The FBI has added the Syrian Electronic Army to its Cyber's Most Wanted list, placing Ahmad Umar Agha (Th3Pr0) and Firas Dardar (th3shad0w) in the top two slots.
A third person, Peter "Pierre" Romar, was also charged alongside the others. The U.S. District Court of the Eastern District of Virginia has issued arrest warrants for all three defendants.
Agha and Dardar were charged with criminal conspiracy relating to: engaging in a hoax regarding a terrorist attack; attempting to cause mutiny of the U.S. armed forces; illicit possession of authentication features; access device fraud; unauthorized access to, and damage of, computers; and unlawful access to stored communications.
Romar faces similar charges.
In a press release, the U.S. Department of Justice summarized the complaint:
"The conspiracy was dedicated to spear-phishing and compromising the computer systems of the U.S. government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government. When the conspiracy’s spear-phishing efforts were successful, Agha and Dardar would allegedly use stolen usernames and passwords to deface websites, redirect domains to sites controlled or utilized by the conspiracy, steal email and hijack social media accounts."
Romar acted as a middleman in some cases, helping extortion victims funnel money to Dardar in order to avoid problems paying a Syrian bank due to regulatory sanctions.
The pro-Assad group has used their attacks against the White House, the Associated Press, CBS News, the Guardian, the New York Times, MelbourneIT, and others to spread propaganda for the Syrian leader and for personal gain.
Their methods are simple, social engineering mostly, but once they have a foothold within an organization, they are capable of wreaking havoc.
Here at Salted Hash, there's a personal tie to the group, because IDG was one of the few reported attacks by the SEA that failed.
In 2014, the SEA attempted to target IDG over a negative opinion piece that was slated to run. We fully documented the attack, and investigated the phishing attempts to such a degree that we discovered the staging servers and additional victims.
A full account of the SEA's attack against IDG can be viewed here. A few days after that story ran, we published a follow-up once Th3Pr0 started to make threats. Since then, no further attacks have been detected.
While adding the most public members of the group to the Most Wanted list is a big step for the FBI, the members of the group remain at large in Syria. The odds of them being arrested and shipped to the United States for trial are slim at best, and that's unfortunate.