ETDA ThaiCERT
Report
Search
Home > List all groups > Syrian Electronic Army (SEA), Deadeye Jackal

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Syrian Electronic Army (SEA), Deadeye Jackal

NamesSyrian Electronic Army (self given)
Syria Malware Team (self give)
Deadeye Jackal (CrowdStrike)
ATK 196 (Thales)
TAG-CT2 (?)
CountrySyria Syria
MotivationInformation theft and espionage
First seen2011
Description(Qihoo 360) In April 2011, only days after anti-regime protests escalated in Syria, Syrian Electronic Army (SEA) emerged on Facebook to support the government’s Syrian President Bashar al-Assad. In May 5, 2011 the Syrian Computer Society registered SEA’s website (syrian-es.com). Because Syria's domain registration authority registered the hacker site, some security experts have written that the group was supervised by the Syrian state. SEA claimed on its webpage to be no official entity, but 'a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria'. As soon as May 27, 2011 SEA had removed text that denied it was an official entity. On the new page, the description of 'not an official entity' was removed, only says that it was established by a group of young Syrian enthusiasts to combat the use of the Internet, especially people that use of Facebook in Syria to 'spread hatred' and 'destroy peace'.

The Syrian Electronic Army uses spam, website defacement, malware, phishing and denial of service attacks against political opposition groups, Western news agencies, human rights groups and seemingly neutral websites for Syrian conflicts. It also attacked government websites in the Middle East and Europe as well as US defense contractors. The Syrian Electronic Army is the first Arab organization to set up a public Internet army on its national network to openly launch cyber-attacks on its enemies.

Syrian Electronic Army has 2 subgroups:
1. Subgroup: Goldmouse, APT-C-27
2. Subgroup: Pat Bear, APT-C-37
ObservedSectors: Defense, Government, High-Tech, Media, Retail, Telecommunications and dissidents.
Countries: Canada, France, UK, USA and Middle East.
Tools usedAndoServer, SandroRAT, SilverHawk, SLRat, SpyNote RAT.
Operations performedMid 2016In recent years, the group has seemingly kept a low profile, but the SEA hasn't ceased activity: it's altered tactics and is now delivering custom Android malware to opponents of the Assad regime for the purposes of surveillance.
<https://www.zdnet.com/article/these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government/>
Jan 2018Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors, which recently started using the novel coronavirus as its newest lure to entice its targets to download malware.
<https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures>
Counter operationsMay 2018Two Members of Syrian Electronic Army Indicted for Conspiracy
<https://www.justice.gov/usao-edva/pr/two-members-syrian-electronic-army-indicted-conspiracy>
Information<http://blogs.360.cn/post/SEA_role_influence_cyberattacks.html>
<https://en.wikipedia.org/wiki/Syrian_Electronic_Army>

Last change to this card: 20 April 2020

Download this actor card in PDF or JSON format

Previous: Sweed
Next: Subgroup: Goldmouse, APT-C-27

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key