The American, who identified himself with the pseudonym “Oliver Tucket,” contacted me over the weekend. He shared copies of two Syrian government documents he said he had gleaned from a hacked server. The shy, earnest, clean-cut young professional of about 30 says he doesn't have any specific ties to the Syrian conflict but was upset about the actions of the Syrian government and wanted to embarrass the Assad regime.
Online attacks have become one more front in modern warfare. But the Internet's global reach gives those cyber battles a more freewheeling character than conventional warfare. Smart hackers around the world can insert themselves into volatile situations to embarrass enemies, draw attention to pet causes, or cause mischief.
Tucket says he was surprised at just how weak the Syrian regime's network defenses were. Evidently, as the government has become overwhelmed with the country's raging civil war, network security hasn't been a priority. And with the U.S. government on the brink of launching airstrikes in the country, the security of Syria's IT systems might not be improved any time soon.
The Syrian government has never been great at securing its network. In 2012, Wikileaks released a cache of over 2.4 million e-mails from 680 Syria-related entities or domains including those associated with the ministries of presidential affairs, foreign affairs, finance, information, transport and culture. But the regime does have some hackers in its corner. A group calling itself the Syrian Electronic Army (SEA) has garnered international publicity by targeting news sites (including The Washington Post) and prominent Twitter accounts. On Tuesday, the SEA claimed responsibility for DNS hijacking attacks affecting the New York Times and Twitter Web sites.
Mike Kun, a security engineer with the customer security incident response team at cybersecurity company Akamai, notes the SEA is “pretty successful at what they’re trying to do, which is share their propaganda” using social engineering attacks that target prominent social media accounts. SEA used a compromised Associated Press Twitter handle to tweet false reports of bombings at the White House earlier this year, causing a $136 billion drop in the stock market and a rash of news interest.
Tucket says he's had access to servers associated with the Syrian National Agency for Network Services for more than two months, but the SEA's recent antics drove him to approach The Washington Post. He was irritated by the amount of coverage the SEA received for an attack on The Post Web site, which briefly caused some of the online pages to redirect to a Web site supportive of the Syrian government. Tucket believes the SEA “is obviously an organized group, probably with affiliation to the Syrian government.” But he said he is “not impressed at all” with their hacking ability, which he sees as opportunistic and publicity-seeking.
Tucket also says he was motivated by reports of chemical weapons use and other acts of oppression by the Assad regime and sees his hacking prowess as his “only tool to act against repressive regimes.” Hacktivist group Anonymous claimed similar motivation for their Operation Syria activities in 2011, which took over the Syrian Defense Ministry Web site.
According to Reporters Without Borders, Syria’s Internet is subject to aggressive surveillance, and its “ultra-centralized Internet architecture allows the government to cut off the country from the rest of the world.” There have been several instances of Internet blackouts in Syria during the course of the civil war that reports indicate may have been initiated by the regime.
"They have no idea what is going on"
Tucket says he was active in hacker circles about 10 years ago. Then he more or less "went clean" until two or three months ago, when news about the Middle East pushed him back into his old habits. He started poking around to see if he could gain control of the Syrian top level domain, thinking, “I could start my own .sy domain, and give it to the rebels.”
Before long, he says, he was inside some of the internal networks associated with the government-run telecommunications establishment. From that digital perch, he says, it was obvious “they’re not taking [security] seriously” and “have no idea what is going on in their network.” He reports that much of the email traffic flowing around was not encrypted, and he was able to read messages – including one mentioning the administrative password for one server domain associated with the regime, syrgov.sy.
Tucket took administrative control of the syrgov.sy domain over the weekend. The website that once housed a login page for a Syrian government webmail pilot product started alternately pointing towards The Drudge Report and an Israeli government web portal. The link to Israel is pure trolling—Tucket says he hoped it would be like "a slap in the face" to the Syrian regime. He also changed the mail server associated with the domain to mail.gov.il on Sunday. He later changed it to mail.navy.cn, a mail server of the Chinese navy.
It does not appear that either of these servers was configured to accept email for the domain syrgov.sy, but they may be able to collect IP addresses and the login information from failed attempts to access syrgov.sy mail accounts.
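The mail-server change described above is the kind of thing a domain owner catches with a DNS baseline check: resolve your own domain's MX and A records on a schedule and alert when an answer leaves an allow-list, since clients will keep presenting credentials to whatever host the MX record now names. The Python below is an added example, not code from the article or from anyone mentioned in it; the domain names, addresses and record answers are constructed placeholders, and the resolved records are passed in as strings (in practice they would come from a resolver query).

```python
"""DNS baseline check for a domain you administer (added example).

Compares observed MX and A answers against an allow-list and returns
human-readable findings.  All names and addresses are constructed
placeholders, not values from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    mx_hosts: frozenset  # hostnames permitted to receive mail for the domain
    a_addrs: frozenset   # IPv4 addresses the web host is permitted to resolve to


def normalize_host(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_mx_answers(lines):
    """Parse 'priority host' answer lines (dig-style MX output) into a host set."""
    hosts = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed MX answer: {line!r}")
        priority, host = parts
        int(priority)  # raises ValueError if the priority is not numeric
        hosts.add(normalize_host(host))
    return hosts


def check_records(baseline: Baseline, observed_mx, observed_a):
    """Return a list of findings; an empty list means the records match the baseline."""
    findings = []
    mx_hosts = parse_mx_answers(observed_mx)
    if not mx_hosts:
        findings.append("no MX records returned")
    for host in sorted(mx_hosts - baseline.mx_hosts):
        findings.append(f"unexpected MX host: {host}")
    a_addrs = {addr.strip() for addr in observed_a}
    for addr in sorted(a_addrs - baseline.a_addrs):
        findings.append(f"unexpected A record: {addr}")
    return findings


# Constructed baseline for a hypothetical domain (placeholder values).
BASELINE = Baseline(
    mx_hosts=frozenset({"mail.example-gov.test"}),
    a_addrs=frozenset({"203.0.113.10"}),
)

# Constructed answers: one healthy snapshot, one after an MX/A hijack.
HEALTHY_MX = ["10 mail.example-gov.test."]
HEALTHY_A = ["203.0.113.10"]
HIJACKED_MX = ["10 mail.elsewhere.test."]
HIJACKED_A = ["198.51.100.7"]


def run_checks():
    """Evaluate both constructed snapshots and return their findings."""
    return {
        "healthy": check_records(BASELINE, HEALTHY_MX, HEALTHY_A),
        "hijacked": check_records(BASELINE, HIJACKED_MX, HIJACKED_A),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(label, "->", findings or ["ok"])
```

Run the check from a host outside the domain's own network as well as inside it, because a hijack that only alters what external resolvers see would otherwise go unnoticed.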
Kun, the Akamai security expert, reviewed technical information provided to the Post by Tucket and says that it’s “likely he has compromised the server itself.” Three other security experts consulted by the Post shared his assessment. That suggests Tucket has access to data on the server, control over the websites hosted on it, and the ability to read the emails from and to the server. Tucket appears to have maintained his power over the server for days, although the Syrian government seems to have regained control as of Wednesday morning.
It remains unclear how important a site syrgov.sy is, or if mailboxes related to it remained actively in use up until its compromise. But emails using that domain show up multiple times in the Wikileaks Syrian documents. An "Official SEA" Twitter account responding to taunts from Tucket about the hack claimed "all Syrian government websites" were emptied of important data (presumably after Wikileaks collected and published so much of it).
Tucket provided the Post with two documents as evidence of the significance of activity on the domain and his access to internal networks. One document is an Arabic language review of vulnerabilities in web sites identified by the Syrian National Agency for Network Services’s Information Security Center in the first half of 2013, the other a map of an internal network for the Syrian telecommunications establishment including passwords. Two independent experts who reviewed the documents for The Post on background say they appear legitimate.
Tucket says few people know about his hacking hobby besides his mother and a few close friends, and he is “not worried at all about being traced or tracked” because his “footprint is pretty small.” While his current focus is on Syria, he also says he has successfully dug into a site associated with the Iranian Foreign Ministry within the past few months, as well as domains in China. He says that learning his way around the latter networks is “like learning the Internet all over again.”
He doesn't claim an affiliation with Anonymous or have much to say about Edward Snowden's National Security Agency leaks. But he does see himself as part of a larger movement toward cyber conflict, agreeing that the Internet is the “next battlefield.”
This form of cyber warfare has been drawing concern. Then-U.S. Defense Secretary Leon Panetta warned, perhaps hyperbolically, about the threat of a “cyber Pearl Harbor” last year. And lone wolves like Tucket, hacktivist collectives like SEA and Anonymous, and more organized actors like APT1 (which allegedly has ties to the Chinese government) have all made headlines for major hacking actions in recent months and years.
Kun notes that while Syria is a prime example, across cyberspace “different hackers who have allegiances to different nation states are hacking other ones.”
“Whenever you get people with strong opinions," Kun says, "you get these sort of hacker wars going on where some sides are pushing to do one thing or the other, but they’re all trying to get their message out and get it noticed any way that they can.”
Still, it's important to remember what hackers like Tucket cannot do by Internet. They can't bomb enemy targets, capture and hold territory or repel invading forces.
Tucket himself notes the limitations of his hacking activities in an e-mail. "While this is pale and rather insignificant in comparison to what is happening on the ground in Syria," he writes, "this is my very small contribution to their struggle."