By Joseph Menn
SAN FRANCISCO (Reuters) - If the United States attacks Syria, it will be the first time it strikes a country that is capable of waging retaliatory cyberspace attacks on American targets.
The risk is heightened by Syria's alliance with Iran, which has built up its cyber capability in the past three years, and already gives the country technical and other support. If Iran stood with Syria in any fray with the United States that would significantly increase the cyber threat, security experts said.
Organized cyber attacks have already been carried out by the Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad. It has disrupted the websites of U.S. media and Internet companies and is now threatening to step up such hacking if Washington bombs Damascus.
"It's likely that the Syrian Electronic Army does something in response, perhaps with some assistance from Iranian-related groups," said former White House cybersecurity and counter terror advisor Richard Clarke.
Little is known about the hackers behind the Syrian Electronic Army, and there is no evidence that the group is capable of destructive attacks on critical infrastructure.
However, former U.S. National Security Agency director Michael Hayden told Reuters that the SEA "sounds like an Iranian proxy," and it could have much greater ability than it has displayed.
Thus far, the SEA's most disruptive act was in April when it broke into the Twitter account of the Associated Press and sent fictional tweets about explosions at the White House. The false messages sent the stock market into a downward spiral that, for a short time, erased more than $100 billion in value.
In an email to Reuters on Wednesday, the SEA said if the U.S. military moves against Syria "our targets will be different."
"Everything will be possible if the U.S. begins hostile military actions against Syria," the group said in the note.
President Barack Obama vowed on Wednesday that the Syrian government would face "international consequences" for last week's deadly chemical attack in Syria, but he made clear that any military action would be limited.
Asked about the threat of cyber retaliation, U.S. Department of Homeland Security spokesman Peter Boogaard said the government "is closely following the situation and actively collaborates and shares information with public and private sector partners every day."
A U.S. Department of Defense spokesman said he could not discuss specific threats, while another source at the Pentagon said no unusual activity had been detected by late on Wednesday.
IRAN SHARPENS ITS GAME
Cyber experts have said that Iran increased its cyber capabilities after the United States used the Stuxnet virus to attack Tehran's nuclear program.
U.S. intelligence officials have blamed hackers sponsored by Iran for a series of so-called distributed-denial-of-service attacks against many U.S. banking sites. In DDoS attacks, thousands of computers try to contact a target website at the same time, overwhelming it and rendering it inaccessible.
In three waves of attacks since last September, consumers have reported inability to conduct online transactions at more than a dozen banks, including Wells Fargo & Co, Citigroup Inc, JPMorgan Chase & Co and Bank of America Corp. Banks have spent millions of dollars to fend off the hackers and restore service.
Researchers have said that Iran has also infiltrated Western oil companies, and it could try to destroy data, though that would increase the risk of retaliation by the United States.
Things in cyberspace would get more complicated if Russia, an ally of Iran and Syria, were to step in. Former Obama administration officials have said that Russia, which has supplied arms to Syria, has cyber capabilities nearly as powerful as the United States.
Even if the Russian government did not act directly, the country's private hackers rank with those in China in their ability and willingness to conduct "patriotic" attacks. Cyber experts have said that Russian hackers have struck at government and other sites in Estonia and Georgia.
The Syrian Electronic Army's servers are based in Russia, and that alliance could strengthen if matters in Syria became more dramatic, said Paul Ferguson of the Internet security company IID.
"We already have a bad geopolitical situation," Ferguson said. "This could play into the entire narrative I don't want to see happen."
It is unclear how much cyber damage Syria could or would want to inflict, said Dmitri Alperovitch, chief technology officer of security firm CrowdStrike.
"We haven't seen significant intrusion capabilities from them or destructive capabilities," he said.
Earlier this week, as the Obama administration pushed for more support for strikes on Syria, the New York Times, Twitter and the Huffington Post lost control of some of their websites. The SEA claimed responsibility for the attacks.
Security experts said electronic records showed that NYTimes.com, the only site with an hours-long outage, redirected visitors to a server controlled by the Syrian group.
The SEA had planned to post anti-war messages on the Times site but was overwhelmed by the traffic it received and its server crashed, the SEA said by email. Late on Wednesday, some users still could not access NYTimes.com.
The SEA managed to gain control of the New York Times web address by penetrating MelbourneIT, an Australian Internet service provider that sells and manages domain names.
It could have done much worse with such access, experts said, underscoring the vulnerability of major companies that use outside providers.
"Chief information officers need to realize that critical pieces of their online entities are controlled by vendors and that security policies should apply to them as well," said Amichai Shulman, chief technology officer at security firm Imperva.
(Reporting by Joseph Menn; Editing by Tiffany Wu, Toni Reinhold)