Behind the Syrian Conflict’s Digital Frontlines

Cyber espionage is traditionally understood as a method aimed at achieving an information edge or a strategic goal. However, our research on malware activity related to the ongoing conflict in Syria indicates that such operations can also provide actionable military intelligence for an immediate battlefield advantage. Today we release a new report, “Behind the Syrian Conflict’s Digital Frontlines,” which documents a well-executed hacking operation that successfully breached the Syrian opposition.

Between at least November 2013 and January 2014, the hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions. This data belonged to the men fighting against Syrian President Bashar al-Assad’s forces, as well as media activists, humanitarian aid workers, and others within the opposition located in Syria, the region and beyond.

To undertake this operation, the threat group employed a familiar tactic: ensnaring its victims through conversations with seemingly sympathetic and attractive women. A female avatar would strike up a conversation on Skype and share a personal photo with her target. The photo was not only malware-laden but likely tailored to the victim’s device—an Android phone or a computer. Once the target downloaded the malware, the threat group accessed his device, rifled through files and selected and stole data identifying opposition members, their Skype chat logs and contacts, and scores of documents that shed valuable insight into the opposition.

Types of Stolen Information

Military Information


· Conversations and documents planning military operations

· Details on military hardware and positions of fighting groups

· Names of members of fighting groups and their weapons systems

Political Information

· Political strategy discussions

· Political tracts, manifestos, and alliances within the opposition

Humanitarian Activities & Financing

· Humanitarian needs assessments

· Lists of materials for the construction of major refugee camps

· Humanitarian financial assistance disbursement records

Refugee Personal Information

· Applications for assistance by refugees to authorities in Turkey

· Lists of aid recipients, scans of ID cards

Media and Communications

· Documents and strategy information pertaining to media releases

· Situation reports and lists of casualties

· Information about rights abuses


In our report, we describe the diverse malware toolset used by the threat actors. They used both widely available and custom malware to breach their targets, including the DarkComet RAT, a customized keylogger, Android malware and tools with different shellcode payloads.

We have only limited indications about the origins of this threat activity. Our research revealed multiple references to Lebanon both in the course of examining the malware and in the avatar’s social media use. While we do not know who conducted this hacking operation, if this data was acquired by Assad’s forces or their allies it could confer a distinct battlefield advantage.

The complete report can be downloaded here: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf

Indicators of Compromise associated with this activity are available at: https://github.com/fireeye/iocs/tree/master/BlogPosts.