The Syrian Electronic Army topped the news cycle again this week, following takedowns of The New York Times, Twitter, and Huffington Post UK. They’re just the most recent efforts in a long string of high-profile hacks, which targeted the likes of the Associated Press, the Onion, and NPR.
The SEA has said it is waging cyberwar to denounce media coverage of the conflict in Syria they see as being overwhelmingly anti-Assad. But who’s actually running the operation? New evidence indicates that a young Syrian named Hatem Deeb plays a leading role.
While the SEA has conducted a handful of interviews with the media, including with our colleagues at VICE, they have done so anonymously. Their identities have remained secret in all media correspondences, veiled behind user names like TheShadow and ThePro. ThePro, or Th3Pr0, has claimed the mantle of lead hacker, and his identity has so far been under wraps.
The tech press is fond of noting that the SEA has used relatively primitive techniques to execute high-profile hacks. Some experienced hackers and security analysts have called their attacks downright amateur, as some of the group’s Twitter takeovers are the result of old phishing attacks. And they’ve also inadvertently left a digital paper trail that may reveal the identities of their highest profile members. ?
Not long after the AP and Onion hacks, I got in touch with a hacker working in Syria. At the time, he said that the SEA were amateurs, mostly young men in their twenties who lacked computer science or security backgrounds. The hacker—who we’ll call X—was able to glean the SEA’s IP in Damascus, and then he, with the help of a number of other hackers, was able to break his way into the SEA server, X says. They snagged a trove of information from the SEA’s servers: around 140 email addresses, largely Hotmail accounts, all belonging to alleged SEA members.
The crown jewel, however, was the evidence that ThePro is Deeb. Deeb, it turns out, had listed his real name on one crucial document: The receipt for the virtual private server (VPS) he’d rented for the SEA. His listed email address was Admin@ThePro.sy, which is also the address associated with ThePro’s blog. The credit card number he’d used was tied to the name Hatem Deeb.
The pilfered documents show that the owner of the VPS was Hatem Deeb and the exact same username logged into the console as the admin.
Hatem Deeb was listed as the admin at http://www.syrian-es.net/, the Syrian Electronic Army’s website, while it was still hosted in Syria. The servers have since been moved to Russia, but before they were moved, the hacker retrieved Deeb’s admin password information. He also flagged the site’s whois credentials.
Finally, Deeb’s name was released by an SEA-related Twitter account, along with a handful of other names:
ames:
In an email, the Syrian Electronic Army denied that the above tweet contained the names of SEA members:
“It’s old account, and that names were tagged in Victor post… not the names of SEA members lol,” they wrote.
We’ve also reached out to both Deeb and ThePro through various emails asking to confirm that they are one and the same, and have not received a response. We will update if and when we hear back.
Hacker X says he has access to 139 other SEA-related email accounts, and believes he’s figured out a few of the group’s other prominent members’ identities. Motherboard has seen the data dump containing the email accounts, passwords, and account info of these purported SEA members and supporters and verified that they’re Syrian email accounts—many of them Hotmail and Yahoo! accounts.X also sent me to a public Facebook page that he believes is the Hatem Deeb in question. The page is littered with pro-Assad images, including his profile picture, which is a portrait of Maher al-Assad, a Syrian general and commander of the Republican Guard.
As of now, we can’t be 100 percent sure that any of these addresses belong to SEA members. The same potentially goes for Deeb. There’s still the possibility that Deeb itself is an alias, but it’d have to be good enough to fool credit card companies and web registration services. So, as the hacker says, we can be pretty sure this is our guy.
ThePro—presumably Deeb—maintains a personal blog. On his about page, he lists his “best achievements.” He also shouts out Vict0r, which is referenced by the SEA account that tweeted Deeb’s name.
In a previous interview with VICE, ThePro explained how the SEA began.
“The SEA started at the beginning of the Syria crisis. Young Syrians came together to defend their country against a bloody propaganda campaign by media organisations such as Al Jazeera, BBC and France24,” he said. “We’re all Syrian youths who each have our specialised computer skills, such as hacking and graphic design. Our mission is to defend our proud and beloved country Syria against a bloody media war that has been waged against her.”
Even though ThePro says he’s proud to be an Assad hacker, the link between the SEA and the Syrian regime remains nebulous. Some speculate that Assad, who has publicly lauded the efforts of the SEA, is actually providing the outfit with funds. Others argue that their amateur tactics demonstrate that they’re probably a loose-knit group of nationalist hackers acting of their own accord.
Regardless of their origins, an organization that was once derided as amateur is now one of the most-discussed hacker groups in the world. And a 19-year-old who lists his hacking achievements on his blog now appears to be one of the driving forces behind it all.
Update: The Pro has contacted me and denied that he is Hatem Deeb. He says that Deeb is his friend. I asked him if he could prove his identity, and explain why Deeb’s name was on the documents. He responded by saying that while Deeb’s name is on the domain registration for the SEA site, Deeb isn’t a member of SEA.
“Do you think that i’m stupid to gave you a verification about my actual identity?” he wrote.
“Anyway Hatem is my friend (Friend of SEA), and he is not SEA member, he had some connection to SCS so his name appear on the domain whois instead of our real names.”
Even if the SEA’s claims are to be believed, it marks the first time that the organization has admitted the identity of someone heavily involved in its operations—they are essentially confirming that Deeb purchased the server for the SEA to use, and that he registered their site. Even if he is not ThePro—though considerable evidence suggests he is—the fact that Hatem Deeb has played a crucial role in the SEA is now all but impossible to deny.
Update #2: Security expert Brian Krebs has published a report that examines the digital origins of SEA, identifies another one of its key architects as Mohammed Osman, and confirms some of the details about Deeb put forward above.
Update #3: We’ve discovered another Facebook profile for a Hatem Deeb, which hosts multiple pro-SEA images and currently “likes” the SEA’s Facebook page. This Deeb also lives in Russia, where the SEA’s servers are currently located. We’ve removed the photo from the first profile, as we’re no longer certain that it is of the Deeb in question. Regardless, the SEA has not refuted the evidence that Deeb paid for the SEA’s servers, nor his connection to ThePro’s now defunct blog. I contacted our source for comment, and he maintains that his evidence is strong enough to show that Deeb is ThePro. He also reiterated that ThePro was the only admin on the server billed to Deeb, which is proof that Deeb has a leadership role in the SEA.
We have changed our headline to reflect the newfound uncertainty of the hacker’s age.
motherboard.vice.com