ResearchTargeted Threats

Quantum of Surveillance Familiar Actors and Possible False Flags in Syrian Malware Campaigns

Download PDF version

High profile hacking by Syrian Electronic Army (SEA) against Western media outlets has put the digital angle of the Syrian Civil War on the map.  Yet, further from the public eye, another campaign has been taking place.  For more than 2 years the Syrian opposition has been targeted with a range of electronic attacks aimed at stealing secrets, and frustrating their objectives.   Many targets are dissidents or fighters,  but others are humanitarians, journalists, and others touched by the conflict.  Unlike the high profile defacements of the SEA, these compromises are rarely publicized by the attackers, although the malware has sometimes attracted considerable attention by security researchers and activists.

The fight in cyberspace often mirrors the geopolitics of Syria’s civil war.  For example, malware attacks appear to have gone quiet in the period when a military intervention seemed imminent, only to pick up when the possibility seemed to fade.  Similarly, just as news from Syria can be murky and distorted with misinformation, false flag malware is showing up online, too.

The latest iterations of these campaigns are tracked in a White Paper released jointly by Citizen Lab, Munk School of Global Affairs, University of Toronto and the Electronic Frontier Foundation (EFF) by Morgan Marquis-Boire (Security Researcher, Citizen Lab), John Scott-Railton (Research Fellow, Citizen Lab), and Eva Galperin (Global Policy Analyst, EFF).   The report builds on extensive previous research and writings by EFF and Citizen Lab to update what we know about malware campaigns targeting the Syrian opposition.

Highlights include:

  • New malware attacks using Skype, Gmail, Dropbox, and Facebook

    • Updates on social engineering practices

  • The use of njRAT attacks in Syria, the first time it has been publicly reported in this conflict

  • A Potential False Flag malware attack with a Mac OS X Trojan (First identified by researchers at Intego)

  • Intriguing clues about the identity and practices of one of the malware creators


The report, published as a collaboration between Citizen Lab and EFF, is available as on EFF’s website.

You can read the Wired article about the paper here.