The Syrian Electronic Army (SEA) is a group of threat actors that has been around since 2011. Some of their possible victims are PayPal, eBay, Twitter, media outlets, and some U.S. government websites.
Last year, suspected SEA members were seen sending phishing links disguised as social media URLs to targets. While there is no direct confirmation that the Syrian government supervises the group, researchers found some evidence supporting this claim. Many also believe that other nations may be using the army because of its effectiveness.
To assist law enforcement agencies and the cybersecurity community in tracking down the threat group, WhoisXML API threat researcher Dancho Danchev took a deeper look inside SEA’s digital infrastructure, revealing:
Our researchers further dissected these suspicious cyber resources and uncovered more connected domains and IP addresses.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Most of the email addresses tied to the threat group were Hotmail and Gmail accounts. Danchev retrieved 34 of them, along with 238 domain names and 444 responding IP addresses.
Most of the email addresses contained random text strings in their usernames, but we also noticed some that contained the strings “syrian” and “whitehouse.” On the other hand, the domain names didn’t have a significant theme. They were primarily generic domains that could be tied to businesses like “airport van rentals,” “gikitchen,” and “theatre confetti.” However, some are potentially cybersquatting domains, such as:
The domains were also concentrated in seven TLD spaces—.com, .info, .org, .net, .biz, .gov, and .ca. The chart below shows the distribution of the domains across these TLDs.
The IP addresses were spread across 28 countries, although about 60% are geolocated in the U.S. The top IP geolocations are shown in the chart below.
Using reverse WHOIS searches, we found 771 additional domains related to the threat group. These domains were registered using the SEA email addresses at some point. Reverse IP lookups for the responding IP addresses also led us to more connected domains.
In total, 1,457 indicators of compromise (IoCs) and artifacts related to SEA were uncovered in this study. We analyzed these using WHOIS and DNS intelligence.
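The pivoting described above (reverse WHOIS on registrant email addresses, reverse IP on responding addresses), as an added Python example that is not part of the original research. All records are constructed, the lookup tables stand in for whatever WHOIS and passive DNS source is used, and the `max_domains_per_ip` cutoff for skipping shared hosting is an assumption, not a value from the study.

```python
from collections import Counter

# Constructed sample data (reserved example names and documentation IPs).
WHOIS_HISTORY = {  # registrant email -> domains ever registered with it
    "actor1@mail.example": {"news-login.example", "van-rentals.example"},
    "actor2@mail.example": {"van-rentals.example", "portal.example.org"},
}
PASSIVE_DNS = {  # IP address -> domains seen resolving to it
    "192.0.2.10": {"news-login.example", "cdn-assets.example.net"},
    # A shared host: hundreds of unrelated tenants on one address.
    "198.51.100.7": {f"tenant{i}.example.com" for i in range(500)},
}


def expand(seed_domains, seed_emails, seed_ips, whois_history, passive_dns,
           max_domains_per_ip=50):
    """Expand seed IoCs into connected domains, recording why each is linked.

    Returns (linked, skipped): linked maps domain -> set of pivots that
    reached it; skipped lists IPs ignored as shared infrastructure.
    """
    linked = {d.lower(): {"seed"} for d in seed_domains}
    skipped = []
    # Reverse WHOIS pivot: every domain registered with a seed email.
    for email in seed_emails:
        for domain in whois_history.get(email, ()):
            linked.setdefault(domain.lower(), set()).add(f"whois:{email}")
    # Reverse IP pivot: co-hosted domains, unless the IP is shared hosting,
    # where co-residence says nothing about common ownership.
    for ip in seed_ips:
        hosted = passive_dns.get(ip, set())
        if len(hosted) > max_domains_per_ip:
            skipped.append(ip)
            continue
        for domain in hosted:
            linked.setdefault(domain.lower(), set()).add(f"ip:{ip}")
    return linked, skipped


def tld_distribution(domains):
    """Count domains per top-level label, as in the TLD chart."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)
```

Domains reached by more than one pivot (for example, the same registrant email and a shared IP) are stronger attribution candidates than those reached by a single reverse IP hit.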
A bulk WHOIS lookup of the IoCs and related properties determined that the largest share of them (30%) belonged to the American Registry for Internet Numbers (ARIN). GoDaddy was the leading registrar, accounting for 12% of the registrations, followed by Google with 6%. The rest of the top registrars are shown in the graph below.
While the properties resolved to IP addresses assigned to more than 180 Internet service providers (ISPs), Amazon topped the list, accounting for 22% of the IP resolutions. Google and GoDaddy also appeared in the top 10, with shares of 7% and 4%, respectively.
As mentioned earlier, the responding IP addresses directly connected to the threat group were primarily geolocated in the U.S. This finding held when the artifacts were included in the analysis.
For both WHOIS registration and IP geolocation, the properties were mostly located in the U.S., accounting for 59.9% of the IP resolutions and 62% of the domain registrations.
This location contextualization may help security teams expand their visibility as threat actors may continue to mask their locations.
Out of 1,009 connected domains, only five have been flagged as malicious in our analysis. That leaves the majority of the domains unflagged and potentially available to the actors for malicious activities.
Law enforcement agencies have been after SEA for some time now and even indicted two members in 2018. The cybersecurity community also wants to crack down on the threat group. Mapping out its digital footprint is a crucial step toward achieving this goal.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.