Under the SEA - A Look at the Syrian Electronic Army's Mobile Tooling

Conference: BlackHat EU 2018



The presentation discusses the SilverHawk mobile surveillance capability and its use by the Syrian Electronic Army to compromise administrator accounts and target a wider audience.
  • SilverHawk is a custom surveillance tool used by the Syrian Electronic Army to trojanize secure messaging applications and system package updates
  • The tool supports remote audio recording and other generic surveillance capabilities
  • The Syrian Electronic Army has used phishing to compromise administrator accounts and post malicious content to reach a wider audience
  • Debugging symbols, metadata, and open directories were used to attribute the attacks to the Syrian Electronic Army
The Syrian Electronic Army successfully compromised the admin account for the Facebook group Syrian National Democratic Alliance and posted malicious binaries that were hosted on MediaFire. They also spread a hoax about a terrorist attack by hacking The Associated Press's Twitter account, causing the Dow Jones to drop 145 points in two minutes.


This briefing will highlight the most recent expansion of the tools of the Syrian Electronic Army (SEA), which are now known to include an entire mobile surveillanceware family (SilverHawk). This is the first time a family of mobile surveillanceware has been directly attributed to the SEA with high certainty, highlighting a new stage in the group's technical evolution. To date, SilverHawk has been identified in over 30 trojanized versions of many well-known apps, including Telegram, WhatsApp, Microsoft Word, YouTube, and the Guardian Project's ChatSecure app. We'll take a look at the SEA's past notable activities, but primarily dive into SilverHawk's capabilities, as well as the significance of the group's ability to develop this toolset. Additionally, we'll explain how we attributed and tied infrastructure to one of the SEA's most high-profile hackers, known as th3pro, who is currently on the FBI Cyber's Most Wanted list.


