Syrian rebels celebrate on top of the remains of a Syrian government fighter jet in Nov. 2012. (Francisco Leong / AFP via Getty Images)
The front pages have been dominated for more than a year by photos of young Syrian rebel fighters, armed and proud, battling an increasingly isolated Syrian military.
But amid the shooting, the atrocities and the bombings, there is a parallel war — a sophisticated cyber insurgency battling a shadowy team working on behalf of the Assad regime. The Syrians’ online conflict may be the most active cyberwar in recent memory, with extraordinary efforts by both sides to sabotage, disrupt and destroy. It may even foreshadow the way cyber battles will play out in future conflicts.
On the one side, the Syrian government has been using cyber tools to track activists and expose opposition figures. An online group calling itself the Syrian Electronic Army appears to be acting as the Assad regime’s surrogates.
On the other side, the Syrian opposition has been working in an apparently loose collective. There is also Anonymous, the international online “hacktivist” group, which teamed up to hack President Bashar al-Assad’s personal emails.
The civil war has been raging on since the uprising began in March 2011, during the heady days of the Arab Spring. The Syrian regime appears to have been using cyber tools as part of their counterinsurgency tactics as far back as the beginning of 2012. One sophisticated cyber operation was run by supporters of the Syrian government after most Syrian activists and opposition figures had found ways of using secure connections to avoid surveillance.
It’s unclear who launched the effort, but opposition activists were encouraged to download what was purported to be Skype encryption software. In fact, it was a fake tool that allowed in malware. It let in a Trojan called “DarkComet,” described by the Electronic Frontier Foundation digital-rights group as “a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords and more — and sends that sensitive information to an address in Syrian IP space.”
Speaking in a secure webchat, a Syrian activist who withheld his or her name for security reasons confirmed that Skype-based malware was used to gain access to activists’ personal information.
The malware “logs and monitors dissident activity,” the activist added. “Activists were then arrested and tortured to give the government access” to their social network accounts.
After the pro-regime ploy was exposed, DarkComet’s creator terminated the program.
But malware infections continue. According to the online activist, most of the malware is not Syrian-made but has been written by Russians or other Europeans and then bought or stolen by affiliates of the Syrian regime or the SEA.
Assad has Iran’s backing, and his supporters are allegedly also using Iranian cyber tools. Alexander Klimburg, a senior adviser at the Austrian Institute for International Affairs, said it’s widely believed that the Syrians are using popular offensive software designed in Iran.
“Funnily enough, one of the hacking tools that the SEA has been thought to use (and which is very popular with Anonymous) is Iranian, the “Havij” SQL [Structured Query Language] exploitation tool,” Klimburg wrote via email.
“It’s clear that Iran’s regime has helped their ally Assad in utilizing such technologies,” said Hayat Alvi of the U.S. Naval War College. She added that the technologies used by Assad’s regime are similar to those used by Iran during the Green Revolution to track down and arrest activists and bloggers.
With the regime hitting back against activists, anti-regime Syrians have had to find alternative methods to coordinate or communicate with fellow activists or bloggers.
“Most Syrians now are communicating on less-known servers or without classic Internet,” the activist said, adding that an independent dial-up Internet connection is being used by other anti-regime activists. In addition, activists are using anonymizing techniques, such as virtual private networks or the Tor anonymity network to protect their IP addresses from Syrian cyber probes.
But anti-Assad forces have also been on the offensive — often simply defacing Syran Web pages.
The first major attack by the anti-authoritarian group Anonymous came when it hacked the Syrian Ministry of Defense’s website in August 2011. Anonymous has been a thorn in the side of governments around the world, but the group has been particularly active against Syria. On Nov. 30, Anonymous vowed to shut down all Syrian government websites hosted outside Syria, including websites for foreign embassies. According to the E Hacking News website, the Syrian Embassy of Belgium’s website was hacked, as was the Industrial Bank of Syria. Little more has been accomplished since the declaration, though.
The ultimate twist in the Syrian cyber campaigns came in late November: a complete two-day Internet blackout. For a nation’s Internet access to be shut down in this way was unprecedented. Though the Assad’s regime claimed it was a terrorist attack, Internet monitoring experts said the Syrian government had intentionally cut the connection.
The efforts on both sides are continuing. In a Dec. 3 blog post, the EFF said it had detected “two new campaigns of surveillance malware associated with the same IP address” used previously by the Syrian regime to try to trick activists.
This story appears in the January-February issue of C4ISR Journal.