Honey-trap cyber spies stole Syrian rebel plans

Thousands of sensitive military and political files were stolen when opposition fighters were tricked into downloading spy programs by hackers posing as attractive women

By Ben Farmer 02 February 2015 • 6:26pm

Hackers from the Syrian Electronic Army posted this message from Le Monde's Twitter acount — Cyber attacks have become a common part of the conflict in Syria and other wars around the world. The Syrian Electronic Army, pro-Assad hackers, have carried out high profile attacks on media organisations.

Hackers posing as beautiful women stole a trove of detailed battle plans from rebel groups fighting the Syrian government, a cyber security group has said.

The cyber honey trap saw opposition fighters tricked into downloading spy programs on to their laptops or smartphones when they believed they were sharing personal photos, or looking for wives.

The sting saw a cache of detailed military documents and sensitive Skype conversations stolen over a two-month period by the unidentified group of hackers.

Information carried off included details of the Syrian opposition’s strategy, tactical battle plans, supply needs, and large amounts of personal information and online chat sessions.

FireEye, a US-based cyber security firm, said it had come across the stolen files while investigating cyber crime gangs. It is unclear who the hackers were working for, but the victims included fighters, media activists and humanitarian aid workers. Those tricked included rebels from the Free Syrian Army, as well as Islamist fighting groups.

Researchers said the find illustrated the key role cyber warfare was playing in the Syrian conflict and other wars around the world. It also showed that the age-old honey trap ruse remained effective even in an age of high tech espionage.

The firm found hackers had created fake Skype accounts with profile photos of beautiful women to target Syrian opposition groups, as well as setting up a fake opposition website seeded with spy programs.

The hackers contacted their victims and after gentle flirtation asked them to share photos. When the hacker’s photo arrived, it was in fact a spy program allowing the attacker to seize control of the victim’s computer.

The fake website included a matchmaking section that infected the victim’s computer when they clicked on links to women’s profiles.

^{The fake Skype accounts had profile photos of beautiful women}

Richard Turner, vice president at FireEye, said: “For as long as there’ve been secrets, there’s been espionage and as long as there’s been espionage, it’s been intertwined with sex.

“This attack used attractive women to get people to share information in order for them to be compromised. The vast majority of cyber attacks start with fairly innocuous emails to create a level of interest with a target.”

The thousands of documents stolen between late 2013 and early 2014 included a detailed battle plan for an assault on the town of Khirbet Ghazaleh, strategically located in southern Daraa province. The town had been under rebel control but was seized by regime troops in May 2013. Rebels have been unable to recapture it since.

Documents included detailed lists of rebel fighters, including names, dates of birth, blood groups and weapon serial numbers.

Military plans found in the stolen files also included rosters, annotated satellite images, orders of battle, geographic coordinates for attacks, and lists of weapons from a range of fighting groups.

The seized information provided “actionable military intelligence for an immediate battlefield advantage" for the Khirbet Ghazaleh attack, the FireEye report said.

It provided "the type of insight that can thwart a vital supply route, reveal a planned ambush and identify and track key individuals", though it was unclear if the information ever reached Bashar al Assad’s regime.

Nart Villeneuve, senior threat intelligence researcher at the firm, said: “While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”

Russia and Iran have both given significant backing to Assad’s regime and are both considered leading cyber warfare powers, but the firm said the spread of the technology meant many governments and groups could now call on high tech espionage. Several of the hackers referred to Lebanon during conversations.

A group of pro-Assad hackers called the Syrian Electronic Army has launched cyber attacks on a string of media organisations.

Opposition activists confirmed that the bloodshed on the battlefields of Syria was being shadowed by a cyber war.

Sami Saleh, an opposition activist and hacker using a pseudonym, said opposition groups had few resources to carry out attacks and spent most of their time trying to fend off spying.

He told AFP: “The cyber-war is about half the war, without exaggeration.”