In Syria, the crackdown on the streets has been mirrored by tumult on Facebook. Pages supporting the protesters have been hacked, and a shadowy group calling itself the Syrian Electronic Army has used Facebook to coordinate its attacks.
Helmi Noman, a researcher with the OpenNet Initiative, has been monitoring the Syrian Electronic Army. He told IEEE Spectrum that he first noticed the group on Facebook a few weeks ago (its profile image is pictured), and he has been watching since then as the group stages attacks and opens new channels of communication. The group recently started a website, a Twitter feed, and a YouTube channel.
Noman says the Syrian Electronic Army claims to be a volunteer, civilian effort. "The group says on its Web site that it is not an 'official entity' but rather a group of young people who love Syria and want to serve the country by 'attacking back those who have attacked Syria,'" says Noman.
Hacking the Revolution
On Facebook, the group has played a cat-and-mouse game with site administrators. According to Noman, the group has created 11 pages thus far, opening a new page each time Facebook shuts one down. (As of this writing, version 11 is up and running.) Noman says the earliest versions of the group's page directed followers to file-sharing websites where they could download DDoS and hacking software applications, and encouraged them to hack oppositional Facebook pages and websites.
Presumably, Facebook has been shutting down the Syrian Electronic Army's pages because the group violates terms of service--it used the pages to engage in unlawful and malicious behavior, namely hacking. We asked Facebook to comment on this situation, but got no reply to our inquiries.
One Facebook page that was hacked in the last few weeks, Noman says, is titled Syrian Revolution 2011 (its profile pic is at right). It's not clear whether the Syrian Electronic Army had a role in that hack, but the attack did get a lot of attention. In a blog post for OpenNet Initiative, Noman writes about an editorial in a Syrian government newspaper that complained about Facebook's disparate treatment of the Electronic Army's page and the dissident page:
The editorial also accused [Facebook] of having double standards because it allegedly shut down pages belonging to the Syrian Electronic Army without any justification or prior notice. The paper added that Facebook has restored a page for the “so called Syrian revolution after it was hacked and deleted by a Syrian University engineering student.”
Speaking to Oprah Fans
The Syrian Electronic Army also encourages its followers to spread the governmental love via Facebook. As Noman told IEEE Spectrum: "The group calls its members to collectively write pro-Syrian regime comments on popular Facebook pages such as that of Oprah Winfrey 'as a way to reach out to, and influence the American public opinion.'"
Yep, you read that right. Even the Syrian Electronic Army wants to get on Oprah. Judging from the current state of Oprah's page, that mission may have come to a close, but here's a screenshot of a typical comment on her wall from a few weeks back:
Last week the army appears to have moved on to the European Parliament's Facebook page. The page's administrators declared that they had been hit by a massive spam attack, which further annoyed the army's followers:
Messing With Random British Towns
As if all that activity wasn't enough, the Syrian Electronic Army has reportedly moved its mischief beyond Facebook and into the wider Web.
The YouTube video below, which Noman says was made by the Syrian Electronic Army, documents the hacking and defacement of several British towns' websites. How and why the hackers targeted the Royal Leamington Spa Town Council and the Bournemouth & Poole Borough Council may remain one of the mysteries of our age.
The Syrian Electronic Army may not be the only pro-government faction meddling with Facebook's operations in Syria. In early May, mysterious forces staged a man-in-the-middle attack, where Facebook users who attempted to log in to their accounts were redirected to a fake Facebook login page. This allowed the attackers to harvest logins and passwords, giving them the ability to monitor and control those accounts. The attack targeted Facebook's encrypted HTTPS version, and made use of forged security certificates.
The Facebook users who first publicized this attack believed that it was carried out by the Syrian Telecom Ministry, but there has been no confirmation of that. Peter Eckersley of the Electronic Frontier Foundation noted in a blog post that the attack was easy to spot, and seemed like an amateur attempt.
The attack is not extremely sophisticated: the certificate is invalid in users' browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account.