Skype hackers breach Syria battlefield intelligence

News by Adrian Bridgwater

An unspecified cyber-espionage group has reportedly used Skype and social media to steal battle plans belonging to opponents of Syrian president Bashar Al-Assad according to a report issued by FireEye.

The cyber-security detection company suggests that the compromised data belongs to opponent forces as well as media activists and humanitarian aid workers. has learned that the ‘Behind the Syrian Conflict's Digital Front Lines' report points to work carried out by a cyber-espionage group whose tactics included ensnaring victims through conversations with apparently compassionate and attractive women.

As the conversations progressed, hackers operating the female avatars and virtual persona would offer up a personal photograph file pre-loaded with malware to infiltrate a target's computer or Android phone.

Socially awkward, militarily speaking

“In the course of our threat research, we found this activity focused on the Syrian opposition, showing another innovative way threat groups have found to gain the advantage they seek,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims' machines and steal military information that would provide an advantage to President Assad's forces on the battlefield.”

Between dates estimated to stretch from November 2013 and January 2014, the unnamed group stole a cache of what are thought to be critical documents and Skype conversations revealing the Syrian opposition's strategy, tactical battle plans, supply needs and personal information.

In terms of methods and tactics here - over the course of a Skype conversation the attacker would ask the victim what type of device the (invariably male) user was using to chat. By determining whether it was a phone or a computer, the hackers would then send appropriately tailored malware.

Shellcode payload magnitude

The hackers employed a diverse malware toolset that implies some access to development resources. They used both widely available and custom-tailored malware to breach their targets including the DarkComet RAT, a customised keylogger. DarkComet is a widely available, stable, and easy-to-use remote administration tool (RAT) that allows a threat actor to control a compromised system. They also used tools with different shellcode payloads to differ the potential exploitation magnitude in each case.

Writing in the New York Times on this story, David E. Sanger and Eric Schmitt said that the Syrian conflict has been marked by a “very active, if only sporadically visible cyber-battle” that has engulfed all sides. “[This battle is] one that is less dramatic than the barrel bombs, snipers and chemical weapons — but perhaps just as effective. The United States had deeply penetrated the web and phone systems in Syria a year before the Arab Spring uprisings spread throughout the country. And once it began,  Assad's digital warriors have been out in force, looking for any advantage that could keep him in power.”

This latest round of strategic cyber-espionage comes in the wake of what is obviously huge unrest in the region and further upsets caused by the so-called Syrian Electronic Army. This non-violent pro-governmental group has gained notoriety for hacking, defacement activities, distribution of malware, denial of service attacks and phishing.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews