Posts Tagged: Syrian Computer Society

Aug 13

Who Built the Syrian Electronic Army?

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria — Network Solutions LLC. and its parent firm had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA.

At the time, the SEA had a majority of its sites hosted at Internet addresses belonging to the Syrian Computer Society, an organization considered to have been a precursor to the SEA and one that was previously headed by Syrian President Bashar al-Assad. Following the domain seizures, the SEA was forced to find new homes for their domains. Soon enough, the group moved its domains and to a host in Russia (no doubt adding further chill to already frigid US-Russia relations vis-a-vis Syria).

Sometime during that transition period, the SEA’s main Web site got hacked. As in…completely owned. According to one confidential source, the attacker(s) gained access to the virtual servers that hosted the SEA’s site and downloaded the entire user database for and Shockingly (or perhaps less so for many security researchers who’ve dismissed the SEA as mostly a group of tenacious but relatively unskilled hackers), many of the top members re-used the passwords they picked for their accounts at their Hotmail, MSN and Outlook email accounts.

A snippet from the hacked database from

A snippet from the hacked database from In the third column are plain-text passwords.

In nearly any dump of a Web site user database, it’s generally safe to assume that the first few users listed are founders and administrators of the site. In the hacked database, for example, we can see that the first two usernames in the table are “admin” and “admin2.” Admin2’s email address is listed as The last entry in the database is April 19, 2013, just a few days after began seizing domain names in its stable with the “.sy” designation.

A Google search on that email address reveals its ties to the SEA, and shows that the account was in 2010 tied to a now-abandoned user named “SyRiAn_34G13” (leet-speak for “Syrian Eagle”). A reverse WHOIS search at on the address shows that it was used in Feb. 2011 to register a site called is no longer active (perhaps because it was hacked and defaced in May 2012 by other script kiddies), but thanks to the Wayback Machine at the indispensable Internet Archive, we can see the site lists as its creator a 23-year-old “virtuoso web designer” named Mohammed from Damascus, Syria. Mohammed says he is a senior front end developer at a firm in Damascus called Flex Solutions. Mohammed reveals that his last name is “Osman” when he links to his Facebook and DeviantART accounts, as well as his Gmail address ( That same Gmail account is also used for another account in the database: يوزر – which Google translates to “Yoezer”  “User” and used the password “963100”.

Continue reading →

May 13

Trade Sanctions Cited in Hundreds of Syrian Domain Seizures

In apparent observation of international trade sanctions against Syria, a U.S. firm that ranks as the world’s fourth-largest domain name registrar has seized hundreds of domains belonging to various Syrian entities, including a prominent Syrian hacker group and sites associated with the regime of Syrian President Bashar al-Assad.

The Syrian Electron Army complains about its domain seizures. Source: HP

The Syrian Electron Army complains about its domain seizures, saying Network Solutions cited trade sanctions against Syria. Source: HP

Network Solutions LLC. and its parent firm — Jacksonville, Fla. based — have assumed control over more than 700 domains that were being used mostly for sites hosted in Damascus. The seizures all occurred within a three- to four-day period in mid-April.

The apparently coordinated action ended with each of the site’s registration records being changed to include’s Florida address, as well as the notation “OFAC Holding.”

OFAC is short for the Office of Foreign Assets Control, an office of the U.S. Treasury Department‘s  Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces U.S. economic trade sanctions against targeted foreign countries, including Syria. declined to say whether it had coordinated the seizures or why it may have done so. “We do not comment publicly about specific accounts so we cannot provide details about the websites or domains mentioned in your inquiry,” the company said in an emailed statement.  “However, you should know that we cooperate with law enforcement and regulators in order to prevent illegal activity online and take the necessary steps to be in compliance with applicable laws and regulations.”

Under a series of executive orders, U.S. businesses are prohibited from selling goods and services into Syria. While there are a number of exceptions — referred to as “general licenses” in OFAC-speak — domain hosting and registration services are not among them. Although the general licenses permit services that are designed for personal communications, the provision of Web hosting and domain name registration is specifically called out in Treasury regulations (PDF) as not authorized under general licenses.

A spokesman for the Treasury Department said OFAC had not contacted either or Network Solutions regarding these Web sites.

“OFAC has offered a general license authorizing the  export of certain services for the exchange of personal communications over the Internet, such as instant messaging, chat and email, so that these sanctions don’t have the inadvertent effect of cutting the Syrian people off from the rest of the world,” said John Sullivan, spokesman for the Treasury Department’s Terrorism and Financial Intelligence division. “But the [general license] that allows for that does not authorize the exportation of Web hosting or registration services, so those could be subject to enforcement actions under our Syrian sanctions program.”

The domain seizures came to my attention after reading a report produced last month by HP‘s security and research team, which noted that individuals associated with a pro-Assad hacker group known as Syrian Electronic Army were complaining that NetworkSolutions had seized their domains, including and

A reverse WHOIS report ordered from produced this list (PDF) of some 708 Syrian domains recently shuttered and assigned an “OFAC” designation by According to historic Web hosting records also maintained by, the vast majority of the 700+ domains were hosted at Internet addresses assigned to the Syrian Computer Society (SCS). Interestingly, prior to assuming the presidency, Syria’s Assad was president of the SCS, a group now widely believed to have been a precursor to the Syrian Electronic Army.

Continue reading →