Hunting for Syrian Hackers' Chain of Command
It's the question of the moment inside the murky realm of cybersecurity: Just who - or what - is the Syrian Electronic Army?

The Syrian Electronic Army claimed responsibility for hacking The Financial Times on Friday.
The hacking group that calls itself the S.E.A. struck again on Friday, this time breaking into the Twitter accounts and blog headlines of The Financial Times. The attack was part of a crusade that has targeted dozens of media outlets as varied as The Associated Press and The Onion, the parody news site.
But just who is behind the S.E.A.'s cybervandalism remains a mystery. Paralleling the group's boisterous, pro-Syrian government activity has been a much quieter Internet surveillance campaign aimed at revealing the identities, activities and whereabouts of the Syrian rebels fighting the government of President Bashar al-Assad.
Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers. It's a high-stakes search. If researchers prove the Assad regime is closely tied to the group, foreign governments may choose to respond because the attacks have real-world consequences. The S.E.A. nearly crashed the stock market, for example, by planting false tales of White House explosions in a recent hijacking of The A.P.'s Twitter feed.
The mystery is made more curious by the belief among researchers that the hackers currently parading as the S.E.A. are not the same people who started the pro-Assad campaign two years ago.
Experts say the Assad regime benefits from the ambiguity. "They have created extra space between themselves and international law and international opinion," said James A. Lewis, a security expert with the Center for Strategic and International Studies.
The S.E.A. emerged during the Syrian uprisings in May 2011, they said, to offer a pro-Assad counternarrative to news coming out of Syria. In speeches, Mr. Assad likened the S.E.A. to the government's own online security corps, referring to the group as "a real army in a virtual reality."
In its early incarnation, researchers said, the S.E.A. had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers. Several early members belonged to the Syrian Computer Society, a technical organization run by Mr. Assad before he became president. Until last month, digital records suggest, the Syrian Computer Society still ran much of the S.E.A.'s infrastructure. In April, a raid of S.E.A. Web domains revealed that the majority were still registered to the society.
S.E.A. members initially created pro-Assad Facebook pages and spammed popular pages like President Obama's and Oprah Winfrey's with pro-Syrian comments. But by the fall of 2011, S.E.A. activities had become more premeditated. They defaced prominent Web sites like Harvard University's with pro-Assad messages, in an attack a spokesman characterized as sophisticated.
At some point, the S.E.A.'s crucial players disappeared and a second crop of hackers took over. The current group consists of roughly a dozen new actors led by hackers who call themselves "Th3 Pr0" and "The Shadow" and function more like Anonymous, the loose hacking collective, than a state-sponsored brigade. In interviews, people who now identify as the S.E.A. insist they operate independently from the Assad regime. But researchers who have been following the group's digital trail aren't convinced.
"The opportunity for collaboration between the S.E.A. and regime is clear, but what is missing is proof," said Jacob West, a chief technology officer at Hewlett-Packard. As governments consider stronger responses to malicious cyberactivity, Mr. West said, "the motivation for Syria to maintain plausible deniability is very, very real."
Long before the S.E.A.'s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like "Dark Comet" and "BlackShades" sending information back to a Syrian state-owned telecommunications company. The software - which tracked a target's location, read e-mails and logged keystrokes - disguised itself as an encryption service for Skype, a program used by many Syrian activists.
Mr. Marquis-Boire has uncovered more than 200 Internet Protocol addresses running the spyware. Some were among the few kept online last week during an Internet disruption in Syria that the government blamed on a "technical malfunction," but experts described as a systematic government shutdown.
This article has been revised to reflect the following correction:
Correction: May 17, 2013
An earlier version of this article based on previous reporting referred incorrectly to a representative of The Financial Times, Ryann Gastwirth. She is a spokeswoman, not a spokesman.
A version of this article appeared in print on May 18, 2013, on page B1 of the New York edition with the headline: Hunting for Syrian Hackers' Chain of Command.