How digital "femmes fatales" stole the Syrian battle plans

There have been many femme fatale spy figures in history, most famously Mata Hari and perhaps most recently Anna Chapman. The "tradition" seems to continue in today's networked age, even if the "femmes fatales" who ensnared Syrian opposition figures, intercepting battle plans and other information of extreme importance to their operations against the Assad regime, existed only online.

According to an extensive study by the cyber-security company FireEye, between November 2013 and January 2014 unknown hackers stole large amounts of data, including documents and Skype discussions that revealed the opposition's general strategy, specific battle plans and supply needs, together with large volumes of personal data and chat records belonging to members of the forces fighting against the government of President Assad.


"Although we do not know who was behind this hacking activity, if these data were acquired by the Assad forces or their allies, they would have gained a significant advantage on the battlefield," the report states.

In this operation the perpetrators used a well-known tactic, one whose form has changed over the centuries but whose essence remains the same: luring (or "phishing") the targets through conversations with supposedly attractive women who appeared sympathetic to the Syrian opposition.


"A female avatar began chatting on Skype and shared a 'personal' photo of herself with the target. Before sending it, she typically asked what device the user was using, an Android phone or a computer, most likely in order to send malware specifically 'targeted' at that device. Once the target downloaded the malware-laden photo, the attackers gained access to the device, searched through its files, and selected and stole data that identified members of the opposition, their Skype logs, their contacts and a large number of documents that provided valuable information on military operations planned against President Assad's forces," the report says.

The findings are as follows:

    • Data stolen: The perpetrators took hundreds of files and 31,107 recorded Skype chats that included discussions about plans and logistical support for attacks against Assad.
    • Victims: Targets included armed opposition fighters, media activists, humanitarian workers and others. The victims were located in Syria, the wider region and beyond.
    • Tactics and techniques: The perpetrators used female avatars on Skype to start conversations with their targets and infect their devices with malware. "She" would ask whether the target was using Skype on an Android device or on a computer, in an attempt to send malware built specifically for that device. The perpetrators also maintained a seemingly pro-opposition website containing links to malicious downloads, as well as Facebook profiles with malicious links. They conducted these operations using servers located outside Syria.
    • Malware: The perpetrators used a wide range of malware tools, which implies access to development capabilities. They used both widely available and custom malware to "hit" their targets, including the DarkComet RAT, a specially configured keylogger, and tools carrying various shellcode payloads.
    • Possible sponsors: Although there are only limited indications as to the origin of the activity, FireEye's research found multiple references to Lebanon, both in the analysis of the malware and in the avatars' activity on social networks.

Types of information stolen

The unknown actors collected a significant amount of data, from Skype account databases to documents, drawings and photos. Most of these data were collected between May and December 2013. Some of the exfiltrated databases date back to 2012. "The perpetrators chose carefully what they stole; there were only a few cases where movies, empty files, licences, baby photos, school papers and other seemingly irrelevant material were downloaded."

The volume of data

The "X-ray" of the exfiltrated data was as follows: 7.7 GB of stolen data, 12,356 contacts, 64 Skype account databases, 31,107 conversations and 240,381 messages.

The primary objective was military information, and lists of names appeared to be of particular importance. There were dozens of lists naming fighters who were members of armed groups. Some lists included names and dates of birth, while others recorded the men's weapons and serial numbers, blood groups and phone numbers.

The perpetrators also stole lists of officers in the Assad forces and images of alleged Hezbollah fighters captured or killed in Syria, as well as images of men of fighting age with weapons or in paramilitary uniforms. Political chat logs were stolen too, in which the participants discussed alliances and criticised individuals. Some archives contained details of the opposition's political structures, including the formation of political parties. In addition, material on humanitarian activities in Syria and the surrounding countries, refugee data, data on media operations, and credentials that would allow opposition communications to be monitored over time were obtained.

Digital "seduction"


The use of female avatars was a key feature of the campaign, with the aim of starting conversations with men in the Syrian opposition on Skype and following up on Facebook. The avatars had names typical of the region and approached the victims with a series of personal questions. The first two were usually "how do you get on Skype? With a computer or with your phone?" and "how old are you?". The first is believed to have been intended to determine what kind of malware should be sent to compromise the target's device. The avatar then asked for a photo of the victim and sent a "personal photo" of herself in return. The "photo" was in fact an executable file which, when the user ran it, displayed a photo of a woman while dropping the DarkComet RAT in the background. From that point on, the victim's computer was under the perpetrators' control.
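The lure described above relies on a file that is presented as a photo but is actually a Windows executable. The following is an added example, not code from the article or from FireEye's report, of the basic check a defender can run on files received over chat: compare the type the name claims with the type the content actually has. The image signatures are real file-format magic bytes; the sample bytes, file names, and the `assess` verdicts are constructed for this example.

```python
# Added example: flag files whose name suggests an image but whose content is a
# Windows executable (the disguise used to deliver DarkComet in the campaign).
# Sample inputs are constructed here; the file names are hypothetical.
import struct

# Real header signatures for common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sniff_type(data: bytes) -> str:
    """Identify content by its header, not by its name."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    # DOS "MZ" stub; a real PE points from offset 0x3C to a "PE\0\0" header.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    return "unknown"


def assess(name: str, data: bytes):
    """Return (verdict, reason) for a received file."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)

    # Double extension such as photo.jpg.exe: looks like an image, runs as a program.
    if len(parts) >= 3 and "." + parts[-2] in IMAGE_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        return "suspicious", f"image-looking name with executable extension {ext}"
    # Name says image, header says executable.
    if ext in IMAGE_EXTENSIONS and actual in ("pe", "mz"):
        return "suspicious", f"extension {ext} but content is a Windows executable"
    # Name says image, but no image header at all.
    if ext in IMAGE_EXTENSIONS and actual == "unknown":
        return "suspicious", f"extension {ext} but no known image header"
    if actual in ("pe", "mz"):
        return "executable", "Windows executable"
    return "ok", (f"{actual} image" if actual != "unknown" else "unrecognised content")


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable program) for testing."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # bytes 0x00..0x3B
    header += struct.pack("<I", 0x40)            # e_lfanew at 0x3C
    header += b"PE\x00\x00"                      # PE signature at 0x40
    return bytes(header)


SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header

if __name__ == "__main__":
    for name, data in [
        ("photo.jpg", SAMPLE_JPEG),
        ("photo.jpg", build_fake_pe()),
        ("photo.jpg.exe", build_fake_pe()),
        ("tool.exe", build_fake_pe()),
    ]:
        print(name, "->", assess(name, data))
```

The check deliberately trusts the header over the name, so a renamed executable is caught regardless of which shell trick (double extension, misleading icon) is used to get the user to run it. It is a first-line triage step, not a replacement for scanning the file in a sandbox.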

The other personal questions are believed to have helped the perpetrators gather information about the target. Occasionally, conversations with victims resumed after a long absence in order to collect additional details.

Origin

The perpetrators' tools and tactics differ from those used by other Syrian groups. Moreover, there are indications that the group may be based outside Syria.

The malware used does not share command-and-control servers with related activity recorded by companies and organisations such as Kaspersky, Trend Micro, Citizen Lab and the Electronic Frontier Foundation. Additionally, the activity is inconsistent with the tactics and tools associated with ISIS-related activity. The evidence found points towards Lebanon, as there are several indications, some of them on social media pages, suggesting that the avatars belong to refugees in that country or to Lebanese citizens.

Conclusions

As the report emphasises in its conclusion, in contrast to other activity that has been recorded, "this is not simply cyber espionage aimed at gaining an informational advantage or achieving a strategic goal. Instead, the activity in question, which takes place in the midst of an ongoing conflict, provides useful military information that can be exploited for immediate battlefield advantage. It provides the kind of information that can cut off a vital supply route, uncover a planned ambush, and identify and enable the tracking of important individuals. This information likely plays an important role in the adversary's operational plans and tactical decisions. However, this tactical advantage comes at a likely devastating human cost."

Huffingtonpost
