How Syrian rebel fighters fell for 'honey trap' hackers

Syrian pro-government hackers stole critical information from Syrian opposition forces using a time-honored trick, according to a new report. Will the future of cyber warfare rely on Mata Hari hackers?

Khalil Ashawi/Reuters/File
Fighters from the Suqour al-Sham Brigade, which is part of the Free Syrian Army, take cover from snipers behind a tank during what activists said were clashes with forces of Syria's President Bashar al-Assad in western Idlib on Jan. 30. Less visible are the battles raging online, where both sides have taken to push their messages to the public and glean critical information about each other.

The scene is something out of a hacker flick: Unsuspecting victim divulges key information while chatting online with a beautiful woman, who turns out to be the enemy in disguise.

That’s exactly how it played out for rebel fighters in the midst of the Syrian civil war, according to a report released this month by FireEye, a California-based computer security firm. Between at least November 2013 and January 2014, the report found, pro-government hackers stole hundreds of documents and thousands of Skype conversations containing battle plans, supply route details, and personal information from opposition forces in and around Syria.

Their method: the old 'honey trap' ruse.

A hacker, using a fake Skype or Facebook profile, would strike up a conversation with a target and invite him to swap photos. The hacker’s photo, invariably that of an attractive woman, would contain malware that, once downloaded by the target, would copy chat logs, tactical strategies, and contact details from the target’s device, according to FireEye's research.

Like bees to honey, young Syrian fighters chatted up these hackers, unwittingly giving up valuable personal and military information.
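The lure described above works because a file sent as a "photo" is trusted on the strength of its name. The following is an added example, not code from the article or from FireEye's report, showing the check a chat client or mail gateway can apply before the file is opened: compare the file's leading bytes with what its extension claims, and flag double extensions. It assumes the malware was packaged as an executable or archive presented as a picture; the article does not say how it was packaged, and all sample bytes are constructed.

```python
"""Decide whether a file received as a 'photo' is really an image."""
import os

# Leading bytes (magic numbers) of common image formats, keyed by extension.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Leading bytes of containers that should never arrive labelled as a photo.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP or self-extracting archive",
    b"Rar!\x1a\x07": "RAR archive",
}


def classify_attachment(filename, data):
    """Return ('allow' | 'block', reason) for a file a contact sent as a photo."""
    name = filename.lower()
    base, ext = os.path.splitext(name)
    # 'photo.jpg.exe': the visible part looks like an image, the real type does not.
    inner_ext = os.path.splitext(base)[1]
    if inner_ext in IMAGE_SIGNATURES and ext not in IMAGE_SIGNATURES:
        return "block", f"double extension {inner_ext}{ext}"
    # Content check comes before the extension check: the bytes are what will run.
    for magic, label in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return "block", f"content is {label}, not an image"
    if ext not in IMAGE_SIGNATURES:
        return "block", f"unexpected extension {ext or '(none)'}"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "block", f"header does not match {ext}"
    return "allow", "image header matches extension"


# Constructed sample attachments (first bytes only; not real files).
SAMPLES = {
    "real_photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,          # double extension, PE inside
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,              # image name, PE content
    "photo.png": b"\xff\xd8\xff\xe0" + b"\x00" * 16,        # JPEG bytes under a .png name
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, *classify_attachment(fname, blob))
```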

The report is the latest indication that Syria’s four-year-long conflict is being fought as furiously online as it is on the ground. It also paints a picture of the future of cyber warfare.

Since the war broke out in 2011 between President Bashar al-Assad’s government and opposition forces, both sides have engaged in cyber attacks. In some cases, it was propaganda: The pro-Assad group Syrian Electronic Army has repeatedly struck Western media outlets critical of Mr. Assad and his regime, and pushed pro-government messages on social media.

Other cyber attacks were more sophisticated. A National Security Agency document dated June 2010 – part of the stockpile taken by former NSA employee Edward Snowden – describes how the agency intercepted and placed electronic “beacon implants” into a shipment of computers and other devices bound for Syria, according to The New York Times.

“To the delight of American intelligence agencies, they soon discovered they had access to the country’s cellphone network – enabling American officials to figure out who was calling whom, and from where,” the Times reported.

The identities of the hackers behind the operation that FireEye discovered remain a mystery. But the firm’s representatives said that research revealed multiple references to Lebanon.

“While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information,” Nart Villeneuve, senior threat intelligence researcher at FireEye, said in a statement.

“In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek,” he wrote.

The nature of cyber warfare is evolving, but just how imminently lethal it may become is open to debate. A Pew Research Center study that canvassed more than 1,000 technology and security experts saw a 60-40 split in the number of respondents who believed a major cyber attack causing widespread harm would occur by 2025.

The majority who predicted a big attack said that not only is security a secondary concern in most Internet application designs, but cyber battles are already happening.

“The US government’s series of cyber attacks on citizens, economic entities, and governments around the world has already done this,” Judith Perrolle, a professor at Northeastern University in Boston, told Pew. “People have died from faulty equipment producing gas pipeline explosions and from drone bombings of civilians. US companies have lost billions worth of business as foreign customers no longer trust their products and services.”

“Our current systems are incredibly vulnerable, by design,” she added.

Others were more optimistic, saying that steady progress in security fixes and the threat of retaliation would both work to keep the balance.

“Obviously there will be some theft and perhaps someone can exaggerate it to claim tens of billions in losses,” principal Microsoft researcher Jonathan Grudin said, “but I don’t expect anything dramatic and certainly don’t want to live in fear of it.”
