海角视频

Syrian dissidents targeted by hackers: U of T's Citizen Lab

鈥淭he operation has many features indicating that the operators may be Iranian,鈥 John Scott-Railton says
photo of Noura Al-Ameer
Syrian opposition politician Noura Al-Ameer received emails from a fictitious group that included malicious PowerPoint documents containing malware; in a curious twist, her own identity was falsely used to register the assadcrimes website

The Citizen Lab at the Munk School of Global Affairs at the University of Toronto has revealed a new cyber-espionage operation targeting the Syrian opposition.  

Its, which details how targets were tricked into opening malicious files and links containing malware capable of monitoring computers and Android phones, is making headlines around the world.

The operation, which the researchers name Group5, was first uncovered when Syrian opposition politician Noura Al-Ameer received e-mails from 鈥淎ssad Crimes,鈥 a fictitious group. 

In an Op Ed in The Washington Post, Professor Ron Deibert, director of the Citizen Lab, described what happened next.

鈥淎l-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail 鈥淎ssad Crimes,鈥 she could easily have opened it. Instead, she shared it with us at .

鈥淎s we detail in, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called 鈥淒roidjack,鈥 that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.鈥

Like many previously-reported operations, Group5 combines 鈥渏ust enough鈥 technical sophistication, the use of obfuscation tools to hide from antivirus, and well-developed deceptions. 

鈥淕roup 5 displayed a chameleon-like ability to borrow the language and style of the opposition. Social Engineering is a proven technique, and unfortunately human behavior can鈥檛 be 鈥減atched鈥, 鈥 said research team leader John Scott-Railton.

Malware attacks against the Syrian opposition are nothing new. The Citizen Lab and other researchers have tracked at least four campaigns since at least late 2011.

But Group5 stands out from these cases for its use of new tactics, tools, and infrastructure. 

鈥淭he Syrian opposition has been the target of digital attacks for around five years, but we believe that Group5 is a new player in the game,鈥 Scott-Railton said. 

Much of Group5鈥檚 activity suggests that the operators prefer working with Iranian-developed tools, and an Iranian hosting company. While the report stops short of conclusively linking Group5 to a particular group, the evidence is strong enough that the researchers speculate that the group may be Iran-based. 

鈥淲e do not attribute Group5 to a particular sponsor, but the operation has many features indicating that the operators may be Iranian, from tools, to language, to servers,鈥 Scott-Railton said.

The research shows how the Internet, a powerful tool for online organizing and opposition movements, can also be leveraged by malicious groups, said Deibert. It also highlights the continued threat faced by the Syrian opposition, and its many partners, from malware campaigns.

鈥淭he report demonstrates yet again that civil society groups are persistently targeted by digital malware campaigns, and that their reliance on shared social media and digital mobilization tools can be a source of serious vulnerability when exploited by operators using clever social engineering methods,鈥 Deibert said.

and its research uncovering cyber espionage campaigns and other targeted digital attacks against human rights organizations.

 

Topics

The Bulletin Brief logo

Subscribe to The Bulletin Brief