Two hackers who promoted the Syrian government by compromising media coverage were indicted Thursday in Alexandria federal court on 11 counts of wire fraud and aggravated identity theft.
Ahmad Umar Agha, known online as “The Pro,” and Firas Dardar, known as “The Shadow,” are still at large, believed to be in Syria. A co-conspirator, Peter Romar, was extradited from Germany and pleaded guilty in 2016.
All three were charged by criminal complaint two years ago with carrying out online attacks in support of Syrian President Bashar al-Assad. But the indictment, which comes as the statute of limitations for some of their alleged crimes nears, lays out the case in more detail.
The group was most active from 2011 to 2013. According to prosecutors, Dardar and Agha used phishing techniques, sending targets emails designed to look as if they came from trusted sources. A link in the email would lead to a seemingly legitimate site that would capture the target’s log-in credentials for internal websites and social media accounts.
If the trick worked, the two allegedly would then deface those pages with messages in support of the Assad regime, often using juvenile insults and memes.
Employees of The Washington Post, CNN, the Associated Press, NPR, the Onion, Human Rights Watch, NASA, Microsoft and the Executive Office of the President all clicked on links in spear-phishing emails.
Once they had gotten access to an email account of one member of the media, the hackers would use it to send phishing emails to other reporters.
The hackers were also able to leverage hacks of third-party Web services companies to disrupt access to The Post, the New York Times, Marines.com and HuffPost UK. For instance, access to a domain registration website let the hackers redirect traffic intended for the New York Times, Marines.com and HuffPost UK, authorities said. And links from a content recommendation service sent readers to Syrian Electronic Army websites rather than Washington Post, CNN or Time articles.
Other victims included the New York Post, Reuters, Time, USA Today and the Daily Dot.
Although the tactics were not very sophisticated, the intrusions caused upheaval at media organizations and confusion among readers. When the Syrian pair took over the AP’s Twitter account in 2013 and falsely claimed that President Barack Obama had been injured by a bombing attack at the White House, the stock market briefly nose-dived.
At NASA and the office of the president, the attacks were rebuffed.
Romar admitted to helping pass money on to Agha and Dardar from Germany, where he lived. He was sentenced only to time served awaiting judgment.