The Washington PostDemocracy Dies in Darkness

U.S. charges three suspected Syrian Electronic Army hackers

(Photo illustration by Kacper Pempel/Reuters)

The U.S. government has brought criminal charges against three alleged members of the Syrian Electronic Army — a hacking group that supports embattled Syrian President Bashar al-Assad — for a years-long campaign of digital attacks. One of them is now in German custody.

The charges against 22-year-old Ahmad Umar Agha, also known as “The Pro” online; 27-year-old Firas Dardar, whose online name is “The Shadow”; and 36-year-old Peter Romar, known by the alias Pierre Romar, were unsealed Tuesday.

Agha and Dardar were charged with a criminal conspiracy in relation to a string of attacks targeting media companies, as well as various government agencies.

The pair allegedly deployed phishing techniques to trick people into handing over log-in information to their email or other official accounts, according to the complaint. Typically, the hackers would send an email to a target that was designed to look as if it came from a trusted source. When a victim clicked through a link in the email, they would be directed to a site requesting their credentials that appeared legitimate, but was in fact controlled by the Syrian Electronic Army.

If a target fell for the fake login page, the group would use the stolen credentials to help gain access to websites and social media accounts they would then deface with messages in support of the Assad regime.

Although the techniques were not highly sophisticated, they caused disruptions for some media organizations and showed how even moderately skilled hackers can take advantage of victims.

“This is yet another law enforcement win that [shows] no one is above the law, but these are not major criminals that were posing a threat to the United States,” said Dmitri Alperovitch, cofounder of CrowdStrike, a cybersecurity firm.

Starting in 2011, the conspiracy allegedly attempted to use those tactics to break into accounts and systems related to the executive office of the president but it was unsuccessful. And later attacks targeting NASA employees were stymied by the agency’s security systems, according to the complaint.

But the Syrian Electronic Army had more luck with news outlets. In one memorable 2013 hack, the Syrian Electronic Army took over the Associated Press’s Twitter account, sending out a message that falsely claimed that there was an explosion at the White House and that President Obama was injured. The hoax briefly caused a $136 billion dip in the stock market.

Later that year, the group also compromised Outbrain, a content recommendation service then used by outlets including The Washington Post, CNN and Time — causing some pages to redirect to sites promoting the Syrian Electronic Army.

Agha and Dardar, both of whom are thought to be in Syria, have been placed on the FBI's “Cyber Most Wanted” list. The agency is offering $100,000 rewards for information leading to their arrests, according to a Justice Department press release.

Romar and Dardar were separately charged with conspiracies connected to a hacking-related extortion scheme: They would infiltrate victims’ computers and networks and then effectively ransom them — at times, invoking their connection to the Syrian Electronic Army to intimidate victims, according to the government’s complaint. If sanctions or other international agreements blocked a victim from sending money to Dardar in Syria, Romar — who resided in Germany — would help funnel the funds to him, according to the complaint.

Romar was arrested in Germany and the Justice Department is seeking his extradition, said U.S. officials, who spoke on the condition of anonymity to discuss a pending investigation.

“The Justice Department will seek to bring Romar to justice here in the United States,” said a department spokesman.

The government says the alleged extortion plot shows the often blurry line between politically motivated hacks and more traditional cybercrime.

"The Syrian Electronic Army publicly claims that its hacking activities are conducted in support of the embattled regime of Syrian President Bashar al-Assad,” said John Carlin, U.S. Assistant Attorney General for national security.

"While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world," he said.