3 accused Syrian Electronic Army hackers face U.S. charges
Ahmad Umar Agha, Firas Dardar, and Pierre Romar have not yet been arrested
Three current or former members of the so-called Syrian Electronic Army have been charged with computer hacking-related conspiracies that targeted the U.S. government, media and private-sector companies, the Justice Department announced Wednesday.
The criminal charges against three Syrians were unsealed on Tuesday in U.S. Eastern District Court of Virginia. None are in custody.
Prosecutors allege that Ahmad Umar Agha, 22, and Firas Dardar, 27, tricked email users into revealing their usernames and passwords to compromise domestic and international computer systems from 2011 through 2014. They used a common technique known as spear-phishing, in which they forged convincing-looking emails baiting the recipient to click on an included link and reveal their passwords.
The government said Agha, known online as "Th3 Pr0," and Dardar, known as "The Shadow," are members of the special operations division of the Syrian Electronic Army, a group of hackers responsible for computer intrusions intended to punish perceived detractors of Syrian President Bashar al-Assad and publish pro-Assad propaganda.
A $100,000 reward is being offered for information leading to their arrests and they're believed to be in Syria.
In April 2013, they allegedly sent a tweet from the Associated Press account on Twitter falsely claiming a bomb had exploded at the White House and injured the president. The message caused the stock market to dip significantly before the tweet was quickly determined to be a hoax.
They allegedly altered Harvard University's website home page, substituting an image of Syrian President Bashar al-Assad, with a message saying "Syrian Electronic Army were Here."
They are accused of creating a false online post on the Washington Post; unsuccessfully targeting members of the Executive Office of the President; defacing a blog and Twitter account belonging to Microsoft; sending false news tweets from Reuters' Twitter account and posting a false report on a journalist's blog; and posting messages on Human Rights Watch criticizing its own reports on Syria as "false."
Other media the two allegedly compromised in spear-phishing efforts include National Public Radio, CNN, The Onion, E! Online, the Daily Dot, New York Post, Time magazine and Vice. They also allegedly managed to take down the New York Times website after compromising its technology vendor. Similarly, they managed pop up messages on the CBC News website through technology vendor.
They also allegedly redirected the U.S. Marine Corps recruiting website to an online page controlled by them encouraging marines to "refuse your orders" and inviting them to fight alongside the Syrian Army and attempted to access NASA's network.
Extortion hacking scheme
Pierre Romar, 36, was also charged separately for his role in an extortion hacking scheme from 2013 through 2014. He was believed to be in Germany.
Romar allegedly was inspired by the hacking activities perpetrated by Agha and Dardar and wanted to join the Syrian Electronic Army, reaching out to Agha for help with a cyberattack he was planning against targets in Sauidi Arabia, Turkey and Qatar. According to the complaint, Agha connected him with Dardar on Facebook and the two worked together on an extortion scheme targeting U.S. and international computers and send victims threats to pay up after gaining access to their system through a spear-phishing attack.
Romar's location, in Germany, helped facilitate transferring the money to Syrian Electronic Army members in Syria because of U.S. sanctions.
Dardar allegedly demanded more than a total of $500,000 from 14 victims but ultimately accepted smaller amounts in many circumstances. Victims included an online gaming company, an online entertainment service, a Swiss web hosting provider, a United Kingdom-based web hosting company, a Europe-based web hosting company, a California-based web hosting company. In the last case, the company and some of its clients' Internet traffic was redirected to a site that said they had been hacked, alleged to have downloaded all their data and threatened to sell the databases for $100 to other hackers if it failed to comply.
The California-based company, which was not identified, ultimately paid about $1,500 to "Peter Romar in Germany" through Western Union after their bank denied the transfer to Syria — despite an initial demand of 105,000 euros.