Syria's cyberwars: using social media against dissent

Even so, social networks and blogs in Syria have not had quite the same impact they have had in Iran and Egypt, according to Baiazy. The Internet is "still accessible by a relatively small portion of the Syrian population, and it is still limited to the elite,” he writes. Just 16.4 percent of the Syrian population has Internet access, compared with 47 percent in Iran.

With Syrian activists being detained in large numbers, there are concerns that at least some portion of those are being identified by government-sponsored hackers, says Eva Galperin, with Electronic Frontier Foundation, an Internet rights group.

Human Rights Watch has identified some 20 different torture centers in Syria. So the potential consequences for someone whose computer becomes "infected by malware written by someone in the employ of Syrian security forces are dire," Ms. Galperin says. 

"It's clear that the Assad regime has learned lessons from Libya, Tunisia, and Egypt, and that's why they are pursuing this tactic," she says. "Using malware to infiltrate individuals' computers is a characteristic of the Syrian conflict that's not been widely seen in other Arab Spring uprisings."

To watch dissidents’ activities online, the Assad government has deployed Branch 225, the secret Syrian communications security department in charge of Internet monitoring, according to both Baiazy's study and Mr. Zaluski. As part of that effort, Syria last year purchased millions of dollars of Internet filtering equipment – much of it made in the United States and Europe – to track communications to Facebook and other sites. 

But all that high-tech equipment has proved increasingly less effective since Facebook, Twitter, YouTube, Google and others began encrypting by default communications between their sites and users' computers, Galperin and other experts say. 

As a result, Syria's government is resorting to state-supported actors who are launching attacks that take over online accounts without the user knowing it. In other cases it's meant forging fake Facebook pages to steal activists’ passwords. Security forces have also used torture against captured opponents to obtain the passwords to their Facebook and e-mail accounts, Baiazy reports. 

Amid this turmoil, the Syrian Electronic Army, a hacker militia loyal to the Assad regime, has come to the fore. It is this latter group that infiltrates opposition computers directly that's apparently moving hard after activists' identities by taking spyware available on the Internet and customizing it to be invisible to anti-virus security. 

"What we've seen in Syria is a campaign targeting activists with surveillance malware," says Morgan Marquis-Boire, a cybersecurity researcher with Citizen Lab, a Toronto-based computer security think tank.

His research, which has involved analyzing malware captured on the hard drives of Syrian activists, has identified 16 separate types of malicious software. All of those have at their core the purpose of delivering into the computer another nasty piece of malware called a "remote access trojan" or RAT. Once activated, the RAT sends information to computers located within Syria's telecom service.

Several RATs are being used. One in particular, called DarkComet, is frequently delivered by a compromised Skype account belonging to a trusted friend, Mr. Marquis-Boire says. In that way many are infected.

Once established, DarkComet gives control of the machine to the hacker  who can then order the computer to record keystrokes, capture passwords, or activate the machine's webcam or microphone. Or it can send personal information and e-mail address books back to Syrian authorities.

"We have found that Facebook and other forums that carry the comments of pro-Syria liberation groups frequently are seeded with videos of atrocities in Homs that also include malware," Mr. Marquis-Boire says. "It's dangerous to trust too much what you find online."

Previous

1 | 2