Syrian Opposition Exploited by Malware

A new FireEye report details how attackers were able to target groups within the Syrian opposition to learn battlefield tactics and strategy.

security worries

Malware is being used as a tactical weapon to gain intelligence in the ongoing Syrian civil war, according to a new report from security firm FireEye.

FireEye found that attackers were able to target Syrian opposition groups to gain battlefield intelligence in a campaign that included 240,381 messages and resulted in 7.7GB of stolen data. Attackers leveraged social network tools including Skype and Facebook to trick victims into giving up information and loading malware that was able to exfiltrate information.

In the case of the Syrian opposition, there is no centralized computing infrastructure with servers and databases; instead, the hacker campaign had to get information from individual endpoints.

"The Syrian opposition fighters do not have complicated infrastructure. They rely on shared computers and mobile devices," Jen Weedon, manager of Threat Intelligence and Strategic Analysis at FireEye, told eWEEK. "They have a decentralized operation, and as such the data and the intelligence are very spread out."

One part of the campaign involved taking advantage of a target victim's Skype contact list. The attackers at various points pretended to be women wanting to discuss items with the Syrian opposition over Skype. Weedon noted that since the Syrian opposition shares infrastructure, there could be a lot of contact information on any one individual device.

"Once the attackers could get through on one account, that would allow for access to a lot more information than just the one individual person," Weedon said.

Hacking activity with Syrian origins is not an entirely new phenomenon. In 2013 and 2014, the Syrian Electronic Army (SEA) attacked media outlets including Reuters, Washington Post, The New York Times and CNN. The SEA is a group that is loosely associated with the government of Syrian leader Bashar al-Assad. Weedon said that the newly uncovered campaign against the Syrian opposition appears to be unrelated to the SEA and uses different tactics.


In terms of the actual malware used in the campaign to target the Syrian opposition, Weedon said it did not include zero-day exploits and it largely focuses on Microsoft Windows operating systems for deployment. There was some evidence that the attackers also had the potential to leverage some Android malware as well, Weedon added.

One of the primary tools used in the Syrian opposition attack is what is known as a multistage RAR dropper. An RAR file is a compressed archived file that may include any number of different malware payloads, such as a keylogger.

"They used widely available tools and stuff that is publicly available," Weedon said. "The benefit of using malware that is publicly available is that it obfuscates the origin."

FireEye was able to identify that the malware used was being managed by a command and control (C&C) server in Europe, though that doesn't necessarily link the attack to any particular place of origin.

Weedon added that the attacks against the Syrian opposition weren't using particularly sophisticated tools. From a defensive perspective, the attacks likely could have been prevented with the proper use of antivirus software as well as fully up-to-date and patched software.

"They were definitely not using any zero-day exploits, but if you're on the battlefield looking to overthrow a regime, probably patching your computer is the last thing on your mind," Weedon said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.