FireEye, the leader in stopping today’s advanced cyber attacks, has released “Behind the Syrian Conflict’s Digital Front Lines,” a report from the FireEye Threat Intelligence team detailing the activities of a cyber-espionage group that stole Syrian opposition’s strategies and battle plans. To undertake this operation, the threat group employed a familiar tactic: ensnaring its victims through conversations with seemingly sympathetic and attractive women. As the conversations progressed, the “women” would offer up a personal photo, laden with malware and developed to infiltrate the target’s computer or Android phone.
“In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”
Between at least November 2013 and January 2014, the group stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions. This data belonged to the men fighting against Syrian President Bashar al-Assad’s forces as well as media activists, humanitarian aid workers, and others within the opposition located in Syria, the region and beyond.
During analysis by FireEye Threat Intelligence, a unique tactic of the threat group was uncovered. Over the course of a Skype conversation the attacker would ask the victim what type of device he was using to chat. By determining whether it was an Android phone or a computer, the hackers would then send appropriately tailored malware.
FireEye Threat Intelligence has found limited indications about the threat group’s origins, but if the data was acquired by President Assad’s forces or allies, it would benefit his military efforts.
Stolen data includes:
- Battle plans and maps
- Supply needs and routes
- Weaponry and ammunition lists
- Personal information of, and chat sessions with, men fighting against President Assad’s forces
The full report is available here:
Indicators of Compromise associated with this activity are available at: https://github.com/fireeye/iocs/master/BlogPosts.