ATK132

ATK132 (aka: Syrian Electronic Army) is a hacking group active since the beginning of the Syrian Civil War in 2011. The group supports the current regime of Bashar Al-Assad, and according to several reports, it is actually part of it. In the hight of the civil war, the group launched many cyber-attacks, usually against online platforms of media outlets, in order to deface them and spread their pro-Syrian regime agenda. The attacks and defacements were not just against the official websites of the media outlets, but also against their social media accounts and even their registrar. In addition, the group is known to use different types of malware, usually against groups and individuals that oppose Al-Assad’s regime. These malware are of various types and usually have advanced capabilities. In addtion, they usually used spear-phishing as their attack vector, but also other techniques such as watering holes. All of this indicates on the high professional level of its members and their capabilities. Their attacks were occasionally launched by affiliated groups and hackers of the SEA, such as Syrian Malware team, who share infrastructure and personnel with the SEA. Of note, in recent years, cyber-attacks affiliated with the group have become more and more rare.

In October 2021, Facebook's threat disruption team took action against hackers in Pakistan and Syria. They specifically removed 3 Syrian hackers networks from the platform, namely the SEA (APT-C-27, aka. ATK132), APT-C-37 (aka. ATK85) and a government-backed group that targeted minority groups, activists, opposition, Kurdish journalists, activists, members of the People’s Protection Units (YPG), Syria Civil Defense and the White Helmets. Note: SEA's activity was linked by Facebook to Syria’s Air Force Intelligence in their latest campaign.

According to 360 Core Security, the group features two distinct branches, tracked as Golden Rat (ATK80) and  Pat Bear (ATK85).