The high-profile Web site defacement and hacker group known as the Syrian Electronic Army (SEA) continues to deny that its own Web server was hacked, even as gigabytes of data apparently seized during the compromise leaked onto the Deep Web this weekend.
Following a string of high profile attacks that compromised the Web sites of The New York Times and The Washington Post among others, many publications have sought to discover and spotlight the identities of core SEA members. On Wednesday, this blog published information from a confidential source who said that the SEA’s Web site was hacked and completely compromised in April 2013. That post referenced just a snippet of name and password data allegedly taken from the SEA’s site, including several credential pairs that appeared tied to a Syrian Web developer who worked with the SEA.
The SEA — through its Twitter accounts — variously denounced claims of the hack as a fraud or as a propaganda stunt by U.S. intelligence agencies aimed at discrediting the hacker group.
“We can guarantee our website has never been hacked, those who claim to have hacked it should publish their evidence. Don’t hold your breath,” members of the group told Mashable in an interview published on Friday. “In any case we do not have any sensitive or personal data on a public server. We are a distributed group, most of what we have and need is on our own machines and we collaborate on IRC.”
In apparent response to that challenge, a huge collection of data purportedly directly taken from the SEA’s server in April 2013 — including all of the the leaked credentials I saw earlier — was leaked today to Deep Web sites on Tor, an anonymity network. Visiting the leak site, known as a “hidden service,” is not possible directly via the regular Internet, but instead requires the use of the Tor Browser.
Among the leaked screen shots at the hidden Web site include numerous apparent snapshots of the SEA’s internal blog infrastructure, the Parallels virtual private server that powered for its syrian-es[dot]com Web site, as well as what are claimed to be dozens of credential pairs for various SEA member Twitter and LinkedIn accounts.
News of the archive leak to the Deep Web was first published by the French publication reflects.info (warning: some of the images published at that link may be graphic in nature). As detailed by the French site, the leak archive includes hundreds of working usernames and passwords to various Hotmail, Outlook and Gmail accounts, as well as more than six gigabytes of email messages downloaded from those accounts.
SEA LEADERS IDENTIFIED?
One of the more interesting screen shots in the leak archive is an image showing the email address listed in the “contact email” field of the back-end administration page for syrian-es[dot]com: The email listed — “email@example.com” — appears to dovetail with a name mentioned in multiple recent media reports about the identities of the alleged SEA ringleaders.
On Thursday, Vice.com published a story linking a top SEA member — who uses the screen name Th3Pr0 — to a Syrian named Hatem Deeb. Vice published a picture from a Facebook account thought to belong to Deeb, but later removed that photo, saying it had information suggesting that Deeb was in fact another Syrian native who currently resides in St. Petersburg, Russia.
On Friday evening, NBC News unearthed a 2011 story published by a Syrian government-run newpaper al-Wenda, which identified and praised the leaders of the SEA. The al-Wenda piece specifically praised Deeb as a teenager, and as a “founding member” of the SEA. Another student, Ali Farha was later mentioned in another Syrian publication as the “manager” of the SEA website. Interestingly, Farha’s purported Facebook page indicates that he and Deeb are roughly the same age and attended the same technical school in western Syria — the University of Kalamoom.
Also reportedly leaked are the entire contents of the SEA web site’s core server, including a file showing a history of all text commands entered by administrators of the site over several months in 2013. A review of those commands suggest that SEA administrators made frequent use of imo.im, a Web-based instant messaging program.
The history file and other documents also indicate that the SEA administrators routinely blocked specific Internet addresses from being able to load or access all or portions of their site. In addition, it shows that administrators also specifically whitelisted several Internet properties (addresses expressly allowed to access the site); among those were a number of Tor anonymizers, as well as several sites in Jordan, including the Ministry of Higher Education division of Saudi Arabian Cultural Mission in Jordan.
Declining to address the voluminous evidence of a site compromise, the SEA’s account on Twitter dismissed these latest revelations as proof of nothing.
“Publishing fake screenshots and hacking randomly pro-Syria people unfortunately don’t prove anything ”, the group retorted.