2 hackers indicted in scheme targeting reporters, White House and Marine Corps

By RACHEL WEINER | The Washington Post | Published: May 17, 2018

ALEXANDRIA, Va. — Two hackers who prosecutors said promoted the Syrian government by compromising media coverage were indicted Thursday in federal court on 11 counts of wire fraud and aggravated identity theft.

Ahmad Umar Agha, known online as "The Pro," and Firas Dardar, known as "The Shadow," are still at large, believed to be in Syria. A co-conspirator, Peter Romar, was extradited from Germany and pleaded guilty in 2016.

All three were charged by criminal complaint two years ago with carrying out online attacks in support of Syrian President Bashar Assad. But the indictment, which comes as the statute of limitations for some of their alleged crimes nears, lays out the case in more detail.

The group was most active from 2011 to 2013. Dardar and Agha used phishing techniques, according to prosecutors, sending targets emails designed to look as if they came from trusted sources. A link in the email would lead to a seemingly legitimate site that would capture the target's login credentials for internal websites and social media accounts.

If the trick worked, the two allegedly would then deface those pages with messages in support of the Assad regime, often using juvenile insults and memes.

Employees at The Washington Post, CNN, the Associated Press, National Public Radio, the Onion, Human Rights Watch, NASA, Microsoft and the Executive Office of the President all clicked on links in spear-phishing emails.

Once they had gotten access to an email account of one member of the media, the hackers would use it to send phishing emails to other reporters.

The hackers also were able to leverage hacks of third-party web services companies to disrupt access to The Post, the New York Times, Marines.com and The Huffington Post UK. For instance, access to a domain registration website let the hackers redirect traffic intended for the New York Times, Marines.com and the Huffington Post UK, authorities said. And links from a content recommendation service sent readers to Syrian Electronic Army websites rather than Washington Post, CNN and Time articles.

Other victims included the New York Post, Reuters, Time, USA Today and The Daily Dot.

Although the tactics were not very sophisticated, the intrusions caused upheaval at media organizations and confusion among readers. When the pair took over the AP's Twitter account in 2013 and falsely claimed that the president had been injured by a bombing attack at the White House, the stock market briefly nose-dived.

At NASA and the office of the president, the attacks were rebuffed.

Romar admitted to helping pass money on to Agha and Dardar from Germany, where he lived. He was sentenced only to time served awaiting judgment.
