Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response

Syrian Rebels Hacked Via Skype

'Flirtatious Women' Tricked Fighters Into Installing Malware
Syrian Rebels Hacked Via Skype

Memo to warfighters: The attractive "woman" who's flirting with you on Skype may really be an opposition hacker in disguise.

See Also: Revealing the Dark Web: How to Leverage Technologies to Alert and Block Dark Web Access

That's one takeaway from a new report from cybersecurity firm FireEye, which found 7.7 GB of data that appears to have been stolen from forces that oppose President Bashar al-Assad of Syria in the country's ongoing and bloody civil war. The information "shed valuable insight into military operations planned against President Assad's forces," the report says.

The data appears to have been obtained by hackers who posed as women via Skype and Facebook and tricked their targets into running malware that gave the hackers remote access to their Windows and Android devices, allowing them to steal any files they contained.

"This is classic traditional spy 'tradecraft'; the honeytrap has been around a lot longer than the Internet," Europol cybersecurity adviser Alan Woodward, who's a visiting computing professor at the University of Surrey in England, tells Information Security Media Group.

In this newly disclosed case, the hackers appear to have run their honeytrap operations at least between November 2013 and January 2014, and stolen everything from Skype databases and photographs to Excel planning spreadsheets and scans of photocopied battlefield plans for a major operation to seize control of the town of Khirbet Ghazaleh, FireEye says. The Skype databases in some cases contained transcripts of chat conversations that dated back to 2012.

FireEye says in a blog post that it recovered that stolen data from a server "in the course of our ongoing threat research," but emphasizes that it doesn't know the identity or affiliation of the hackers involved. "Our research revealed multiple references to Lebanon both in the course of examining the malware and in the avatar's social media use," it says. "While we do not know who conducted this hacking operation, if this data was acquired by Assad's forces or their allies, it could confer a distinct battlefield advantage."

Inexpensive Espionage

To steal the data, hackers used a straightforward one-two punch: First, they employed the persona - or avatar - of a pretty woman, flirting via Skype or Facebook with their targets, and used social-engineering tactics - trickery - to elicit information, sometimes including their target's name, age and whether they were using a Windows PC or mobile device. Then the hackers sent an "image" of themselves to their target that was, in reality, an executable file designed to infect the target's PC or Android smart phone.

"Once the target downloaded the malware, the threat group accessed his device, rifled through files and selected and stole data identifying opposition members, their Skype chat logs and contacts, and scores of documents that shed valuable insight into the opposition," FireEye says.

Using seduction for espionage purposes is well-suited to people who are in need of affection, or for tricking "alpha" types who don't think they need to play by the rules, according to Paul Cornish, a professor at the Strategy and Security Institute at the U.K.'s University of Exeter. Both of those traits would likely apply to any rebel troops on the frontlines of a civil war.

"It all just goes to show that social engineering comes in all sorts of forms, and it doesn't matter how good-looking the apparent sender," Woodward says. "You should practice your ABCs: Assume nothing, believe no one, check everything. On the Internet a little paranoia goes a long way."

Windows, Android Malware

The attackers used diverse - but inexpensive - malware tools to infect targets' systems, some of which was customized to make it more difficult to detect, FireEye says. The files sent to targets included a multi-stage, self-extracting dropper file stored in the RAR format; Blackstar, which is a custom-built dropper for a well-known remote access Trojan called Dark Comet; the Onesize keylogger; and a malicious, encrypted Python script - named "Facebook-Account.exe" - that runs shell code, giving attackers remote access to a system.

FireEye's report also details one sample it recovered of a downloader called Yabrod, which presents the target with a password-protected PDF that serves as a decoy. Behind the scenes, meanwhile, Yabrod attempts to install and execute a file called Cablecar, which attempts to inject shell code - drawn from the Metasploit open source vulnerability testing framework - into the system, giving attackers remote access. Yabrod connects to a command-and-control server, and can also store files stolen from the machine on a Dropbox account, FireEye says.

Attackers also employed two pieces of Android malware: a "Syria Twitter" application, which debuted on Google Play in August 2013 and was downloaded about 100 times before being removed, and the "Rasoo-dl" Android file, which doesn't appear to have been distributed via Google Play, FireEye says.

Syrian Civil War

Syrian Observatory for Human Rights, a monitoring group, estimates that to date, more than 200,000 people have died as a result of Syria's civil war. But the U.N.'s Office of the High Commissioner for Human Rights in January 2014 stopped updating its death toll from the conflict, saying it was too difficult to get accurate, verifiable reports from inside Syria. Millions of people have also been left homeless by the fighting.

It's not clear whether whoever hacked the Syrian rebels might be aligned with the Syrian Electronic Army, which formed in 2011 after the anti-Assad revolution began. The SEA has seized control of a number of websites and Twitter accounts to protest coverage of Assad that it finds unfavorable. Its targets have included a number of news outlets, ranging from the BBC and National Public Radio to Reuters and mock news site the Onion.

Opposition forces claim that the SEA is being run by Assad's billionaire cousin, Rami Makhlouf, using a Dubai-based team plus assistance from Russian technical experts, the Guardian reports.

'OpSec' Reminder

It's also not clear whether the information that was recovered by FireEye led to any actual operations being undermined. But the battle plans - detailing how 10 armed units comprising 700 to 800 men, per-man ammunition needs, and the deployment of heavier weapons, including several tanks, anti-aircraft guns, recoilless rifles and anti-tank weapons - could have provided pro-Assad forces with a significant tactical advantage on the battlefield.

"It is a good reminder to all that operational security is vital, and that even a small slip here can result in significant leakages," Woodward says.

Indeed, online espionage operations have the potential to give one's opposition extremely valuable information, all for a relatively scant investment. "Many people who are subject to strict operational security often wonder if it is actually worth it: 'It could never happen to me,' or 'Who would bother trying to hack me here?,'" Woodward says "This story is a perfect reminder that hackers - whatever they are after - will seek out - and find - the weakest point."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.