Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns

December 23, 2013


Categories: John Scott-Railton, Morgan Marquis-Boire, Reports and Briefings


High profile hacking by the Syrian Electronic Army (SEA) against Western media outlets has put the digital angle of the Syrian Civil War on the map. Yet, further from the public eye, another campaign has been taking place. For more than 2 years the Syrian opposition has been targeted with a range of electronic attacks aimed at stealing secrets and frustrating their objectives. Many targets are dissidents or fighters, but others are humanitarians, journalists, and others touched by the conflict. Unlike the high profile defacements of the SEA, these compromises are rarely publicized by the attackers, although the malware has sometimes attracted considerable attention from security researchers and activists.

The fight in cyberspace often mirrors the geopolitics of Syria’s civil war.  For example, malware attacks appear to have gone quiet in the period when a military intervention seemed imminent, only to pick up when the possibility seemed to fade.  Similarly, just as news from Syria can be murky and distorted with misinformation, false flag malware is showing up online, too.

The latest iterations of these campaigns are tracked in a White Paper released jointly by Citizen Lab, Munk School of Global Affairs, University of Toronto and the Electronic Frontier Foundation (EFF), and authored by Morgan Marquis-Boire (Security Researcher, Citizen Lab), John Scott-Railton (Research Fellow, Citizen Lab), and Eva Galperin (Global Policy Analyst, EFF). The report builds on extensive previous research and writings by EFF and Citizen Lab to update what we know about malware campaigns targeting the Syrian opposition.

Highlights include:

  • New malware attacks using Skype, Gmail, Dropbox, and Facebook

  • Updates on social engineering practices

  • The use of njRAT attacks in Syria, the first time it has been publicly reported in this conflict

  • A potential false flag malware attack with a Mac OS X Trojan (first identified by researchers at Intego)

  • Intriguing clues about the identity and practices of one of the malware creators


The report, published as a collaboration between Citizen Lab and EFF, is available on EFF’s website.

You can read the Wired article about the paper here.


One Comment

  1. Andy
    Posted December 23, 2013 at 11:18 pm | Permalink

    Reading these sorts of reports, I have many times gotten the idea that there should be a way in most OSes to disable support for a file providing its own icon, as well as making the opening of .exe files more conspicuous.

    I see why the opportunity to change icons was implemented–it’s much easier to find Word on the desktop by looking for a “W” icon than if all .exe files were forced to use a generic “exe” icon. But a way to “de-implement” this feature would virtually eliminate these sorts of “social engineering” attacks, and human rights orgs may well think it’s worth the trade-off. It would of course be easy to do in an open-source OS like Linux (if Linux even has this problem to begin with!…) but I don’t know about Windows and OS X.
