A Syrian national affiliated with the notorious Syrian Electronic Army hacking group has pleaded guilty in a US court to charges of conspiring to hack into computers and extort money.
37-year-old Peter Romar, who was extradited to the United States from his home in Waltershausen, Germany, appears to have played an important role in the operations of the pro-Assad hacking group.
Between July 2013 and December 2014, the Syrian Electronic Army engaged in a criminal scheme where it hacked into the computer systems of US and international companies, stole information, and then attempted to extort large sums of money.
Typically, the attacks would begin with a carefully crafted phishing email designed to steal the login credentials of an employee at the targeted organisation.
If the theft of a user's password was successful, the attackers would then use those credentials to access the business's computer systems, sometimes compromising its social media accounts, defacing websites, meddling with DNS records, or launching further phishing attacks.
Victims included the International Business Times, The Guardian, The Telegraph, and the Washington Post, amongst many others.
According to documents filed in a US court, alleged Syrian Electronic Army member Firas Dardar, known online as "The Shadow", is said to have demanded more than $500,000 from up to 14 victims.
However, The Shadow had a problem. He was based in Syria, which meant that sanctions in place by the United States and other countries presented difficulties in transferring funds to his bank account.
Romar, who was based outside of Syria and had reached out to the Syrian Electronic Army via Facebook, had no such difficulties - and offered his services.
Communicating with victim corporations from his Gmail address ([email protected]), Romar even responded to some corporate victims' requests for a signed contract to process the payment by sending them his signature, address and - yes - a scanned image of his German passport.
During a subsequent investigation, a court-authorised search warrant of Romar's Gmail address quickly uncovered multiple emails containing scans of his German passport, photograph, job applications, and outgoing correspondence signed under his own name.
In addition, conversations were found between Romar and The Shadow, both on Gmail and when Romar's Facebook account was legally searched.
For a group that liked to boast about its hacking prowess, the members of the Syrian Electronic Army appeared to be making little effort to cover their tracks and true identities.
Assistant Attorney General for National Security John P. Carlin had this to say after Romar's court appearance:
"Today’s guilty plea is by the latest international offender who believed that he could operate from abroad, behind the perceived veil of anonymity offered by the Internet, and use computers to threaten the security of our citizens and their property. It shows that the Department of Justice and the FBI stand behind their pledge to hold accountable foreign actors who assist in the hacking of U.S. victims."
According to Carlin, the Syrian Electronic Army may have presented itself as hacking in support of President Assad's Syrian regime, but the reality was that on occasion it was extorting money for itself:
"While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world. The allegations in the complaint demonstrate that the line between ordinary criminal hackers and potential national security threats is increasingly blurry."
Co-defendant Firas Dardar remains at large despite being put on the FBI Cyber's Most Wanted List earlier this year.
Romar is scheduled to be sentenced on October 21 and could face up to five years imprisonment.
How should companies better protect themselves?
It's clear that the fundamental reason the Syrian Electronic Army was able to gain unauthorised access to computer systems was a failure in authentication. In a nutshell, the computer systems did not check that the users logging in were really who they claimed to be.
For that reason, life would have been much harder for the hackers (and they may have moved on to find softer targets) if two-factor authentication (2FA) had been in place.
If you are a company that allows staff to remotely access systems such as email or a web content management system, you should be seriously considering implementing 2FA to reduce the chances of you being the next organisation to be hacked.
2FA can't stop your users from being phished, or passwords being stolen, or even your staff unwisely using the same passwords in multiple places. But it can make a difference - because if you have 2FA in place, the password alone won't be enough for the attackers to gain access to your systems.
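To make that last point concrete, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code as specified in RFC 6238. The user store, username, password and salt are constructed for illustration; the TOTP secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC's published values.

```python
import hashlib
import hmac
import struct
import time

# Constructed example user store (not from the article): a PBKDF2 password
# hash plus the shared TOTP secret. The secret is the RFC 6238 test-vector
# key so the generated codes match the RFC's published values.
SALT = b"constructed-demo-salt"
TOTP_SECRET = b"12345678901234567890"

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"reporter": {"pw": pw_hash("correct horse battery staple"),
                      "totp_secret": TOTP_SECRET}}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, timestamp // step, digits)

def login(username: str, password: str, otp, now=None, window: int = 1) -> bool:
    """Accept only when BOTH factors verify: a phished password alone is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(pw_hash(password), user["pw"])
    ts = int(time.time()) if now is None else now
    counter = ts // 30
    otp_ok = False
    if otp is not None:
        # Tolerate one time step of clock drift either side, comparing in constant time.
        for c in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(user["totp_secret"], c), otp):
                otp_ok = True
    # Both checks always run, so the response does not reveal which factor failed.
    return pw_ok and otp_ok

if __name__ == "__main__":
    print(login("reporter", "correct horse battery staple", None, now=59))  # False
    print(login("reporter", "correct horse battery staple", totp(TOTP_SECRET, 59), now=59))  # True
```

With the correct password but no code (the situation a successful phish leaves the attacker in) the check fails; only password plus a current code succeeds.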
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.