
Hackers used social engineering to glean military intel on Syrian opposition

Researchers have uncovered a hacking operation that was focused on collecting military intelligence for pro-Assad parties in the Syrian conflict.

On Monday, security firm FireEye released a report (PDF) detailing the threat group, which ultimately stole a cache of sensitive data that included documents and more than 31,000 logged Skype chat sessions, some of which revealed tactical battle plans against Syrian President Bashar al-Assad's forces. According to FireEye, the group's data exfiltration efforts took place between November 2013 and January 2014, with victims ranging from armed opposition members, to humanitarian aid workers and media activists in and outside of Syria.

The report, called “Behind the Syrian Conflict's Digital Front Lines,” also revealed that hackers used social engineering to distribute malware to their targets.

Using female Skype avatars, attackers posed as “seemingly sympathetic and attractive women,” who, at some point in the conversation, lured targets into opening personal photos which were actually malware.

The report noted that attackers often asked victims if they were on their computer or mobile device, so as to send the appropriate malware. It was the first time FireEye researchers observed a threat group targeting the Syrian opposition with Android malware, the report added.

Other malicious tools in the threat group's arsenal were the DarkComet remote access trojan (RAT) and a customized keylogger.

In a Monday interview, Nart Villeneuve, one of the researchers who co-authored the threat report, explained that attackers “wrapped [the RAT] in another piece of software that would inject DarkComet into the memory” of machines.

The custom dropper used to install DarkComet was one that researchers hadn't seen used by any other Syrian-related malware groups, Villeneuve said.

In the report, FireEye noted that the threat group was “likely able to acquire large collections of data by breaching only a relatively small number of systems due to the opposition's use of shared computers for satellite-based internet access.” And while it was hard for analysts to determine the exact number of victims in the campaign, Villeneuve estimated that 28 computers were compromised by the threat group, which left 64 Skype databases accessible to attackers, since multiple people used the same computers.

“They were also able to exfiltrate documents, like Excel sheets, and photos,” Villeneuve said in his interview.

In conclusion, the report highlighted the fact that the campaign was “not just cyberespionage aimed at achieving an information edge or strategic goal.”

“Rather, this activity, which takes place in the heat of a conflict, provides actionable military intelligence for an immediate battlefield advantage,” the report said, later adding that this “tactical edge comes with a potentially devastating human cost.” Military-related data netted by attackers included information about military hardware and the positions of fighting groups, the names of those fighting and their weapons systems, lists of refugee aid recipients and casualties, records for humanitarian efforts and funding, and political strategy and military planning communications.

In Appendix A of the report, researchers provided a detailed analysis of the malware used in the campaign, including attackers' Android backdoors, a keylogger, dubbed ONESIZE, and the custom dropper for DarkComet, called BLACKSTAR.

FireEye added that, while researching malicious activity traced back to the threat group, it “came across numerous references to Lebanon,” including a user in the country uploading test versions of malware used in the campaign, and chats where hackers (using social engineering ploys) said they were in Lebanon.

“Social media pages suggest that the [female] avatars are refugees in the country, or are Lebanese,” the report added.
