Naked Security Naked Security

FBI adds two Syrian Electronic Army hackers to Cyber Most Wanted list

"The Pro" and "The Shadow" may have been stealthy spearphishers, but they left a clear digital trail on Facebook and Gmail.

The Syrian Electronic Army (SEA) is famous for spearphishing well-known brands and news outlets.

Over the past 5 years, the group has launched attacks against targets including the White House, Harvard University, Reuters, the Associated Press, NASA, CNN, Time, the Washington Post, The Onion and Microsoft, among others.

The SEA’s attacks have included compromising the Twitter account of the Associated Press in April 2013, to post a bogus tweet that the White House had been bombed and that President Barack Obama had been injured.

That hack resulted in a short-lived but perilous dip in the stock market, to the tune of $136 billion.

Experts at spearphishing they may be, but they weren’t particularly good at covering their tracks on Facebook or Google, it turns out.

That’s how investigators know the names of the three men they filed charges against on Tuesday.

They are Ahmad Umar Agha, 22, of Damascus, Syria; Firas Dardar, 27, of Homs, Syria, and Peter Romar, 36, of Walterhausen, Germany.

The FBI on Tuesday added two of them – Agha and Dardar, both believed to be in Syria – to its “Cyber Most Wanted” list and put a price tag of $100,000 on each of their heads, payable to whoever can provide information that leads to their arrest.

As IntelCrawler detailed in a report on the SEA, Agha – who has allegedly used the aliases The Pro and Th3Pr0 – is “one of the most aggressive and experienced members in SEA,” responsible for the majority of past hacks, and is “one of the more stealth members.”

He’s allegedly behind the first ever SEA attack: the defacement of the University of California’s website in July 2011.

Stealth he may be, but according to IntelCrawler, “The Pro” “unknowingly and carelessly” let slip on his Google Plus page that he worked at the SEA.

The report details a long digital trail left by the alleged hackers as they communicated via Google, Facebook, LinkedIn and other online services.

Because of that digital trail, investigators also traced Dardar, who was allegedly known online as “The Shadow.” The Feds claim that starting in 2013, Dardar worked with Peter “Pierre” Romar on an extortion scheme targeting US businesses.

According to the complaint, the pair would hack into the victims’ computers and then threaten to damage computers, and delete or sell the data unless they were paid a ransom.

The Washington Post on Tuesday cited US officials who said that Romar was arrested in Germany. The Department of Justice is seeking to extradite him.

The US has issued arrest warrants for the two men it’s placed on its Cyber Most Wanted list: “The Pro” and “The Shadow.”

Assistant Attorney General for National Security John Carlin said in a statement that the conspirators’ extortion schemes undermine their own claims of working for a noble cause – to support the embattled regime of their president.

While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world.

Image of Agha and Dardar courtesy of FBI Most Wanted