Syrian Electronic Army (SEA) is a pro-Assad, pro-Syrian-government threat actor. The content describes SEA as a well-known actor targeting the Syrian revolution/opposition as well as Western media organizations, NGOs, corporate entities, news sites, and prominent social media accounts. Reported activity includes exploiting security flaws to place pro-Assad messages on websites and social-media feeds, social engineering attacks on prominent accounts, DNS hijacking, website defacement, malware operations against the Syrian opposition, and data breaches. Directly cited operations and behavior in the content include: defacements of U.S. Army websites in 2015; DNS hijacking attacks affecting The New York Times and Twitter; compromise of the Associated Press Twitter account to post a false White House bombing report; targeting of news sites including The Washington Post; and the February 2014 Forbes intrusion, which leaked more than 1 million user accounts and involved fake news stories posted on forbes.com. The content also states SEA continues lower-profile operations that include malware against the Syrian opposition. The content further describes an ecosystem linked to SEA that used trolls, honeypot social-media accounts, and hackers together: trolls to sow doubt, honeypots to build trust, and hackers believed to exploit clicks on dubious links or deliver malware-laced attachments. Arabic-named LNK files disguised as government forms are also noted as a documented TTP used by multiple actors including SEA. Aliases directly provided in the content: Syrian Electronic Army, SEA.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a historical example of a prior defacement of U.S. Army-related websites.
Mentioned as an example of a known actor that has used Arabic-language lure documents disguised as government forms in targeted campaigns.
Attributed with the 2014 attack on Forbes that leaked over 1 million user accounts and resulted in fake news stories being posted to forbes.com.
Pro-Assad actor historically targeting Syrian opposition (and also Western orgs) with lower-profile malware operations and influence/attack activity.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.