The SEA also has a Twitter account, through which posts are made in Arabic that taunt its adversaries or boast about its latest exploit. For example, on July 5, 2012, the SEA managed to take over the Twitter account of Al Jazeera’s The Stream – possibly acquiring the sign-up credentials through a previous computer breach of Al Jazeera’s servers – and then took credit for the hack on its Twitter account, @Official_SEA. For a few hours on that July day, to the bemusement of many Twitterati, they used Al Jazeera’s account to turn the broadcaster’s coverage upside down: from an independent monitor of atrocities to a mouthpiece for the Assad regime.
The Citizen Lab turned its attention to the SEA when the Arab Spring blew into the streets of Damascus in early 2011. Amidst the smoke and rubble of an increasingly violent civil war – and after the UN monitors finally reported that “crimes against humanity” were being committed by the Syrian regime — another type of warfare took shape, this one through radio waves and fibre-optic cables, and over social media platforms.
Like the Tunisians, Egyptians, and Libyans, angry Syrians opposed to the dictatorial ways of their government and looking to ignite a revolution reached instinctively for the latest tools of the digital age. The anti-Assad “Day of Rage,” announced to the world in February 2011 on Arabic-language Facebook pages, Twitter, and other social media platforms, set the tone. The Syrian protesters built on lessons learned from other digitally empowered protests, and benefited from a growing grassroots movement of technological peer support. Hacktivist groups like Telecomix and Anonymous jumped into the fray by breaking into Syrian government computers, distributing secure tools to circumvent Internet censorship, and helping expose companies that provide services to the Assad regime. In February 2012, Anonymous broke into the email server of the Syrian Ministry of Presidential Affairs and published hundreds of emails. As usual in such domestic conflicts, neighbouring states and great powers meddled in this one, too. While Russia and China stymied UN resolutions to sanction Syria, Iran’s Revolutionary Guard’s elite signals intelligence unit roamed Syrian city streets in black vans and employed sophisticated surveillance tools to triangulate the location of dissidents using insecure satellite phones. On the other side of the battle, American and British officials provided tools and training for the armed opposition in the Free Syrian Army, while the Canadian government quietly used its diplomatic headquarters in Ankara, Turkey, to channel information to those fighting the Assad regime.
As a result of such outside support, those opposed to Assad are technologically well equipped. The latest generation mobile phones have been employed as frontline sensors, uploading atrocities for the world to witness as they occur – their shaky, hand-held videos a grim portal into the otherwise hidden spectacle of torture, suffering, and death – thus circumventing the Syrian regime’s official blackout of journalists. The Citizen Lab’s senior Middle East and North Africa-based researcher, Helmi Noman, has shared many of these videos with our Toronto staff, translating the horrific scenes from Arabic to English so that we could understand that protesters were being buried alive at gunpoint, forced to swear allegiance to Assad while they drew their last breath; that tidy lines of corpses covered in blood-stained white sheets, some clearly children, were the victims of deliberate Syrian military attacks on the country’s own people in its own cities.
But the familiar script of digitally enabled pro-democracy activists outflanking flat-footed tyrants, which played itself out in other theatres of the Arab Spring, never fully materialized in Syria. The Assad regime adapted and evolved, taking its counter-insurgency tactics to the virtual plane. Unlike the leaderships of Egypt and Libya, who in last-ditch acts of desperation pulled the plug on the Internet, after various ham-fisted attempts at control, Syria decided instead to actually loosen its grip on cyberspace. Facebook, Blogspot, YouTube, and Twitter, perennially censored by the xenophobic regime, were suddenly made available at the very moment activists took to the streets and to their mobile phones. A conciliatory gesture perhaps? An appeasement to the protesters’ demands for more free speech and access to information? More likely the powers-that-be had a more sinister strategy in mind.
Part of that sinister strategy involves surveillance. By loosening controls over particular Internet platforms – especially those used by protesters to organize – the Syrian regime acquired unparalleled insights into its adversaries’ thoughts, plans, and actions. As the conflict unfolded, reports began to surface about a dark market in high-tech equipment – the products and services coming mostly from Western firms—used by the regime. In a series of investigative reports, Bloomberg News revealed that an Italian company, Area SpA, was installing a surveillance system that would enable the Assad regime to intercept, scan, and catalogue emails flowing through the country. The report was the tip of an iceberg.
The Citizen Lab helped uncover that filtering devices belonging to Blue Coat Systems, an American company based in Sunnyvale, California, were widely deployed across the Internet in Syria. Our researcher Jakub Dalek discovered the Blue Coat devices by running a series of specially designed network scans, the equivalent of a digital flashlight searching through the sewers and catacombs of Syrian Internet space looking for the fingerprints of specific equipment. The Blue Coat devices could be used to filter content and monitor communications in fine-grained detail. Under U.S. sanctions against the sale of products and services to Syria – designated a “state sponsor of terror” by the American government – any business relationship between Blue Coat and Syria was illegal.
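The kind of scan described above works because network appliances leave recognizable traces in the responses they send. What follows is an added example, not code from the Citizen Lab investigation or from Blue Coat: it takes raw HTTP responses as a scanner would record them and matches their headers against a small signature table. The signature table (a vendor loop-detection header and a vendor string inside the standard Via header, plus a fictional “AcmeFilter” vendor) and the sample responses are assumptions constructed for the example; real fingerprints must be captured from a known device and re-checked, since vendors change banners between firmware releases.

```python
"""Fingerprint network appliances from captured HTTP responses.

Added example, not code from the Citizen Lab investigation: matches raw
HTTP responses (what a scanner records per host) against a small table
of header signatures and reports which device family, if any, answered.
The signature table and the sample responses are assumptions constructed
for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    vendor: str
    header: str   # header name to inspect (compared case-insensitively)
    pattern: str  # regex that must match the header value


# Assumed signatures: one vendor-specific loop-detection header and a
# vendor string inside the standard Via header for "Blue Coat"; the
# "AcmeFilter" entry is a purely fictional second vendor.
SIGNATURES = [
    Signature("Blue Coat", "x-bluecoat-via", r"."),
    Signature("Blue Coat", "via", r"\(Blue Coat"),
    Signature("AcmeFilter", "server", r"^AcmeFilter/\d"),
]


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw response into lower-cased header name -> values.

    Tolerates CRLF or LF endings, a missing body, and junk lines (a scan
    must not abort on one malformed host). Stops at the first blank line;
    an empty or header-less response yields {}.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.splitlines()[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw: str) -> tuple[Optional[str], list[str]]:
    """Return (vendor, evidence); vendor is None when nothing matched.

    Evidence is the list of matching header lines, so an analyst can see
    why a host was labelled and spot weak or ambiguous matches.
    """
    headers = parse_headers(raw)
    hits: dict[str, list[str]] = {}
    for sig in SIGNATURES:
        for value in headers.get(sig.header, []):
            if re.search(sig.pattern, value, re.IGNORECASE):
                hits.setdefault(sig.vendor, []).append(f"{sig.header}: {value}")
    if not hits:
        return None, []
    # Prefer the vendor with the most corroborating headers.
    vendor = max(hits, key=lambda v: len(hits[v]))
    return vendor, hits[vendor]


def scan(responses: dict[str, str]) -> dict[str, Optional[str]]:
    """Classify a batch of {host: raw_response} the way a scan log is processed."""
    return {host: fingerprint(raw)[0] for host, raw in responses.items()}


# Constructed sample responses (documentation-range addresses, not scan data).
SAMPLE = {
    "198.51.100.10": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    "198.51.100.11": ("HTTP/1.1 403 Forbidden\r\nVia: 1.1 gw (Blue Coat ProxySG)\r\n"
                      "X-BlueCoat-Via: abcd1234\r\n\r\n<html>blocked</html>"),
    "198.51.100.12": "HTTP/1.1 200 OK\r\nServer: AcmeFilter/3.1\r\n\r\n",
    "198.51.100.13": "",  # connection closed before any header arrived
}

if __name__ == "__main__":
    for host, vendor in scan(SAMPLE).items():
        print(host, vendor or "unknown", fingerprint(SAMPLE[host])[1])
```

The evidence list matters as much as the verdict: a single weak header can be spoofed or copied by an unrelated product, so a host labelled on one header alone deserves a second look before it goes into a report.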
The European hacker collective Telecomix was on the same trail as the Citizen Lab, and published reams of unfiltered data they had collected about Blue Coat. Our report was released a few days later, on November 9, 2011, and both reports led to a firestorm, including calls for a U.S. Congressional investigation into Blue Coat. The company later acknowledged the presence of its devices in Syria, but said they had been shipped to the country fraudulently and without its knowledge. Since the devices’ primary function is to monitor Internet traffic, and they only function properly when they check in to central Blue Coat servers for updates, such a claim was too far-fetched to be credible. These and other revelations of high-tech surveillance equipment being imported into Syria underscored the other side of a regime that once attempted to control the Internet through censorship: targeted surveillance is far more effective.
Just as the Citizen Lab was preparing its Blue Coat report, we stumbled upon a number of Syrian government websites that were hosted on Canadian servers, including the state-backed television station, Addounia TV, that had been placed on an official sanctions list by Canada and the European Union for incitement of violence. The content being streamed online by Addounia TV claimed that the atrocities captured on film by Syrian protesters were fabrications, and it encouraged Syrians who supported Assad to take to the streets and fight back. In a bizarre twist Addounia was hosted on computers located in Montreal, and we also found that the website of Al-Manar, the media wing of the Lebanese militant group Hezbollah, was hosted on the same Montreal-based servers, again in violation of Canadian sanctions. Reflecting on the role media have played in inciting genocide in places like Rwanda, we decided to publish our findings immediately. Called The Canadian Connection: An Investigation of Syrian Government and Hezbullah Web Hosting in Canada, our report no doubt caused a few red faces in Foreign Affairs and International Trade Canada, but it also underscored the complexity and difficulty of imposing effective international sanctions over cyberspace activities. Nonetheless, believing that web hosting constituted “material support” for the Syrian regime and Hezbollah, we chose to act swiftly.
• • •
High-tech surveillance equipment in Syria and Syrian government web hosting in Canada were only part of the story of Syria’s metamorphosis from an Internet-phobic regime to one that embraces technology in the service of armed struggle and civil repression. The SEA’s first forays into cyber war may have been amateurish – it defaced websites, the online equivalent of graffiti; spammed the comments sections of online forums and newspapers, the actions of a pest more than a menacing army; and targeted websites and forums that appeared to have no relation whatsoever to Syria (the website of an obscure town council in Britain, Harvard University, and so forth), juvenile acts of opportunism. Website defacements of this sort demonstrate a low level of expertise: anyone with a few hours to spare can easily Google instructions and then scan the Internet looking for low-hanging fruit, poorly patched servers waiting to be plucked and desecrated. But over time, and especially into 2012, the SEA evolved, its methods becoming increasingly sophisticated.
In the spring of 2012, the Electronic Frontier Foundation started receiving reports from inside Syria of phishing attacks on Facebook, YouTube, and other social media outlets used by Syrian dissidents. The EFF found that when users clicked on links posted on the comment sections of opposition Facebook and YouTube sites, they were taken to fake websites that encouraged them to download special software, which was then used to acquire their credentials and sometimes to take over their computers. The EFF also discovered an instance of a malicious software program hidden in images circulated among Syrians in the diaspora. Although EFF could not confirm the identity of the perpetrators, they suspected that the Syrian telecommunications ministry was behind the attacks. Meanwhile, reports of authorities using force against activists and dissident Facebook users, and demanding their login information, surfaced. In one case, a user was beaten by Syrian police, who then informed him that they had been reading his “bad comments” on Facebook. After providing his password to authorities, he was imprisoned for two weeks. Upon his release, he found that somebody had logged into his Facebook account and posted pro-regime comments in his name.
Google computer security analyst Morgan Marquis-Boire and UCLA Ph.D. student John Scott-Railton were involved in the EFF’s work, and in 2012 they contacted the Citizen Lab to suggest combining research efforts with the EFF’s Eva Galperin. (Marquis-Boire and Scott-Railton later joined the Citizen Lab as research fellows.) Together, our teams have uncovered one targeted attack after another on Syrian dissidents, typically engineered by commandeering someone’s computer and using that person’s Skype or email account to trick the dissident’s network of contacts into clicking on links or opening files that contained malicious trojans. Whereas prior defacement and spam attacks had the imprecision of a sledgehammer, these attacks were more like carefully calibrated pliers. Our researchers watched as the cyber raids became more persistent and sophisticated, using several commercial remote administration tools bundled and hidden in malicious software, which suggested significant knowledge of criminal hacking techniques. When the author of one of these tools, called Dark Comet, discovered through our published reports that his software was being repurposed by the SEA to trap dissidents, he was horrified, issued an apology, and announced that he would no longer maintain the software as a freely available product. This did little to slow down the SEA. Within days there were more attacks targeting Syrian dissidents, this time using a different commercial remote administration tool called Blackshades.
Although we found no smoking gun connecting these attacks directly to the Syrian government, the majority were clearly engineered by individuals connected to command-and-control computers operating on Syrian telecommunications networks registered in Damascus. A Citizen Lab contact with extensive dealings in the domain registration business gave us a likely set of names and Syrian-based cellphone numbers connected to the names and email addresses used to register the domains linked to the attacks, but we decided not to publish them for fear of endangering lives. Clearly, though, the Syrian government was either tacitly condoning or actively encouraging the SEA, a marked turning point in how an autocratic regime deals with a digitally mobilized opposition. Dictators have little to fear from technology: it can be their best friend.
Syria’s SEA is a curious hybrid. Not formally linked to the Syrian government, it nonetheless undertakes information operations in support of the regime, and does so at arm’s length so as to ensure plausible deniability. Its methods are not technically complex; indeed, they are run-of-the-mill and widely employed in the world of cyber crime, and they are attractive because they are cheap, easy to use, and often enough extremely effective. This is precisely what makes the SEA case noteworthy: the methods, tools, and tradecraft of cyber crime are being repurposed and deployed by one of the world’s most repressive states in the midst of a bloody civil war, a new model of “active defence” emerging among autocratic regimes the world over. The exploitation of cyber-crime techniques is an increasingly common state-sponsored form of military action in cyberspace, and the already percolating menace of cyber crime is morphing into a boiling cauldron of espionage, sabotage, warfare, and repression.
• • •
Among those governments using cyber-crime techniques for national military and intelligence purposes Syria may be the most recent, but it is not the first nor the most voracious. That title goes to China, whose adversaries have been the most frequently targeted, and for the longest periods of time. China has used just about all of the latest techniques of the cyber-criminal underworld for strategic intelligence, industrial espionage, and military action. Indeed, it is fair to say that China is the template for state-sponsored cyber crime.
During Ghostnet, basic Internet “social engineering” techniques – the art of fooling people into divulging confidential information – first refined by cyber criminals were used to fool recipients of emails at the Office of the Dalai Lama and Tibetan Government in Exile into opening attachments that contained a very simple piece of malicious software. Once infected, the attackers installed a more sophisticated remote administration tool on their computers, a freely available and open-source piece of software known as Ghost RAT (hence the name of the espionage network). During Shadows, the attackers borrowed from the widely deployed criminal method of splitting up and routing stolen documents from victims’ computers across redundant social networking platforms to ensure resiliency and to disguise the origins of the malicious network in case parts of their infrastructure were reported on and shut down. When members of the Foreign Correspondents’ Club of China were targeted by socially engineered emails containing malicious trojans, the infected computers connected back to Taiwan-based command-and-control servers under the control of the attackers. (The compromised servers were based at Taiwan University and were the very ones used to distribute antivirus software to staff and faculty.) When the European Parliament passed a resolution condemning China’s repression of Tibet, the text was immediately repurposed to contain a malicious piece of software and then distributed to the contact list of an exiled Tibetan whose computer was compromised by Chinese attackers. When Twitter was used as a means to raise awareness by Tibetans about an important anniversary, pro-regime hackers employed several hundred bots – automated programs that generate content – to flood Twitter discussions using the hashtags #Tibet and #Freetibet, making those hashtags unusable, a technique known as “hashtag bot-flooding” originally developed by spammers. 
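The hashtag bot-flooding just described can be spotted from the posts themselves: a flood is a burst, inside a few minutes, of near-identical text from a small set of accounts, whereas organic use of a hashtag is spread out and varied. The following is an added example, not code from the book or from the Citizen Lab; the post format (timestamp in seconds, account name, text), the thresholds, and the sample posts are assumptions constructed for it.

```python
"""Flag hashtags that are being bot-flooded.

Added example, not code from the page. A flood shows up as a burst of
posts, inside a short window, whose text is mostly near-duplicate and
comes from a handful of accounts. The post format (timestamp in seconds,
account name, text), the thresholds and the sample posts are assumptions
constructed for this example.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

HASHTAG = re.compile(r"#\w+")


def normalise(text: str) -> str:
    """Collapse case, punctuation and whitespace so lightly 'spun' copies
    of one template compare equal."""
    return re.sub(r"[^a-z0-9#]+", " ", text.lower()).strip()


def flood_report(posts, window_s=600, max_unique_ratio=0.5, min_posts=10):
    """posts: iterable of (timestamp_s, account, text).

    For each hashtag, slide a window_s-second window over its posts and
    flag the hashtag if some window holds at least min_posts posts of
    which no more than max_unique_ratio are distinct after normalisation.
    Returns {hashtag: stats} describing the largest flagged window.
    """
    by_tag: dict[str, list[tuple[float, str, str]]] = defaultdict(list)
    for ts, account, text in posts:
        for tag in {t.lower() for t in HASHTAG.findall(text)}:
            by_tag[tag].append((ts, account, normalise(text)))

    report = {}
    for tag, items in by_tag.items():
        items.sort()
        best = None
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window_s:
                lo += 1
            window = items[lo:hi + 1]
            if len(window) < min_posts:
                continue
            unique = len({text for _, _, text in window})
            if unique / len(window) > max_unique_ratio:
                continue
            if best is None or len(window) > best["posts"]:
                accounts = Counter(account for _, account, _ in window)
                best = {
                    "posts": len(window),
                    "unique_texts": unique,
                    "accounts": len(accounts),
                    "top_accounts": [a for a, _ in accounts.most_common(3)],
                }
        if best:
            report[tag] = best
    return report


def sample_posts():
    """Constructed data: five organic posts spread over forty minutes,
    then twenty posts in under two minutes from ten accounts using two
    templates, plus one unrelated post."""
    organic = [
        "Candlelight vigil tonight for the #Tibet anniversary",
        "Reading survivor accounts of the uprising #Tibet",
        "Our local group is marching at noon #Tibet",
        "Photos from the Dharamsala commemoration #Tibet",
        "Signed the petition, please share #Tibet",
    ]
    posts = [(i * 600, f"person{i}", text) for i, text in enumerate(organic)]
    templates = [
        "#Tibet is a happy place, tourists welcome!",
        "Beautiful scenery in #tibet today!",
    ]
    posts += [(3000 + i * 5, f"bot{i % 10}", templates[i % 2]) for i in range(20)]
    posts.append((100, "person9", "#weather sunny all day"))
    return posts


if __name__ == "__main__":
    for tag, stats in flood_report(sample_posts()).items():
        print(tag, stats)
```

The duplicate-text ratio is the signal that separates a flood from a genuinely popular tag: a real event also produces a burst, but the posts in it differ. Spammers who vary each copy more aggressively defeat the simple normalisation used here, which is where a fuzzier similarity measure, and account-age or posting-rate features, would come in.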
Chinese hackers redeployed a common technique, an iFrame injection, or “drive-by” attack, in which the websites of their adversaries are hacked into and loaded with malware that targets visitors using improperly secured browsers. Over the years numerous websites of prominent human rights groups have been exposed in this manner, including Amnesty International U.K. and Human Rights in China.
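An injected iframe of the kind used in these drive-by attacks is almost always kept out of the visitor’s sight (zero size, `display:none`, or pushed off-screen) and loads from a host the site does not own, which is what a site owner can check for. The following is an added example, not code from the book or from any of the groups mentioned: it parses a page’s HTML and reports iframes that are hidden, external, or both. The page host, the list of permitted embed hosts, and the sample HTML are assumptions constructed for the example.

```python
"""Find hidden, injected iframes in a page's HTML.

Added example, not code from the page. An iFrame injection plants an
<iframe> the visitor cannot see (zero size, display:none, or pushed
off-screen) that loads content from a host the site does not own; a
visible embed from a known host is ordinary. The page host, the allowed
embed hosts and the sample HTML are assumptions constructed here.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _hidden_reasons(attrs: dict[str, str]) -> list[str]:
    """Return the ways this iframe is kept out of the visitor's sight."""
    reasons = []
    for dim in ("width", "height"):
        m = re.match(r"\s*(\d+)", attrs.get(dim, ""))
        if m and int(m.group(1)) <= 1:
            reasons.append(f"{dim}={m.group(1)}")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    for needle in ("display:none", "visibility:hidden"):
        if needle in style:
            reasons.append(needle)
    for m in re.finditer(r"(width|height):(\d+)px", style):
        if int(m.group(2)) <= 1:
            reasons.append(f"style {m.group(1)}:{m.group(2)}px")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("off-screen position")
    return reasons


def audit_iframes(html: str, page_host: str,
                  allowed_hosts: frozenset[str] = frozenset()) -> list[dict]:
    """Report iframes that are hidden or point at an unexpected host.

    A finding is 'likely_injected' only when both hold: hidden and
    external. Hidden-only frames (tracking pixels) and visible external
    frames (an unlisted embed) are still returned, for review.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or page_host).lower()  # relative src: same site
        reasons = []
        if host != page_host and host not in allowed_hosts:
            reasons.append("external host")
        hidden = _hidden_reasons(attrs)
        reasons += hidden
        if reasons:
            findings.append({
                "src": src, "host": host, "reasons": reasons,
                "likely_injected": "external host" in reasons and bool(hidden),
            })
    return findings


# Constructed page: a legitimate embed, a same-site frame, and two injected ones.
SAMPLE_HTML = """
<html><body>
<h1>Annual report</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/donate" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="//cdn.example.net/t.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "rights.example", frozenset({"www.youtube.com"})):
        print(f)
```

The check only looks at each iframe’s own attributes. A frame hidden by a parent element’s stylesheet, or one written into the page by script after it loads, is missed by static parsing, which is why a thorough audit also renders the page and inspects the resulting DOM.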
In each case, many of the primary methods and tools used were not specially designed or custom built; instead, they were simply repurposed from the world of cyber crime, and many observers believe China tacitly condones and supports the vast cyber criminal underworld because it benefits from it. Looking at the evidence, it’s hard to conclude otherwise. And China is not alone. Many shadowy underground entities employ cyber-criminal methods against human rights and opposition groups in operations that benefit entrenched authorities. Russia, Kyrgyzstan, Belarus, and other states across the former Soviet Union represent good examples.
In February 2005, during parliamentary elections in Kyrgyzstan, websites belonging to political parties and independent media aligned with the opposition were subjected to unexplained technical failures, glitches, and deliberate hacking. Journalists at independent media organizations had their email accounts flooded with large volumes of spam and phony emails. Several websites were hacked and defaced, and one had its domain name deregistered because the authorities claimed it had no “legal status.” Shortly thereafter, a major DDoS attack, undertaken by a group calling itself Shadow Team, overwhelmed Kyrgyzstan’s leading ISPs. OpenNet Initiative’s Kyrgyzstan-based researchers obtained the extortion note sent by Shadow Team to the ISPs, which threatened to continue the attacks until specific websites connected to the political opposition were shut down. A separate threatening email was sent to a popular regional news site, http://www.centralasia.ru, demanding that it stop publishing any and all information about the situation in Kyrgyzstan. The perpetrator turned out to be a single hacker operating out of Ukraine, but whose attacking computers were physically located in the United States. The same hacker was simultaneously pursued for different reasons by U.S. security researchers, and eventually the botnet of attacking computers was disabled.
Based on ONI’s experiences in Kyrgyzstan, leading up to the 2006 Belarus presidential elections we assembled a group of researchers (both inside and outside the country) to monitor the Internet. Although ONI testing indicated that Belarus, like Kyrgyzstan, had no Internet censorship, the regime of President Alexander Lukashenko was (and still is) widely considered typical of Soviet-style authoritarianism: prone to silencing dissent and quelling opposition using heavy-handed methods. Indeed, only a year before, Ilya Mafter, the program officer from the Open Society Institute (which had funded the ONI project), had been arrested on trumped-up money laundering charges and held in detention for several months. Before and during the presidential election, ONI documented numerous opposition websites coming under denial-of-service attacks, or made inaccessible on the state-owned Beltelecom network. During a day of major demonstrations in the capital city Minsk, when riot police intervened to disperse and arrest protesters, one of the main dial-up services for Internet connectivity in the city went dead, having experienced “technical problems.”
Black Code: Inside the Battle for Cyberspace Page 16