Hackers targeted Syrian rebel fighters with online “honey traps,” posing as female supporters to steal battle plans and the identities of defectors, a security firm said Monday.
Syrian armed opposition groups lost critical information when their militants fell victim to a “femme fatale” scheme that used Skype chats to infect computers and phones with malware.
The security firm FireEye said it uncovered the hacking scheme that stole tactical battle plans, geographical coordinates, information on weapons and other key data in a period from November 2013 to January 2014, and possibly longer.
The names of the targeted rebel groups were not revealed by FireEye.
The hackers lured militants into online chats with attractive female avatars and eventually delivered a malware-laden photo that allowed the operators of the scheme to steal “scores of documents that shed valuable insight into military operations planned against President (Bashar al-) Assad’s forces,” FireEye said in a report.
The method was particularly fruitful because Syrian rebels often shared computers, so a single compromised machine yielded information from multiple victims.
“The hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions,” the report said.
“Sometimes, the threat group would take whole sets of files pertaining to upcoming large-scale military operations. These included correspondence, rosters, annotated satellite images, battle maps, orders of battle, geographic coordinates for attacks, and lists of weapons from a range of fighting groups,” it added.
The group asked its targets about the device they used — computer or Android phone — probably to deploy malware specifically tailored to that device, FireEye said.
In addition to the military and political documents stolen, the group also accessed the victims’ Skype databases to obtain contacts and real-time communications, “providing the threat actors with an inside view into the opposition’s relationships and plans.”
FireEye said it lacked sufficient information to determine the identity of the hackers or their ties to the Syrian government, but noted that “we have some indications that the group may be resourced and/or located outside of Syria.”
“We found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek,” said Nart Villeneuve, a researcher at FireEye.
“While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”
The hackers also used other tactics, including creating fake social media accounts and Syrian opposition websites that encouraged visitors to click on links that would infect their computers.
The hacking provided “actionable military intelligence for an immediate battlefield advantage” in the case of the planned Khirbet Ghazaleh attack.
It captured “the type of insight that can thwart a vital supply route, reveal a planned ambush and identify and track key individuals.”
In May 2013, the Syrian army stormed Khirbet Ghazaleh, which was rebel-held at the time and was being used to block the highway between Damascus and Daraa.
Syria’s conflict has involved other documented cases of cyber warfare, by both pro-regime and opposition activists.
Some of the most high-profile include attacks by the so-called Syrian Electronic Army, a group of pro-government hackers who have hijacked social media accounts belonging to media outlets and politicians, as well as high-profile websites, including those of the US Marines and the New York Times.
In August, whistleblower Edward Snowden revealed that a team of US National Security Agency (NSA) hackers had caused the Internet blackout Syria experienced in 2012, when a botched attempt to install surveillance software at the war-torn country’s main service provider, intended to let the NSA intercept most, if not all, of its communications, failed.
The most recent news of cyber warfare came on January 12, when a group declaring support for the Islamic State of Iraq and Syria (ISIS) hacked US Central Command’s (Centcom) Twitter and YouTube accounts, forcing the military to suspend the command’s Twitter feed.
In a propaganda setback for the US military, a black-and-white banner with the words “CyberCaliphate” and “I love you ISIS” replaced Central Command’s usual logo on Twitter and YouTube before the pages were suspended.
Central Command oversaw the wars in Iraq and Afghanistan and is managing the US airstrikes against ISIS.
Moreover, hackers claiming to be Islamists have hijacked hundreds of French websites since the attacks on the satirical weekly Charlie Hebdo, flooding them with jihadist propaganda.
“We can speak of cyber-jihad, and hacking is just the tip of the iceberg and also the least dangerous since the only consequence is the display of an ideology,” said Thierry Karsenti, European technical director at cybersecurity firm Check Point, at the time.
Hackers Steal Syrian Rebels Battle Plans: Security Firm | Al Akhbar English.