more organisations at once.
Over the last two years, we’ve heard all about the “cyber-espionage” threat, particularly in relation to a large east Asian nation — slow, covert operations that attempt to avoid detection. We know they’re happening, although there’s still some disagreement about the scope.
We’ve also heard about “cyber-warfare” operations that might take out critical infrastructure such as electricity grids, transport or military targets. We know “cyber-weapons” are being developed, although there’s still some disagreement about their potential effectiveness. We’ve also seen the rise of well-organised transnational cybercrime.
What the SEA represents is something that we haven’t seen before — at least not with this scale and scope — and that’s an overt, coherently run operation that blends propaganda and disruption for political aims. Something well short of warfare, but that’s still “politics by other means” and that causes real pain. And the SEA is probably a mere precursor to much better-funded, more sophisticated and far more dangerous groups to come — run by or in support of national-scale organisations, or maybe something else.
In Sydney last week, IT research and advisory firm Gartner presented its five-year vision for the future of global information security — four potential scenarios that might or might not unfold.
Will attackers continue to focus on enterprise and government targets, or will the development of cheap, automated hacking tools lead them to focus on the myriad soft targets of individuals? Will the defensive response be driven in a centralised, monolithic way, or will it be more fragmented, in a community or even tribal fashion?
The resulting scenarios, Gartner says, range from a massively increased surveillance society cracking down on a criminalised underground “darknet” to a chaotic global battle between self-forming cyber-militias and extreme anarcho-hacktivist groups that governments simply can’t control, and others.
Whichever way things go, one underlying fact will always be true. In the US, there are already more than 100 university degree-level courses in “white hat” hacking techniques, funded by the National Security Agency and the Department of Homeland Security. Similar programs operate in the UK. In Israel, every high school student will get cyber-security training before their compulsory military service. China is also a major player.
Even if 90% of all these professionally trained hackers continue to wear a white hat, it’s clear that there’ll still be plenty of scope for complex global mischief. This is only the beginning.