Syrian Electronic Army Phishing in Turkey, Turkish Hackers Retaliate
By Chris on January 20, 2014
The Syrian Electronic Army was busy playing both offense and defense last week. They reportedly gained access to multiple Microsoft assets including social media channels and the Official Microsoft Blog at blogs.technet.com; soon after, their website was hacked by a Turkish group called TurkGuvenligi.
It’s not the first time we’ve seen hacker-on-hacker campaigns involving the SEA. Their spat with members of Anonymous is well documented, but this defacement, if TurkGuvenligi’s stated cause for their attack is true, is interesting in that it alerts us to ongoing efforts by the SEA to infiltrate Turkish assets.
The SEA carried out attacks on Turkish government assets during June alongside, but seemingly not in outright coordination with, other hacktivists during the swell of anti-government protests. We don’t observe any anti-government activity by TurkGuvenligi reported in open sources, a point that we’ll further address in this post.
But back to the SEA and its efforts against the Turkish government. Months earlier, it was reported that the SEA successfully gained access to high-level political discussions between officials in Turkey, Qatar, and Egypt. Al-Akhbar, along with Syrian website Ajel, released the contents of those documents.
With this defacement by TurkGuvenligi, we can surmise the SEA continues to attempt exfiltrating information from Turkish assets as Syria’s neighbor facilitates peace talks with Syrian rebel groups. Was TurkGuvenligi retaliating on behalf of the Turkish government?
What’s the story with TurkGuvenligi?
Using Recorded Future, we plotted out TurkGuvenligi’s activity over several years. The group used a DNS hijacking tactic back in 2010 against security firm Secunia that is remarkably similar to an attack by the SEA against Twitter during fall 2013, the latter of which saw Twitter’s DNS host Melbourne IT compromised.
The group’s targeting is diverse. It hit a variety of targets in a similar DNS spoofing attack during September 2011 when TurkGuvenligi successfully compromised NetNames and Ascio, subsidiaries of Group NBT, redirecting traffic to Vodafone, BetFair, the Daily Telegraph, the Register, National Geographic, Acer, and UPS among others. They redirected traffic from exploit database 1337day.com in mid-2013 when the site wouldn’t ban a user allegedly posing as one of TurkGuvenligi’s founding members, Agd_Scorp, and just prior to the SEA hack the group defaced the website of the popular cryptographic library OpenSSL.
So, what did we learn from this brief assessment? The group pentests and draws attention to vulnerabilities in sites and services they use, such as 1337day and OpenSSL. They occasionally appear to hack simply for the lulz, as they claimed the NetNames and Ascio attacks were carried out as part of “World Hackers Day” during 2011.
Temporal Clues to TurkGuvenligi Intentions
Defacing the SEA’s website is slightly different from other TurkGuvenligi activity in that it carries a hint of nationalism. Following this strand leads us to the discovery that while hacktivists took up arms with protesters against the Turkish government in early June, TurkGuvenligi was generally quiet. Their claimed activity on Zone-H from May 28, when protests broke out in Gezi Park, to July 9, consisted of just one defacement: an attack on AnonOps.com leaving this somewhat cryptic conspiracy theory message (note: if there are any Turkish readers out there, drop us a note in the comments as we’d appreciate a clean translation).
While it’s too big a step for the researchers on this blog to say members of this group are associated with the Turkish government, anomalies in TurkGuvenligi’s activity and the targets of other hacker groups give us clues as to what drives their work. We’ll continue to observe the interactions between nationalist hackers in Turkey and Syria as the region’s tempestuous geopolitical dynamics evolve.