How Syrian rebel fighters fell for 'honey trap' hackers

Syrian pro-government hackers stole critical information from Syrian opposition forces using a time-honored trick, according to a new report. Will the future of cyber warfare rely on Mata Hari hackers?

Khalil Ashawi/Reuters/File
Fighters from the Suqour al-Sham Brigade, which is part of the Free Syrian Army, take cover from snipers behind a tank during what activists said were clashes with forces of Syria's President Bashar al-Assad in western Idlib on Jan. 30. Less visible are the battles raging online, where both sides have taken to push their messages to the public and glean critical information about each other.

The scene is something out of a hacker flick: Unsuspecting victim divulges key information while chatting online with a beautiful woman, who turns out to be the enemy in disguise.

That’s exactly how it played out for rebel fighters in the midst of the Syrian civil war, according to a report released this month by FireEye, a California-based computer security firm. Between at least November 2013 and January 2014, the report found, pro-government hackers stole hundreds of documents and thousands of Skype conversations containing battle plans, supply route details, and personal information from opposition forces in and around Syria.

Their method: the old 'honey trap' ruse.

A hacker, using a fake Skype or Facebook profile, would strike up a conversation with a target and invite him to swap photos. The hacker’s photo, invariably that of an attractive woman, would contain malware that once downloaded by the target would copy chat logs, tactical strategies, and contact details from the target’s device, according to FireEye's research.

Like bees to honey, young Syrian fighters chatted up these hackers, unwittingly giving up valuable personal and military information.
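The lure described above works because a file that looks like a photo is actually a program. As an added illustration (not code from the article or from FireEye's report), the following defender-side check shows the kind of sanity test a chat client or mail gateway can run on an incoming "photo": the file's leading bytes are compared with the magic numbers real image formats start with, and names with a second, executable extension (such as `photo.jpg.scr`) or a Windows executable header are flagged instead of opened. All sample files are constructed inline; the function and verdict names are this example's own.

```python
"""Added example (not from the article or FireEye's report): a small
defender-side check for the "photo that is really malware" lure. A file
that claims to be an image is compared against the magic bytes an image
actually starts with; a Windows executable (MZ header) or a double
extension such as `photo.jpg.exe` is flagged rather than opened.
All sample files below are constructed inline."""

import os

# Leading bytes ("magic numbers") of common image formats.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that make the operating system run the file instead of displaying it.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of 'image', 'executable', 'double_extension', 'mismatch', 'unknown'.

    Only the outermost extension decides what the OS will do with the file,
    so it is checked first; the magic bytes then confirm that a claimed
    image really is one.
    """
    lowered = filename.lower()
    root, ext = os.path.splitext(lowered)
    _, inner_ext = os.path.splitext(root)

    if ext in EXECUTABLE_EXTS:
        # 'photo.jpg.scr': an image-looking name in front of a run-me extension.
        if inner_ext in IMAGE_MAGIC:
            return "double_extension"
        return "executable"

    if data.startswith(b"MZ"):
        # A DOS/PE executable header, whatever the file name claims.
        return "executable"

    if ext in IMAGE_MAGIC:
        if any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
            return "image"
        return "mismatch"

    return "unknown"


def triage(files):
    """Map each (name, bytes) pair to its verdict."""
    return {name: classify_attachment(name, data) for name, data in files}


# Constructed samples: a genuine JPEG header, an executable renamed to .jpg,
# a double extension, and a '.png' whose bytes are not a PNG at all.
SAMPLE_FILES = [
    ("selfie.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("selfie2.jpg", b"MZ\x90\x00" + b"\x00" * 16),
    ("selfie3.jpg.scr", b"MZ\x90\x00" + b"\x00" * 16),
    ("selfie4.png", b"<html>not an image</html>"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:20s} -> {verdict}")
```

The check deliberately distrusts the file name: a renamed executable is caught by its header even when the extension is innocent, and a double extension is caught even before the bytes are inspected, because the operating system will act on the last extension only.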

The report is the latest indication that Syria’s four-year-long conflict is being fought as furiously online as it is on the ground. It also paints a picture of the future of cyber warfare.

Since the war broke out in 2011 between President Bashar al-Assad’s government and opposition forces, both sides have engaged in cyber attacks. In some cases, it was propaganda: The pro-Assad group Syrian Electronic Army has repeatedly struck Western media outlets critical of Mr. Assad and his regime, and pushed pro-government messages on social media.

Other cyber attacks were more sophisticated. A National Security Agency document dated June 2010 – part of the stockpile taken by former NSA employee Edward Snowden – describes how the agency intercepted and placed electronic “beacon implants” into a shipment of computers and other devices bound for Syria, according to The New York Times.

“To the delight of American intelligence agencies, they soon discovered they had access to the country’s cellphone network – enabling American officials to figure out who was calling whom, and from where,” the Times reported.

The identities of the hackers behind the operation that FireEye discovered remain a mystery. But the firm’s representatives said that research revealed multiple references to Lebanon.

“While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information,” Nart Villeneuve, senior threat intelligence researcher at FireEye, said in a statement.

“In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek,” he wrote.

The nature of cyber warfare is evolving, but just how imminently lethal it may become is open to debate. A Pew Research Center study that canvassed more than 1,000 technology and security experts saw a 60-40 split in the number of respondents who believed a major cyber attack causing widespread harm would occur by 2025.

The majority who predicted a big attack said that not only is security a secondary concern in most Internet application designs, but cyber battles are already happening.

“The US government’s series of cyber attacks on citizens, economic entities, and governments around the world has already done this,” Judith Perrolle, a professor at Northeastern University in Boston, told Pew. “People have died from faulty equipment producing gas pipeline explosions and from drone bombings of civilians. US companies have lost billions worth of business as foreign customers no longer trust their products and services.”

“Our current systems are incredibly vulnerable, by design," she added.

Others were more optimistic, saying that steady progress in security fixes and the threat of retaliation would both work to keep the balance.

“Obviously there will be some theft and perhaps someone can exaggerate it to claim tens of billions in losses,” principal Microsoft researcher Jonathan Grudin said, “but I don’t expect anything dramatic and certainly don’t want to live in fear of it.”
