Under the SEA - A Look at the Syrian Electronic Army's Mobile Tooling

Presented at Black Hat Europe 2018, Dec. 5, 2018, 2 p.m. (25 minutes)

This briefing will highlight the most recent expansion of the tools of the Syrian Electronic Army (SEA), which are now known to include an entire mobile surveillanceware family (SilverHawk). This is the first time a family of mobile surveillanceware has been directly attributed to the SEA with high certainty, highlighting a new stage in the group's technical evolution. To date, SilverHawk has been identified in over 30 trojanized versions of many well-known apps, including Telegram, WhatsApp, Microsoft Word, YouTube, and the Guardian Project's Chat Secure app.

We'll take a look at the SEA's past notable activities, but primarily dive into SilverHawk's capabilities, as well as the significance of the group's ability to develop this toolset. Additionally, we'll explain how we attributed and tied infrastructure to one of the SEA's most high-profile hackers, known as th3pro, who is currently on the FBI Cyber's Most Wanted list.


  • Michael Flossman - Head of Threat Intelligence, Lookout
    Michael Flossman is the Head of Lookout's Threat Intelligence services, where he is responsible for discovering and analyzing sophisticated mobile threats being deployed in targeted attacks. He has recently worked on multiple high-profile investigations that have involved tracking and writing about the evolution and deployment of surveillanceware tools like Pegasus, ViperRAT, FrozenCell, Dark Caracal, StealthMango, JadeRAT, and Tangelo, to name but a few. His background is in security assessments, pen-testing, reverse engineering, prototyping, incident response, and vulnerability research.
  • Kristin Del Rosso - Security Intelligence Engineer, Lookout
    Kristin Del Rosso is a member of Lookout's Threat Intelligence Team in San Francisco, where she hunts for nation-state malware and targeted surveillanceware. She works with her team to map out attacker infrastructure and better understand the actors and motives behind these mobile threats.

