It began with one of the oldest tricks in the book, "pillow talk," but with a modern twist. A newly discovered cyberattack campaign provides a rare inside look at hacking operations for military advantage or sabotage.
Researchers from FireEye today published their findings on attacks against Syrian opposition forces that resulted in the theft of 7.7 gigabytes of data, including sensitive military operations plans, supply requirements, online credentials, and personal information and online conversations of anti-Assad regime operatives.
The attacks started with the attackers posing on Skype as young women sympathetic to the anti-Assad movement and targeting opposition group members. The phony female would initiate a chat conversation and dupe the victim into downloading her PDF-based photo, which, when opened, installed a remote access Trojan (RAT) and other malware to spy and steal information, including the victim's Skype account databases, from their computers and Android smartphones.
The phony females, who also had their own Facebook account profiles, even casually asked the victims whether they were on a computer or their Android phone so they could deliver the appropriate malware payload. The attackers also ran a website purporting to belong to the anti-regime opposition that served malware, along with Facebook profiles posting malware-laden links. The attacks and subsequent data theft appear to have occurred during the period of November 2013 through January 2014, according to FireEye.
"We were able to confirm cases from the exfiltrated [stolen] Skype chats where they used this tactic" of a phony female reaching out via Skype, says Nart Villeneuve, a security researcher with FireEye, which discovered the server of stolen information while studying malware that uses password-protected PDF files. "And the fake website delivered malware [via] videos and a Facebook phishing page set up to steal credentials and propagating links via Facebook profiles. We assume victims were probably compromised by a combination of these factors."
The attackers employed the infamous DarkComet RAT, as well as a custom keylogger and other tools with multiple shellcode payloads, according to FireEye. "They used a combination of publicly available and custom tools. Even the publicly available DarkComet was delivered using a custom dropper, which indicates the attackers have development capabilities or have access to developers who can produce this malware for them," Villeneuve says. And the tools were unlike any previously seen from attackers linked to the Syrian conflict, he says.
Offensively, the well-oiled operation targeting the Syrian government opposition forces and efforts was thorough and successful in gathering some valuable intelligence about the opposition forces' plans to attack Assad's forces, as well as personal information on Syrian refugees in Turkey and other nations, and media and communications operations. But when it came to protecting the information they stole, the attackers fell sadly short; the researchers found the stolen information on an FTP server sitting wide open on the Internet, without any credentials required to access it.
FireEye researchers had traced a malware sample to a specific command-and-control server, where they then discovered the FTP server hosting the stolen documents, plus the phony anti-regime website on the C&C server.
"It's interesting to look at their capabilities in terms of their ability to attack their targets: their skill levels in social engineering resources, and for tools. They have done a pretty good job on the attacking side. But on the defending side, they are certainly not as strong," Villeneuve says. "It shows you can be good at offense, but not on defense," he says.
The lack of sophistication when it comes to protecting their stolen booty is a common theme among "second-tier" attackers like this, says Rick Howard, CSO of Palo Alto Networks. "This has been my experience with the second-tier guys, not the government [nation-state] folks. They're pretty good hackers, but not security defenders," Howard says. And many cyber espionage groups out of China don't care about getting caught, either, he says.
Even so, the attacks are yet more evidence of the growing trend of rogue nations' interior ministries incorporating cyber counter-intelligence into their arsenal, says Tom Kellermann, chief cybersecurity officer at Trend Micro. "They have benefited from the military alliance with the Russians, which has bestowed technological capability to enhance traditional tradecraft."
As for the MO of the pro-Assad government attackers, Kellermann says it's not really surprising. "We had to have expected this type of dramatic evolution" of old-school "pillow talk," he says. "This attack is not as elegant" as that of a sophisticated nation-state, he says, but it reflects an evolution of rogue states and terrorist groups waging more than just propaganda attacks or money-laundering.
The hacking operation against the Syrian rebels went silent last year after FireEye first reported the rogue server to the German service provider hosting it. "We haven't been able to pick up their trail again," Villeneuve says.
An expert on cyber attacks against opposition groups and the media in Syria and Libya who co-authored the FireEye report says the attackers were careful to pick high-profile members of the Syrian government opposition, but they also caught others in their net, thanks to the common practice in Syria of sharing computers connected via satellite, a consequence of limited Internet access. John Scott-Railton, a research fellow with Citizen Lab at the University of Toronto, says the opposition leaders rely heavily on Skype for their communications. "The number of people of interest [the attackers breached] is pretty high. They got lucky in some cases, by targeting one person who was sharing a computer with others," Scott-Railton says.
Skype has for some time been a popular attack vector against Syrian government opponents. Two years ago, Malwarebytes published a report detailing how attackers used a compromised Skype account to lure victims to a "video" link about anti-government issues that ultimately downloaded remote access Trojans, including BlackShades and DarkComet. The Syrian rebels themselves also have been known to employ RATs, according to Malwarebytes.
Meanwhile, FireEye stopped short of attributing the attacks to the Syrian government or any sympathetic groups or nations. But there was a definite Lebanon connection, notes Scott-Railton. "It suggests a familiarity with Lebanese contacts and contracts," he says of the references they found.
The researchers spotted a user in Lebanon uploading what appeared to be test versions of the YABROD downloader and the CABLECAR malware launcher used in the attacks. There also are several references to Lebanon by the phony female Skype contacts, plus a reference to a training course for pro-Assad recruits that teaches the same types of tactics as those used in the attacks on the Syrian rebels. The references to Lebanon could well be false flags aimed at hiding the real attackers and their origins, however.
"Unlike other threat activity that we have profiled, this is not just cyber espionage aimed at achieving an information edge or a strategic goal. Rather, this activity, which takes place in the heat of a conflict, provides actionable military intelligence for an immediate battlefield advantage. It provides the type of insight that can thwart a vital supply route, reveal a planned ambush, and identify and track key individuals," the report says.