Figures of frightening spy women have been many in history, most notably that of Mata Hari and perhaps more recently that of Anna Chapman. "Tradition" seems to continue in the current, networked era, even if the "frenzied women" trapped by members of the Syrian opposition, intercepting battle plans and other extremely important elements for their operations against the Assad regime.
According to extensive study of cyber-security company Fire Eye, between November 2013 and January of 2014, unknown hackers stole large amounts of data, including documents and discussions via Skype that revealed the general opposition strategy, regular battle plans, supply needs, and large volumes of personal data and records chats that belonged to men of the forces that were fighting against the government powers of President Assad.
"Although we do not know who was doing this hacking business, if these data were acquired by the Assad forces or their allies, they would have gained a significant advantage in the battlefield," he said.
In the context of this operation, its perpetrators used a well-known tactic, which may have changed over the centuries, but in essence remains unchanged: trapping (or "fishing") the targets through discussions with (supposed) attractive women , which appeared positively adjacent to the Syrian opposition.
“A female avatar would start a Skype conversation and share a 'personal' photo of herself with the target. Before sending it, it usually asked what device the user was using – an Android phone or computer- in all probability seeking to send specially "targeted" malicious software (malware). Once the target downloaded the malware-laden photo, the attackers would gain access to their device, search through their files and select and steal data identifying members of the opposition, their Skype chat logs and contacts, and a large number of documents that provided valuable information about military operations being planned against President Assad's forces," the investigation said.
The findings are as follows:
- Data stolen: The attackers stole hundreds of files and 31.107 recorded Skype chats that included discussions about plans and accounting support of attacks against Assad's forces
- Victims: Targets included armed opposition fighters, media activists, humanitarian workers, and others. The victims were in Syria, the wider area and beyond
- Tactics and techniques: The perpetrators used female avatars on Skype to initiate discussions with their targets and infect their devices with malware. "She" was asking if she was using Skype on an Android or computer device in an attempt to send malware specifically designed for the device. Also, the perpetrators kept a seemingly friendly opposition site, containing links to malicious downloads and Facebook profiles, also with malicious links. They conducted these operations using servers that were located outside Syria.
- malware: The perpetrators used a wide range of malware "tools", implying access to development capabilities. They used so widely available as well as custom malware to hit their targets, including the DarkComet RAT, a specially configured keylogger, as well as media with different shellcode payloads.
- Possible Sponsors: Although there are only limited indications as to the origin of the activity, Fire Eye's research has indicated multiple references to Lebanon - both in the context of the malware study and the activity of avatars on social networks.
Types of information stolen
The unknown actors collected a significant amount of data, from databases for Skype accounts to drawing and photo documents. Most of these data were collected from May 2013 to December of the same year. Some of the databases that have been overwhelmed refer to 2012. "The perpetrators carefully chose what they stole, there were only a few cases where movies, empty files, licenses, baby photos, school papers, and other seemingly irrelevant materials were downloaded.
The volume of data
The "X-ray" of the data overcrowded was as follows: 7,7 GB stolen data, 12.356 contacts, 64 databases from Skype accounts, 31.107 conversations, 240.381 messages.
The primary objective was military information, while names with names lists seemed to be of particular importance. There were dozens of lists of fighter names that were members of armed groups. Some lists included birth names and dates, while others contained men's weapons and serial numbers, blood groups, and phone numbers.
The perpetrators also stole lists of officers in the Assad forces and images of alleged Hezbollah fighters captured or killed in Syria, as well as images of men of aging with weapons or paramilitary uniforms. Also, political chat logs were stolen, as the interlocutors discussed alliances and criticized individuals. Some archives have details of the political structures of the opposition, including political party formations, and so on. In addition, material on humanitarian activities in Syria and surrounding countries, refugee data, data on media operations, and certificates that would allow the monitoring of opposition communications over time have been obtained.
Digital "seduction"
The use of female avatars has been a key feature of the campaign, with the aim of launching talks with men in the Syrian opposition on Skype and following an interlink on Facebook. The avatars had names that were true to the region and approached the victims with a series of personal questions. The first two were usually "how do you get into Skype?
With your computer or your phone? "And" How old are you? " The first is thought to have been aimed at detecting what kind of malware should be sent for violation of the target device. They then asked for a photograph of the victim and sent a woman's "personal photo" in return. The "photograph" was actually an executable file, which even when the user was running a photo of a woman was being photographed while the DarkComet RAT was passing behind. From then on, the victim's computer was under the control of the perpetrators.
Other personal questions are believed to help the perpetrators gather information about the target. Occasionally, discussions with victims continued again after an absence for a long period of time to collect additional details.
Origin
The means and tactics of the perpetrators contradict ways used by other Syrian groups. In addition, there are indications that the organization may have its headquarters outside Syria.
The malware used does not share administration servers and control (command&control servers) with corresponding activity recorded by companies such as Kaspersky, Trend Micro, CitizenLab and the Electronic Frontier Foundation. Additionally, the activity is inconsistent with tactics or means associated with ISIS-related activity. Clues found point in the direction of Lebanon, as there are several reports, with some of them on social media pages suggesting that the avatars belong to refugees in the country, or Lebanese citizens.
Conclusions
As emphasized at the end of the investigation, in contrast to other activities that have been recorded, "this is not simply cyber espionage aimed at gaining an informational advantage or achieving a strategic goal. Instead, the activity in question, which takes place in the midst of an ongoing conflict, provides useful military information that can be exploited for immediate battlefield advantages. It provides the kind of information that can cut off a vital supply route, uncover a planned ambush, and identify and enable the tracking of important individuals. This information likely plays an important role in the adversary's operational plans and tactical decisions. However, this tactical advantage comes at a likely devastating human cost."
