On Friday, the Syrian Electronic Army, a hacker group that supports the regime of Syrian President Bashar al-Assad, continued its pattern of attacking major western media companies. This time, they hacked Vice.com, removing several copies of an article about the SEA and posting a message revealing the reason for the attack.
The SEA tweeted a screenshot of what appears to be Vice’s content management system as proof of the hack. The name of a U.K.-based Web developer is easily identifiable in the image. The SEA later confirmed to The Daily Dot that the developer’s account had been compromised and used to gain access to the site.
The message the SEA added to the site, titled “Syrian Electronic Army Was Here,” was accessible for over an hour before it was taken down. It alluded to an article published in August by Senior Editor Brian Merchant, which allegedly revealed the identity of an SEA ringleader. Immediately after Merchant’s article was published, the SEA threatened to take down Vice’s website.
Obviously, the hackers weren’t bluffing.
The SEA has repeatedly claimed that the person Merchant named isn’t part of their group, just a close friend who at some point had registered domains on their behalf. At the time, Merchant’s article was controversial—naming a member of the SEA, some argued, would mark that person for assassination by the Free Syrian Army.
The SEA had routinely targeted the websites and social media accounts of corporate news agencies, but these actions were viewed by many as hacktivism--embarrassing for the companies whose accounts were compromised, but not particularly harmful. After hacking the Twitter account of the Associated Press, the SEA used the account to fabricate news about an explosion at the White House that injured President Obama. High-frequency trading bots reacted to the false news, causing a short-lived $136 billion drop in the Dow Jones.
During a separate Vice interview with the SEA, published concurrently with Merchant’s article, the hackers admitted for the first time that they were operating on behalf of the Syrian government. According to Th3Pr0—the hacker who claimed responsibility for hacking Vice—the websites Viber.com, Tango.me, and TrueCaller.com were all hacked, and information about their users was provided to the Assad regime.
By publicly admitting its affiliation with the Assad regime, the SEA acknowledged its departure from the sphere of hacktivism and into the realm of military intelligence. According to Th3Pr0, the SEA targeted websites used by “terrorists” (a term frequently used by the group to describe members of the Free Syrian Army) and identified these individuals to the Assad government in the midst of a civil war.
But the three websites the SEA named are not used exclusively by Syrians. If he hacker’s claims are legitimate, information identifying citizens of foreign nations may have been also delivered to the Assad regime. The following week, the FBI placed the SEA on an unclassified advisory list.
Following the attack against Vice's website, the Daily Dot spoke to a member of the SEA on Twitter, in English and without the help of a translator.
According to the hacker, a version of Merchant’s article was still visible, but he claimed, “It will be down if they cleared the website cache.” At time of writing, the article was still available.
Asked to confirm that they had compromised the email account of a U.K. Web developer who worked for Vice, they responded, “Emails, not just one email. One of them belong to a developer of the website and he have full access to it.”
When asked if their response indicated that they had compromised multiple accounts, they responded, “True.”
According to E Hacking News, the SEA also claims to have hacked into Vice’s account on Mailchimp, a service used to manage email lists, and sent mail to approximately 33,000 subscribers. It wasn’t clear if this was a massive phishing attempt or if the email was used solely for propaganda purposes.
A statement by the SEA indicates that the Vice website may have been compromised as early as two months ago. When asked why they didn’t immediately hack the site following the publication of Merchant’s article, the SEA replied, “We did hacked them when they published the article, but they were aware, that's why we postpone the attack. We were watching them.”
When pressed for a more specific timeline of when the actual hack took place, the SEA told the Daily Dot, “2 days after they published the article.”
Screengrab via Vice (remix by Fernando Alfonso III)