Abu Dhabi, UAESaturday 25 January 2020

How ‘honey trap’ hackers stole Syrian rebel war plans

US cybersecurity firm FireEye says hackers sent members of the Syrian opposition photos – purportedly of themselves – loaded with malware that stole information from the rebels' computers.
Syrian rebels hunt for snipers after attacking the municipality building in the city centre of Selehattin, near Aleppo, on July 23, 2012. Bulent Kilic/AFP Photo
Syrian rebels hunt for snipers after attacking the municipality building in the city centre of Selehattin, near Aleppo, on July 23, 2012. Bulent Kilic/AFP Photo

BEIRUT // Hackers targeted Syrian opposition members with online “honey traps,” posing as female supporters to steal battle plans and the identity of defectors.

A report released on Monday by US cybersecurity firm FireEye describes how the hacking operations in late 2013 and early 2014 targeted Syrian opposition fighters, media activists and humanitarian aid workers.

The company said it was unclear whether the information had been passed onto the Syrian government, and who the hackers were.

But the hacked material included a detailed opposition military plan to recapture the town of Khirbet Ghazaleh, strategically located in southern Daraa province, in 2013.

“The hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions,” the report said.

The hacking provided “actionable military intelligence for an immediate battlefield advantage” in the case of the planned Khirbet Ghazaleh attack, capturing “the type of insight that can thwart a vital supply route, reveal a planned ambush and identify and track key individuals.”

Despite the high-tech tools used in the attack, the hackers also relied on a well-worn tactic: the “honey trap.”

Targets were contacted on the online phone and chat service Skype by hackers posing as pro-opposition women.

They would ask the target whether they were on a smartphone or computer, apparently in a bid to tailor their attacks.

Then the hackers would send the target a photo of themselves loaded with malware that penetrated their personal files and stole information.

The method was particularly fruitful because Syrian opposition members were often sharing computers, meaning one machine yielded information from multiple victims.

Most of the data stolen was created between May 2013 and December 2013, but some of the stolen Skype chat logs went back to 2012 and others included information from as recently as January 2014.

The hackers also used other tactics, including creating fake social media accounts and Syrian opposition websites that encouraged visitors to click on links that would infect their computers.

In May 2013, regime troops stormed Khirbet Ghazaleh which was rebel-held at the time and being used to block the road between Damascus and Daraa.

The report was unable to identify where the hackers were based, or who they might have reported to.

But it noted that the hackers’ servers were based outside of Syria and they used tools and tactics that were different from other Syrian hackers.

Syria’s conflict has involved other documented cases of cyberwarfare, by both pro-regime and opposition activists.

Some of the most high-profile include attacks by the so-called Syrian Electronic Army, a group of pro-government hackers who have attacked websites and social media accounts belonging to media outlets and politicians.

* Agence France-Presse

Updated: February 2, 2015 04:00 AM