Monday, February 2, 2015

Hackers Use Old Lure on Web to Help Syrian Government

WASHINGTON — To the young Syrian rebel fighter, the Skype message in early December 2013 appeared to come from a woman in Lebanon, named Iman Almasri, interested in his cause. Her picture, in a small icon alongside her name, showed a fair-skinned 20-something in a black head covering, wearing sunglasses.

They chatted online for nearly two hours, seemingly united in their opposition to the rule of Bashar al-Assad, the Syrian leader still in power after a civil war that has taken more than 200,000 lives. Eventually saying she worked “in a programming company in Beirut,” the woman asked the fighter whether he was talking from his computer or his smartphone. He sent her a photo of himself and asked for another of her in return. She sent one immediately, apologizing that it was a few years old.

“Angel like,” he responded. “You drive me crazy.”

What the fighter did not know was that the file sent as the second photo carried a particularly potent piece of malware that copied files from his computer, including tactical battle plans and troves of information about him, his friends and fellow fighters. The woman was not a friendly chat partner, but a pro-Assad hacker — the photos all appear to have been plucked from the web.

The Syrian conflict has been marked by a very active, if only sporadically visible, cyberbattle that has engulfed all sides, one that is less dramatic than the barrel bombs, snipers and chemical weapons — but perhaps just as effective. The United States had deeply penetrated the web and phone systems in Syria a year before the Arab Spring uprisings spread throughout the country. And once the uprising began, Mr. Assad’s digital warriors were out in force, looking for any advantage that could keep him in power.

In this case, the fighter had fallen for the oldest scam on the Internet, one that helped Mr. Assad’s allies. The chat is drawn from a new study by the intelligence-gathering division of FireEye, a computer security firm, which has delved into the hidden corners of the Syrian conflict — one in which even a low-tech fighting force has figured out a way to use cyberespionage to its advantage. FireEye researchers found a collection of chats and documents while researching malware hidden in PDF files, a format commonly used to share letters, books and other documents. That work led them to the servers where the stolen data was stored.
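The two lures in this story, a “photo” that is really a program and a PDF that carries something besides text, can both be caught by looking at the bytes rather than the filename. The Python below is an added example, not code from the article or from FireEye’s report; the magic-number table, the list of PDF name objects and every sample byte string in it are constructed for illustration, and the function names are mine. It flags an image whose leading bytes are a Windows executable, a double extension or right-to-left-override trick in the name, a real JPEG with a payload appended after its end-of-image marker, and PDF objects such as /OpenAction and /JavaScript that run when the document is opened.

```python
"""Triage of files received over chat: is the "photo" really an image, and
does the PDF carry active content?  Added example, not code from the article
or from FireEye's report.  Every sample byte string below is constructed."""
import re

# Leading bytes ("magic") of the formats this story mentions.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),           # Windows executable, including self-extracting archives
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF-", "pdf"),
]
IMAGE_EXTS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# PDF name objects that run code or drop files when the document is opened.
# Plain byte matching is a first pass only: names can be hex-escaped (/J#61vaScript)
# or hidden inside compressed object streams, which this check does not decode.
PDF_ACTIVE = [
    ("/OpenAction", rb"/OpenAction"),
    ("/AA", rb"/AA\b"),
    ("/JavaScript", rb"/JavaScript"),
    ("/JS", rb"/JS\b"),
    ("/Launch", rb"/Launch"),
    ("/EmbeddedFile", rb"/EmbeddedFile"),
    ("/RichMedia", rb"/RichMedia"),
]


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    name = filename.lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    # Name tricks: "photo.jpg.exe", or a right-to-left override that makes
    # "photo\u202egpj.scr" display as "photorcs.jpg".
    if "\u202e" in filename:
        findings.append("filename contains a right-to-left override character")
    if len(parts) > 2 and parts[-2] in IMAGE_EXTS and ext in EXEC_EXTS:
        findings.append(f"double extension .{parts[-2]}.{ext}")

    # Content tricks: the extension says image, the bytes say otherwise.
    if ext in IMAGE_EXTS and kind != IMAGE_EXTS[ext]:
        findings.append(f"extension .{ext} claims {IMAGE_EXTS[ext]} but content is {kind}")
    if kind == "pe":
        findings.append("content is a Windows executable")

    # A genuine JPEG with a payload stapled after its end-of-image marker.
    if kind == "jpeg":
        eoi = data.rfind(b"\xff\xd9")
        if eoi == -1:
            findings.append("jpeg has no end-of-image marker")
        else:
            trailing = len(data) - (eoi + 2)
            if trailing > 4:  # a few trailing bytes are normal; kilobytes are not
                findings.append(f"{trailing} bytes appended after jpeg end-of-image marker")

    if kind == "pdf":
        for label, pattern in PDF_ACTIVE:
            if re.search(pattern, data):
                findings.append(f"pdf contains {label}")
    return findings


# Constructed samples: a bare PE stub named as a photo, a minimal JPEG, and a PDF
# whose catalog runs JavaScript on open.  None of these is a real captured file.
FAKE_PHOTO = b"MZ\x90\x00" + b"\x00" * 60
MINIMAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
ARMED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
             b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", FAKE_PHOTO), ("photo.jpg", MINIMAL_JPEG),
                        ("photo.jpg", MINIMAL_JPEG + FAKE_PHOTO), ("plan.pdf", ARMED_PDF)]:
        print(fname, sniff(blob), triage(fname, blob))
```

The check is deliberately cheap, the sort of thing a chat client or mail gateway could run before a file is ever opened. Its limits are the ones noted in the comments: a PDF can spell its names with hex escapes or pack them into compressed object streams, and a self-extracting archive that shows a genuine picture while dropping a remote-access tool still starts with “MZ”, which is exactly why the magic-number test, not the extension, has to be the one that decides.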

Like the hackers who the United States says were working for North Korea when they attacked Sony Pictures in November, the assailants aiding Mr. Assad’s forces in this case took steps to hide their true identities.

The report says the pro-Assad hackers stole large caches of critical documents revealing the Syrian opposition’s strategy, tactical battle plans, supply requirements and data about the forces themselves — which could be used to track them down. But it is not evident how or whether this battlefield information was used.

“You’ve got a conflict with a lot of young, male fighters who keep their contacts and their operations on phones in their back pockets,” said one senior American intelligence official who spoke on the condition of anonymity to discuss espionage matters. “And it’s clear Assad’s forces have the capability to drain all that out.”

Mr. Assad was also the victim of cyberattacks, but of a far more advanced nature.

A National Security Agency document dated June 2010, written by the agency’s chief of “Access and Target Development,” describes how shipments of “computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted” by the agency. The document, published recently by Der Spiegel, the German magazine, came from the huge trove taken by Edward J. Snowden; this one shows a photograph of N.S.A. workers slicing open a box of equipment from Cisco Systems, a major manufacturer of network equipment.

Once the boxes were opened, electronic “beacon implants” were placed in the circuitry. One set of devices was “bound for the Syrian Telecommunications Establishment to be used as part of their Internet backbone,” the document reveals. To the delight of American intelligence agencies, they soon discovered they had access to the country’s cellphone network — enabling American officials to figure out who was calling whom, and from where.

Such interceptions are still highly classified; the United States government has never discussed its access to the Assad communications network. But the FireEye report, which will be released on Monday, makes it clear that such “network exploitation” is now a routine part of even the most low-tech, if brutal, civil wars, and available to those operating on a shoestring budget.

And that is a new development. The theft of the rebel battle plans stands in contrast to the cybervandalism carried out in recent years by the Syrian Electronic Army, which American intelligence officials suspect is actually Iranian, and has conducted strikes against targets in the United States, including the website of The New York Times. But mostly these have been defacements and hijackings of websites and social media accounts (the Times outage came from a hijack of its domain records at the registrar, not a break-in at the paper), which are annoying but not potential game-changers on the battlefield.

Exactly who conducted the hacking on behalf of Mr. Assad’s forces remains a mystery, as does whether the stolen data was ever used by the Syrian military. One of the authors of the report, Nart Villeneuve, a threat intelligence analyst for the company, said that it was likely that the hackers were based in Lebanon — which would be the only true statement in the chat with the Syrian fighter. They used a computer server in Germany, where FireEye found many of their chats in unprotected directories. A handful of the targets of the Syrian operation were contacted in recent months by FireEye researchers. “They really didn’t understand what had happened,” Mr. Villeneuve said. “They didn’t know their computers and phones had been compromised.”

But if information was forwarded to Mr. Assad’s forces, it would have provided his troops or their allies with important intelligence and a critical battlefield advantage, according to analysts and Syrian military specialists.

“This activity, which takes place in the heat of a conflict, provides actionable military intelligence for an immediate battlefield advantage,” the FireEye report concluded. “It provides the type of insight that can thwart a vital supply route, reveal a planned ambush, and identify and track key individuals.”

By mid-2013, according to the information that FireEye recovered, 10 rebel groups fighting Mr. Assad’s regime were planning a major operation intended to reclaim from Syrian government forces a key portion of territory along a strategic north-south highway linking Damascus, the capital, with Jordan.

The plans called for retaking the town of Khirbet Ghazaleh, a strategic gateway to the major city of Daraa. In May 2013, Syrian troops had seized control of the town near the highway.

“The Assad regime’s biggest vulnerabilities over the last year have been in south Syria, so disrupting that operation would be key to the regime fending off an attack on Damascus from the south — the traditional route for invading armies,” said Andrew J. Tabler, a Syria specialist at the Washington Institute for Near East Policy. Mr. Tabler said he was not aware of the stolen information.

According to FireEye, which merged last year with the Mandiant Corporation (the company that tracked Unit 61398, the Chinese Army’s hacking unit), the rebels shared photocopied battle plans, adding defensive embankments in red ballpoint pen and storing the annotated plans electronically as pictures taken with their cellphones. They prepared for a battle involving 700 to 800 men, who were divided into groups to launch separate attacks, including an ambush. They used Google Earth to map their defensive lines and communicate grid coordinates.

They mapped locations for reserve fighters, staging areas and support personnel; settled on a field operations area; and planned supply routes for their forces, according to FireEye. Commanders received stern instructions not to make any “individual” decisions without approval from rebel superiors.

The battle details that the security firm recovered are impressive. The rebels, who are not identified, would begin the attack with 120-millimeter mortar fire, followed by an assault against key Syrian Army locations. They drew up lists of men from each unit, with names, birth dates and other identifying information. But they stored them on their phones and laptops, and those devices were vulnerable to slightly customized versions of commercially available malware.

“It’s the democratization of intelligence,” said Laura Galante, a former Defense Intelligence Agency analyst who now works for FireEye and oversaw the Syria work. “We in the private sector can see some of this, and adversaries can steal it in a wholesale way and understand the full picture of an operation.”

And perhaps they can even stop an operation. The retaking of Khirbet Ghazaleh never materialized, Syria analysts say. It is unclear whether Syrian authorities thwarted the plot before it could be carried out, or if the rebels aborted the plan, perhaps suspecting the hacking or for some other reason.
