Syrian dissidents targeted by hackers: U of T's Citizen Lab

“The operation has many features indicating that the operators may be Iranian,” John Scott-Railton says
photo of Noura Al-Ameer
Syrian opposition politician Noura Al-Ameer received emails from a fictitious group that included malicious PowerPoint documents containing malware; in a curious twist, her own identity was falsely used to register the assadcrimes website

The Citizen Lab at the Munk School of Global Affairs at the University of Toronto has revealed a new cyber-espionage operation targeting the Syrian opposition.  

Its report, which details how targets were tricked into opening malicious files and links containing malware capable of monitoring computers and Android phones, is making headlines around the world.

Read the Associated Press story

Read the CBC story

The operation, which the researchers name Group5, was first uncovered when Syrian opposition politician Noura Al-Ameer received e-mails from “Assad Crimes,” a fictitious group. 

In an Op Ed in The Washington Post, Professor Ron Deibert, director of the Citizen Lab, described what happened next.

“Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail “Assad Crimes,” she could easily have opened it. Instead, she shared it with us at the Citizen Lab.

“As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called “Droidjack,” that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.”

Read The Washington Post Op Ed

Like many previously-reported operations, Group5 combines “just enough” technical sophistication, the use of obfuscation tools to hide from antivirus, and well-developed deceptions. 

“Group 5 displayed a chameleon-like ability to borrow the language and style of the opposition. Social Engineering is a proven technique, and unfortunately human behavior can’t be “patched”, ” said research team leader John Scott-Railton.

Malware attacks against the Syrian opposition are nothing new. The Citizen Lab and other researchers have tracked at least four campaigns since at least late 2011.

But Group5 stands out from these cases for its use of new tactics, tools, and infrastructure. 

“The Syrian opposition has been the target of digital attacks for around five years, but we believe that Group5 is a new player in the game,” Scott-Railton said. 

Much of Group5’s activity suggests that the operators prefer working with Iranian-developed tools, and an Iranian hosting company. While the report stops short of conclusively linking Group5 to a particular group, the evidence is strong enough that the researchers speculate that the group may be Iran-based. 

“We do not attribute Group5 to a particular sponsor, but the operation has many features indicating that the operators may be Iranian, from tools, to language, to servers,” Scott-Railton said.

The research shows how the Internet, a powerful tool for online organizing and opposition movements, can also be leveraged by malicious groups, said Deibert. It also highlights the continued threat faced by the Syrian opposition, and its many partners, from malware campaigns.

“The report demonstrates yet again that civil society groups are persistently targeted by digital malware campaigns, and that their reliance on shared social media and digital mobilization tools can be a source of serious vulnerability when exploited by operators using clever social engineering methods,” Deibert said.

Read more about The Citizen Lab at U of T and its research uncovering cyber espionage campaigns and other targeted digital attacks against human rights organizations.



The Bulletin Brief logo

Subscribe to The Bulletin Brief