Security Experts:

Connect with us

Hi, what are you looking for?



Threat Group Targets Strategy, Battle Plans of Syrian Opposition: FireEye

A new report from FireEye details the activities of a threat actor whose mission has been to gather valuable information on individuals and organizations opposing Syrian President Bashar al-Assad.

A new report from FireEye details the activities of a threat actor whose mission has been to gather valuable information on individuals and organizations opposing Syrian President Bashar al-Assad.

According to the security firm, the attackers targeted military information, humanitarian activities and financing, media and communications, political information, and the personal details of refugees.

The group has managed to steal 7.7 Gb of files containing data on military operations, the position of troops, military hardware, weapons systems, political strategies and tactics, supply lists and financial records of humanitarian organizations, situational reports from the media, and user account credentials. Researchers have found over 31,000 chat logs, 12,000 contacts, and 240,000 messages on the hackers’ servers.

Most of the data was obtained between May 2013 and December 2013, but some of the stolen Skype chat logs went back to 2012. The newest data discovered by FireEye is from January 2014.

The targets were leaders or armed units, defectors, humanitarians, media activists, and other members of the Syrian opposition. While most of the victims were located in Syria, FireEye determined that some of them were from Turkey, Ukraine, Jordan, Egypt, Spain, Lebanon and the UAE.

The threat group’s arsenal includes the notorious DarkComet remote access tool (RAT), Android malware, and various tools that have been custom built (YABROD and CABLECAR). The DarkComet RAT has been distributed with the aid of a previously unseen multistage dropper (BLACKSTAR).

The attackers haven’t relied on exploits to plant malware on targeted devices. Instead, they mostly leveraged social engineering tricks. One of the most efficient techniques used by the group involves the creation of female avatars.

Fake Skype accounts apparently belonging to sympathetic and attractive women had been used to get in touch with targeted men without raising suspicion. The female avatars had two roles: to send the targets a piece of malware disguised as a personal photo, and to obtain valuable information by chatting with the victim.

The first question asked by the attackers when they connected with a potential victim on Skype was “How are you on Skype? On a computer or on your phone?” By getting an answer to this question, the hackers would know what type of malware to use, FireEye said.

The threat actors also used social media accounts and a fake Syrian opposition website to distribute malware. Because many of the victims shared computers for satellite-based Internet access, it was enough for the attackers to compromise a relatively small number of systems in order to gain access to large quantities of data.

This isn’t the first operation targeting the Syrian opposition. Similar campaigns have been observed by Kaspersky, Citizen Lab, the Electronic Frontier Foundation (EFF), and Trend Micro. However, FireEye has pointed out that the command and control (C&C) infrastructure and many of the tools used by this particular threat group are different. Unlike many other threat actors, they are using C&C servers located outside of Syria.

Researchers haven’t been able to determine who is behind this hacking operation, but they uncovered several links to Lebanon during their investigation. FireEye has pointed out that if the attackers passed on the stolen files to the Syrian government, Assad’s forces could use the military intelligence for a battlefield advantage.

The complete report, “Behind the Syrian Conflict’s Digital Frontlines,” is available for download.

Related: Skype Chats Compromised Syrian Rebels

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

As the year comes to a close, we thought it would be appropriate to highlight some of the best stories and columns for 2010....

Application Security

If Patch Tuesday is a party, this would be the IT security version of pre-gaming.On Aug. 9, Microsoft accidentally released information on the five...


Symantec has published a new whitepaper detailing the activities of a threat group dubbed by the security firm “Waterbug.”

Application Security

Hackers breached the systems of anti-adblocking solutions provider PageFair and used the access to deliver malware via the publishers that rely on the company’s...


IBM today released research and intelligence reports on data breaches in the retail sector and trends for the Black Friday/Cyber Monday period.According to the...

Application Security

Protests against Apple and Foxconn due to furor over reports about working conditions have gone digital.


A report published on Tuesday by Trend Micro provides a detailed view of Japan’s cybercriminal underground which, despite being in its infancy, has all...