Is Bashar al-Assad’s Army of Hackers Gone for Good?

Another pro-Assad cyber group may emerge, but it will be unlikely to develop the capabilities and sophistication of the original Syrian Electronic Army.

In April 2013, pro-Assad online activists from Syria hacked into the Twitter account of the Associated Press and tweeted about a fake explosion at the White House that supposedly injured President Barack Obama, leading the U.S. stock market to temporarily dip by $136 billion. This elite hacker unit of Syrian regime loyalists—known as the Syrian Electronic Army (SEA) and possibly funded by Rami Makhlouf, Bashar al-Assad’s billionaire cousin—also targeted Harvard University, the U.S. Marine Corps, Human Rights Watch, and other national news outlets in separate cyberattacks. 

From 2011 to 2014, the SEA carried out an extremely active cyber campaign aimed at disseminating pro-Assad propaganda and defacing websites that were hostile to the Syrian dictatorship. However, after 2014, the SEA became much less active, even going silent on its social media pages. For example, the official SEA Twitter page has not been updated since 2015, while its YouTube page has been dormant for more than eight years. News reports of SEA-claimed hacks have also been few and far between in recent years. The SEA’s rapid downturn in cyber activity is startling, given the fact that the hacker group was once considered one of the more sophisticated international hacker groups and was routinely mentioned in international news headlines. So, what happened to the SEA?

The U.S. government’s success in slowly dismantling the group is one of the main reasons for the SEA’s relative inactivity. In 2014, Peter Romar, a Syrian national and member of the SEA living in Germany, was extradited from Germany to the United States, eventually pleading guilty in 2016 to felony charges of cybercriminal activity. The FBI put two other SEA members, Firas Dardar and Amad Umar Agha, on its most wanted cybercriminals list in 2016. In a 2016 statement about the group, U.S. assistant attorney general for national security John Carlin said, “While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world.” Moreover, the U.S. intelligence community has done an outstanding job of actively pursuing the SEA and revealing the seriousness of its cybercriminal activity. A second reason for the SEA’s decline is the simple fact that global geopolitics have changed significantly since 2014, with the Syrian Civil War no longer at the forefront of great power politics.

It has long been suspected that the SEA has links to the Iranian and Russian governments. In 2013, former CIA and NSA chief Gen. Michael Hayden said that the SEA “is an extension of the Iranian state,” adding later that year that the SEA “sounds like an Iranian proxy.” In its early years, the SEA launched amateur cyberattacks on vulnerable, low-security websites. However, after 2012, the SEA’s technical capabilities greatly expanded, and the group started to conduct complex cyberattacks against high-security websites. Western cybersecurity specialists and intelligence experts attribute the SEA’s increased sophistication to Iranian cyber training and guidance. The SEA is just one group in the expansive network of pro-Tehran Islamist hacker groups that Iran has cultivated across the region.

As the SEA is under the cyber guardianship of Iran, Tehran is largely able to dictate the actions of the group. For instance, in October 2015—around the time that the SEA became much less active in cyberspace—Iran entered into multilateral talks with the U.S. government aimed at resolving the Syrian Civil War. Given the SEA’s destabilizing role, Tehran may have sidelined the group in order to establish a permanent seat in the Syrian peace talks alongside representatives of Russia, Saudi Arabia, the United States, and Turkey.

In addition to the significant support the SEA has received from Tehran, the group has also been assisted by Russia, a key ally of the Assad regime. The SEA’s servers are based in Russia, and the Guardian noted in April 2013 that the group may have received “sporadic technical assistance from Russia.” However, Moscow’s recent focus on Ukraine and NATO has pushed Syria to the margins of Russian foreign policy. Considering the massive international pressure Moscow is facing in the wake of its invasion of Ukraine, it is unlikely that Russia’s security services will resume technical assistance for pro-Assad hackers.

Recent events involving Rami Makhlouf, the SEA’s primary financial backer and a cousin of Assad, make it even less likely that the SEA will be resurrected in its original form. According to testimonies from Syrian opposition activists and a former SEA member, Makhlouf largely bankrolled the hacker group out of his company’s headquarters in Dubai, giving members up to $1,000 for each successful cyberattack on Western financial and political institutions. But in the spring of 2020, Makhlouf had a falling out with Assad and began criticizing the regime on social media. While theories about what caused the rift in Syria’s ruling family are still circulating, the split may nevertheless be another reason why the SEA has essentially dissolved.

It is probable that another pro-Assad cyber group will emerge in the near future, but it will be unlikely to develop the capabilities and sophistication of the original SEA. As the geopolitical situation and internal regime dynamics have changed in Syria, the prospects for a Syrian cyber group as powerful as the SEA once was have diminished. However, given the recent tensions between the United States and Iran, Tehran may turn to its Shia cyber proxies to restart cyber operations against American and Israeli targets. While the SEA of the early 2010s may be a thing of the past, it is essential that the United States keeps a close eye on Iranian cyber partnerships in the Middle East and beyond.

Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK.
