FBI Identifies, Charges Alleged Syrian Electronic Army Hackers

If you can find the two suspects in Syria, it'll pay you $200,000

(Illustration: Diana Quach)
Mar 22, 2016 at 7:43 PM ET

Almost three years after hijacking the Twitter accounts of some of the biggest news organizations in the world, the Syrian Electronic Army hacking group has finally been charged by the FBI.

Three alleged members of the SEA, a group with loose ties to the Syrian government and which pledges explicit loyalty to President Bashar al-Assad, have been charged with a litany of computer crimes and money laundering. Two in particular, Ahmad Umar Agha, 22, and Firas Dardar, 27, have been charged with attempting to cause mutiny of the U.S. armed forces. Another, Peter Romar, 36, has been charged with multiple conspiracies related to extortion and money laundering. In 2013, the SEA defaced the Marines website with messages like “Marines, please take a look at what your comrades think about Obama’s alliance with Al Qaeda against Syria. Your officer in charge probably has no qualms about sending you to die against soldiers just like you.”

The FBI has also added Agha and Dardar to its “Cyber’s Most Wanted” list, a list of its top 10 targets for computer-related crimes, and has offered $100,000 for information that directly leads to the arrest of either.

During a months-long spree in 2013, the SEA took over the social media accounts of a host of media outlets, including those belonging to NPR, the Guardian, the BBC and Al Jazeera. As a rule, they gained access via relatively unsophisticated attacks, accomplished by tricking an employee of each organization with a spear phishing tactic: sending them a fake email that appears to be from a colleague, with a link that asks users to share their login information. The group wreaked the most havoc on April 23, 2013, when it assumed control of the Associated Press’s main Twitter account and posted “Breaking: Two Explosions in the White House and Barack Obama is injured.” Though the AP quickly regained control, the stock market dropped sharply, if temporarily, a fact the SEA celebrated as a victory.

Later that year, according to FBI testimony included in the complaint against Dardar and Romar, the group moved to quieter but richer targets, convincing Web companies they’d been hacked and demanding a ransom. They were skilled at convincing website administrators to pay up, the FBI said, but heavy sanctions against wiring money to Syria hampered their ability to collect.

Romar, the FBI says, resides in Germany, while Agha and Dardar are still in Syria.

Vocativ reached out to four SEA email addresses that were active during the group’s heyday. Two accounts are no longer active. The other two, which reference Agha and Dardar’s respective nicknames of “The Pro” and “The Shadow,” did not respond to requests for comment. Another email address, believed to belong to Romar, also did not respond.