Dark Reading, Mobile

2/2/2015 05:45 PM
Syrian Opposition Forces Social-Engineered And Hacked

Researchers uncover trove of sensitive information and details of Syrian government opposition plans and players -- pilfered by pro-Assad government hackers.

It began with one of the oldest tricks in the book, "pillow talk," but with a modern twist. A newly discovered cyberattack campaign provides a rare inside look at hacking operations for military advantage or sabotage.

Researchers from FireEye today published their findings on attacks against Syrian opposition forces that resulted in the theft of 7.7 gigabytes of data, including sensitive military operations plans, supply requirements, online credentials, and personal information and online conversations of anti-Assad regime operatives.

The attacks began with the attackers posing on Skype as young women sympathetic to the anti-Assad movement and targeting opposition group members. The phony female would initiate a chat conversation and dupe the victim into downloading her PDF-based photo, which, when opened, installed a remote access Trojan (RAT) and other malware to spy on the victim and steal information, including the victim's Skype account databases, from their computers and Android smartphones.

The phony females, who also had their own Facebook account profiles, even casually inquired of the victims whether they were on a computer or their Android phone so they could deliver the appropriate malware payload. The attackers also ran a website purporting to belong to the anti-regime opposition that contained malware, along with Facebook profiles carrying malware-laden links. The attacks and subsequent data theft appear to have occurred between November 2013 and January 2014, according to FireEye.

"We were able to confirm cases from the exfiltrated [stolen] Skype chats where they used this tactic" of a phony female reaching out via Skype, says Nart Villeneuve, a security researcher with FireEye, which discovered the server of stolen information while studying malware that uses password-protected PDF files. "And the fake website delivered malware [via] videos and a Facebook phishing page set up to steal credentials and propagating links via Facebook profiles. We assume victims were probably compromised by a combination of these factors."  

The attackers employed the infamous DarkComet RAT, as well as a custom keylogger and other tools with multiple shellcode payloads, according to FireEye. "They used a combination of publicly available and custom tools. Even the publicly available DarkComet was delivered using a custom dropper, which indicates the attackers have development capabilities or have access to developers who can produce this malware for them," Villeneuve says. The tools were unlike any previously seen from attackers linked to the Syrian conflict, he says.

Offensively, the well-oiled operation targeting the Syrian government opposition forces was thorough and successful in gathering valuable intelligence about the opposition's plans to attack Assad's forces, as well as personal information on Syrian refugees in Turkey and other nations, and details of media and communications operations. But when it came to protecting the information they stole, the attackers fell sadly short: the researchers found the stolen information on an FTP server sitting wide open on the Internet, with no credentials required to access it.

FireEye researchers had traced a malware sample to a specific command-and-control server, where they then discovered the FTP server hosting the stolen documents, plus the phony anti-regime website on the C&C server.

"It's interesting to look at their capabilities in terms of their ability to attack their targets--their skill levels in social engineering resources, and for tools. They have done a pretty good job on the attacking side. But on the defending side, they are certainly not as strong," Villeneuve says. "It shows you can be good at offense, but not on defense," he says.

The lack of sophistication when it comes to protecting their stolen booty is a common theme among "second-tier" attackers like this, says Rick Howard, CSO of Palo Alto Networks. "This has been my experience with the second-tier guys--not the government [nation-state] folks. They're pretty good hackers, but not security defenders," Howard says. And many cyber espionage groups out of China don't care about getting caught, either, he says.

Even so, the attacks are yet more evidence of the growing trend of rogue nations' interior ministries incorporating cyber counter-intelligence into their arsenal, says Tom Kellermann, chief cybersecurity officer at Trend Micro. "They have benefited from the military alliance with the Russians, which has bestowed technological capability to enhance traditional tradecraft."

As for the MO of the pro-Assad government attackers, Kellermann says it's not really surprising. "We had to have expected this type of dramatic evolution" of old-school "pillow talk," he says. "This attack is not as elegant" as that of a sophisticated nation-state, he says, but it reflects an evolution of rogue states and terrorist groups waging more than just propaganda attacks or money-laundering.

