Threat Group Targets Strategy, Battle Plans of Syrian Opposition: FireEye

A new report from FireEye details the activities of a threat actor whose mission has been to gather valuable information on individuals and organizations opposing Syrian President Bashar al-Assad.

According to the security firm, the attackers targeted military information, humanitarian activities and financing, media and communications, political information, and the personal details of refugees.

The group has managed to steal 7.7 GB of files containing data on military operations, the position of troops, military hardware, weapons systems, political strategies and tactics, supply lists and financial records of humanitarian organizations, situational reports from the media, and user account credentials. Researchers found over 31,000 chat logs, 12,000 contacts, and 240,000 messages on the hackers’ servers.

Most of the data was obtained between May 2013 and December 2013, but some of the stolen Skype chat logs went back to 2012. The newest data discovered by FireEye is from January 2014.

The targets were leaders of armed units, defectors, humanitarians, media activists, and other members of the Syrian opposition. While most of the victims were located in Syria, FireEye determined that some of them were from Turkey, Ukraine, Jordan, Egypt, Spain, Lebanon and the UAE.

The threat group’s arsenal includes the notorious DarkComet remote access tool (RAT), Android malware, and various tools that have been custom built (YABROD and CABLECAR). The DarkComet RAT has been distributed with the aid of a previously unseen multistage dropper (BLACKSTAR).

The attackers haven’t relied on exploits to plant malware on targeted devices. Instead, they mostly leveraged social engineering tricks. One of the most efficient techniques used by the group involves the creation of female avatars.

Fake Skype accounts apparently belonging to sympathetic and attractive women had been used to get in touch with targeted men without raising suspicion. The female avatars had two roles: to send the targets a piece of malware disguised as a personal photo, and to obtain valuable information by chatting with the victim.
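The lure described above works because a chat client shows the file name the sender chose, not what the bytes actually are. As an added example (not code from FireEye or from the article), the check below classifies a received file by comparing its claimed image extension with its magic bytes, and also flags the two common naming tricks used to pass an executable off as a photo: a double extension such as photo.jpg.scr and a right-to-left override character in the name. The file names and byte strings are constructed samples, and the category labels are this example's own.

```python
import os

# Extensions a user expects to be harmless pictures.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Extensions Windows will execute even though the name may look innocent.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Unicode RIGHT-TO-LEFT OVERRIDE: "photo\u202egpj.scr" renders as "photorcs.jpg".
RTLO = "\u202e"

# Leading bytes that identify the real file type regardless of its name.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
    b"MZ": "pe",  # DOS/PE executable header
}
IMAGE_TYPES = {"jpeg", "png", "gif", "bmp"}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the file's leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def classify_lure(filename: str, data: bytes) -> str:
    """Classify a received attachment.

    Categories (labels chosen for this example):
      rtlo-override       - name contains U+202E to reverse the visible extension
      double-extension    - image extension followed by an executable one
      executable-as-image - image extension but PE content
      executable          - honest executable (policy decides what to do)
      ok                  - image extension with image content
      unknown             - none of the above
    """
    name = filename.lower()
    if RTLO in name:
        return "rtlo-override"
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]
    content = sniff_type(data)
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in IMAGE_EXTENSIONS:
        return "double-extension"
    if ext in IMAGE_EXTENSIONS and content == "pe":
        return "executable-as-image"
    if ext in EXECUTABLE_EXTENSIONS and content == "pe":
        return "executable"
    if ext in IMAGE_EXTENSIONS and content in IMAGE_TYPES:
        return "ok"
    return "unknown"


# Constructed samples: the first is a genuine JPEG header, the rest are
# PE headers carrying the kinds of names a "personal photo" lure would use.
SAMPLES = {
    "me.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "me.jpg.scr": b"MZ\x90\x00" + b"\x00" * 16,
    "holiday.png": b"MZ\x90\x00" + b"\x00" * 16,
    "photo\u202egpj.scr": b"MZ\x90\x00" + b"\x00" * 16,
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {filename: category}."""
    return {name: classify_lure(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:20} {name!r}")
```

The magic-byte check is the one that matters: a renamed executable still begins with "MZ", and a real picture never does. The two naming checks catch the lure before the file is even opened, which is useful when the platform answer the attackers fish for (computer or phone) tells them a Windows binary will run.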

The first question asked by the attackers when they connected with a potential victim on Skype was “How are you on Skype? On a computer or on your phone?” By getting an answer to this question, the hackers would know what type of malware to use, FireEye said.

The threat actors also used social media accounts and a fake Syrian opposition website to distribute malware. Because many of the victims shared computers for satellite-based Internet access, it was enough for the attackers to compromise a relatively small number of systems in order to gain access to large quantities of data.

This isn’t the first operation targeting the Syrian opposition. Similar campaigns have been observed by Kaspersky, Citizen Lab, the Electronic Frontier Foundation (EFF), and Trend Micro. However, FireEye has pointed out that the command and control (C&C) infrastructure and many of the tools used by this particular threat group are different. Unlike many other threat actors, they are using C&C servers located outside of Syria.

Researchers haven’t been able to determine who is behind this hacking operation, but they uncovered several links to Lebanon during their investigation. FireEye has pointed out that if the attackers passed on the stolen files to the Syrian government, Assad’s forces could use the military intelligence for a battlefield advantage.

The complete report, “Behind the Syrian Conflict’s Digital Frontlines,” is available for download.

Related: Skype Chats Compromised Syrian Rebels

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
