
Behind the Syrian Conflict’s Digital Frontlines

Citizen Lab Research Fellow John Scott-Railton is one of the authors of a report entitled “Behind the Syrian Conflict’s Digital Frontlines,” released today by FireEye, which documents a hacking operation that successfully breached the Syrian opposition. The report describes the diverse malware tools, both widely available and custom-built, used by the threat actors, including the DarkComet RAT, a customized keylogger, Android malware, and tools carrying different shellcode payloads. The report’s other author, Nart Villeneuve, is a member of the Citizen Lab’s Technical Advisory Board.

In December 2014, John Scott-Railton and Senior Security Researcher Seth Hardy published a report documenting a malware attack, designed to unmask the targets’ location, against Raqqah is being Slaughtered Silently, a Syrian citizen media group critical of the Islamic State of Iraq and Syria (ISIS). Scott-Railton and Hardy provided circumstantial evidence linking the attack to ISIS.

Excerpt:

“Between at least November 2013 and January 2014, the hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions. This data belonged to the men fighting against Syrian President Bashar al-Assad’s forces, as well as media activists, humanitarian aid workers, and others within the opposition located in Syria, the region and beyond.

“To undertake this operation, the threat group employed a familiar tactic: ensnaring its victims through conversations with seemingly sympathetic and attractive women. A female avatar would strike up a conversation on Skype and share a personal photo with her target. The photo was not only malware-laden but likely tailored to the victim’s device—an Android phone or a computer. Once the target downloaded the malware, the threat group accessed his device, rifled through files and selected and stole data identifying opposition members, their Skype chat logs and contacts, and scores of documents that shed valuable insight into the opposition.”

Read the full report [PDF].

Media Mentions

The New York Times, Security Week, Dark Reading, Forbes.