
Threat Group Targets Strategy, Battle Plans of Syrian Opposition: FireEye

A new report from FireEye details the activities of a threat actor whose mission has been to gather valuable information on individuals and organizations opposing Syrian President Bashar al-Assad.

According to the security firm, the attackers targeted military information, humanitarian activities and financing, media and communications, political information, and the personal details of refugees.

The group has managed to steal 7.7 GB of files containing data on military operations, the position of troops, military hardware, weapons systems, political strategies and tactics, supply lists and financial records of humanitarian organizations, situational reports from the media, and user account credentials. Researchers have found over 31,000 chat logs, 12,000 contacts, and 240,000 messages on the hackers’ servers.

Most of the data was obtained between May 2013 and December 2013, but some of the stolen Skype chat logs went back to 2012. The newest data discovered by FireEye is from January 2014.

The targets were leaders of armed units, defectors, humanitarians, media activists, and other members of the Syrian opposition. While most of the victims were located in Syria, FireEye determined that some of them were from Turkey, Ukraine, Jordan, Egypt, Spain, Lebanon and the UAE.

The threat group’s arsenal includes the notorious DarkComet remote access tool (RAT), Android malware, and various tools that have been custom built (YABROD and CABLECAR). The DarkComet RAT has been distributed with the aid of a previously unseen multistage dropper (BLACKSTAR).

The attackers haven’t relied on exploits to plant malware on targeted devices. Instead, they mostly leveraged social engineering tricks. One of the most effective techniques used by the group involves the creation of female avatars.

Fake Skype accounts apparently belonging to sympathetic and attractive women had been used to get in touch with targeted men without raising suspicion. The female avatars had two roles: to send the targets a piece of malware disguised as a personal photo, and to obtain valuable information by chatting with the victim.
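The lure described above, a piece of malware passed off as a personal photo, is one that a recipient can screen for before opening anything. The following is an added example, not code from FireEye’s report or from the group’s tooling, of the three checks a practitioner would run on such an attachment: a double extension such as `photo.jpg.exe`, a Unicode right-to-left override character that makes `photo[RLO]gpj.exe` display as `photoexe.jpg`, and a mismatch between an image extension and the file’s leading magic bytes (for instance a Windows `MZ` header inside a `.png`). The file names and byte strings in the sample set are constructed for the example; the magic-byte table covers only the formats the example needs.

```python
"""Added example: screen a "photo" attachment for the common disguises used
by social-engineering lures. Not from the FireEye report; sample inputs are
constructed for illustration."""
import os

# Image extensions and the content type their magic bytes should announce.
IMAGE_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".bmp": "bmp"}
# Extensions Windows will execute when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, used to reverse how a name displays

# Leading-byte signatures, checked in order. Deliberately small.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"MZ", "pe"),          # Windows executable (EXE, SCR, DLL)
    (b"PK\x03\x04", "zip"),  # ZIP container, also JAR and Android APK
]


def sniff(data: bytes) -> str:
    """Identify a file by its first bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_lure(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means the file looks like what it claims."""
    findings = []
    name = os.path.basename(filename)
    if RLO in name:
        # The OS uses the real character order to pick the extension, so strip
        # the override and judge the name as the OS does, not as it displays.
        findings.append("rtlo: filename contains a right-to-left override")
        name = name.replace(RLO, "")
    stem, ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(stem)
    if ext in EXEC_EXTS:
        findings.append(f"exec: real extension is {ext}")
        if inner_ext in IMAGE_KIND:
            findings.append(f"double-ext: {inner_ext} before {ext}")
    elif ext in IMAGE_KIND:
        kind = sniff(data)
        if kind != IMAGE_KIND[ext]:
            findings.append(f"mismatch: {ext} file starts like {kind}")
    return findings


# Constructed sample set: one genuine JPEG and three disguised executables.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("holiday.jpg.exe", b"MZ\x90\x00" + b"\x00" * 16),
    ("holiday" + RLO + "gpj.exe", b"MZ\x90\x00" + b"\x00" * 16),
    ("holiday.png", b"MZ\x90\x00" + b"\x00" * 16),
]


def scan_samples() -> dict:
    """Run check_lure over the constructed samples, keyed by file name."""
    return {name: check_lure(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "OK" if not findings else "SUSPICIOUS"
        print(f"{verdict:10} {name!r}: {findings}")
```

The magic-byte check is the one that matters when the sender has done nothing clever with the name: a file that is really a PE will start with `MZ` no matter what it is called, so a receiver that renders a thumbnail from the extension alone is the weak point the lure exploits.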

The first question asked by the attackers when they connected with a potential victim on Skype was “How are you on Skype? On a computer or on your phone?” By getting an answer to this question, the hackers would know what type of malware to use, FireEye said.

The threat actors also used social media accounts and a fake Syrian opposition website to distribute malware. Because many of the victims shared computers for satellite-based Internet access, it was enough for the attackers to compromise a relatively small number of systems in order to gain access to large quantities of data.

This isn’t the first operation targeting the Syrian opposition. Similar campaigns have been observed by Kaspersky, Citizen Lab, the Electronic Frontier Foundation (EFF), and Trend Micro. However, FireEye has pointed out that the command and control (C&C) infrastructure and many of the tools used by this particular threat group are different. Unlike many other threat actors, they are using C&C servers located outside of Syria.

Researchers haven’t been able to determine who is behind this hacking operation, but they uncovered several links to Lebanon during their investigation. FireEye has pointed out that if the attackers passed on the stolen files to the Syrian government, Assad’s forces could use the military intelligence for a battlefield advantage.

The complete report, “Behind the Syrian Conflict’s Digital Frontlines,” is available for download.

Related: Skype Chats Compromised Syrian Rebels

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.