The hacking operation against the Syrian rebels went silent last year after FireEye first reported the rogue server to the German service provider hosting it. "We haven't been able to pick up their trail again," Villeneuve says.

An expert on cyber attacks against opposition groups and the media in Syria and Libya who co-authored the FireEye report says the attackers were careful to pick high-profile members of the Syrian government opposition, but they also caught others in their net, thanks to the common practice of computer-sharing via satellite in Syria, due to limited Internet access. John-Scott Railton, a research fellow with Citizen Lab at the University of Toronto, says the opposition leaders rely heavily on Skype for their communications. "The number of people of interest [the attackers breached] is pretty high. They got lucky in some cases, by targeting one person who was sharing a computer with others," Railton says.

Skype for some time has been a popular attack vector against Syrian government opponents. Two years ago, Malwarebytes published a report detailing how attackers employed a compromised Skype account that lured victims to a "video" link about anti-government issues that ultimately downloaded a remote access Trojan, including BlackShades and DarkComet. The Syrian rebels themselves also have been known to employ RATs, according to Malwarebytes.

Meanwhile, FireEye stopped short of attributing the attacks to the Syrian government or any sympathetic groups or nations. But there was a definite Lebanon connection, notes Railton. "It suggests a familiarity with Lebanese contacts and contracts," he says of the references they found.

The researchers spotted a user in Lebanon uploading what appeared to be test versions of the YABROD downloader and CABLECAR malware launcher used in the attacks. There also are several references to Lebanon by the phony female Skype connections, plus a reference to a training course for pro-Assad recruits that uses the same types of tactics as those used in the attacks on the Syrian rebels. The references to Lebanon could well be false flags aimed at hiding the real attackers and their origins, however.

"Unlike other threat activity that we have profiled, this is not just cyber espionage aimed at achieving an information edge or a strategic goal. Rather, this activity, which takes place in the heat of a conflict, provides actionable military intelligence for an immediate battlefield advantage. It provides the type of insight that can thwart a vital supply route, reveal a planned ambush, and identify and track key individuals," the report says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Kelly Jackson Higgins,
User Rank: Strategist
2/4/2015 | 8:55:03 AM
Re: Anonymity
The psychological angle here is interesting to consider, too, isn't it? Even though cyberattacks seem sort of mechanical, there are people behind them, so psychology is a part of the equation. 
RyanSepe,
User Rank: Ninja
2/4/2015 | 8:27:49 AM
Re: Anonymity
@Kelly Jackson Higgins. I would definitely agree. A false flag seems highly probable when launching this type of data exfiltration technique. That, and to your other point, I would say if the previous statement is not the case, then most likely they didn't care what happened to the data after they acquired it. Either it already served its purpose or there was some ulterior motive.

Kelly Jackson Higgins,
User Rank: Strategist
2/3/2015 | 3:58:31 PM
Re: Anonymity
Yep, @Marilyn! Plus I am a little skeptical of all of the Lebanon references...could be a false flag. OR they didn't care about attribution, either.

Marilyn Cohodas,
User Rank: Strategist
2/3/2015 | 3:56:19 PM
Re: Anonymity
Or they wanted someone to know that they were there ...

Kelly Jackson Higgins,
User Rank: Strategist
2/3/2015 | 3:42:27 PM
Re: Anonymity
True that, @RyanSepe. And what also was interesting was how the attackers didn't bother to lock down the stolen data: FireEye's researchers were able to see/grab it from the FTP server, which wasn't credential-protected. They either didn't know or didn't care if anyone found it.

RyanSepe,
User Rank: Ninja
2/3/2015 | 3:40:41 PM
Anonymity
These types of instances prove that you never truly know who is on the other side of cyberspace. But I would say it's a safe assumption that security best practices were not employed here.