Over the last four years as the Syrian uprising has grown into a full-blown civil war, a sinister parallel conflict has been fought out in cyberspace, with combatants wielding bytes and software rather than guns as they have battled for supremacy on Syria’s internet frontline.
But the consequences of this secret cyber war have been real and deadly – particularly for opponents of the Assad regime who have been targeted for arrest and torture as a consequence of personal information gleaned from their email traffic.
In some cases even the military plans of crucial rebel offensives had been hacked. But the opposition has been busy too, leaking President Bashar al-Assad’s embarrassing personal correspondence and eavesdropping on government troop deployments amid much else.
As a consequence Syria’s civil war has become fertile ground for ‘hacktivists’ from both sides – egged on and in some cases assisted by governments and agencies from outside the region.
In this special investigation for People & Power, Juliana Ruhfus has been finding out why some experts believe Syria’s electronic armies have been drawing up the blueprints for all wars of the future, conflicts that transcend traditional physical boundaries but which can be just as significant as those fought with tanks and missiles.
By Juliana Ruhfus
In February 2015 cyber security company FireEye published an astounding report. “Behind the Syrian Conflict’s Digital Frontlines” analysed a massive data theft: hackers who were close to the Syrian government had stolen 32,000 Skype conversations from opposition fighters and activists, spying not only on private conversations, but also on strategic discussions and even battle plans.
It was a demonstration of just how far Syria’s cyber war had evolved and in the People & Power office we decided that we needed to explore this hidden side of Syria’s conflict, a battle in which viruses and hacking techniques had become just as dangerous as guns and bullets.
These were events nobody had foreseen back in early 2011, when the Arab Spring was spreading across the region and Syrian demonstrators were peacefully demanding that President Assad step down. At the time the internet was seen as a tool of liberation, social media was used to mobilise people for protests, and YouTube was a channel through which activists distributed images and narrative to contradict the government’s official version of events.
But over the following months as the government crackdown on the protestors began and the violence became more severe, scores of activists were arrested, imprisoned and tortured. Today quite a few of them have taken refuge in Turkey, which is where we began our investigation. Media activists such as Rami Jarrah from Radio ANA and the Free Syrian Army’s legal advisor, Osama Abo Zayd, told us markedly similar stories – about being arrested and tortured by security forces who wanted access to their social media accounts in order to identify other opponents of the regime. Once tracked via IP addresses, the secret offices where opposition groups gathered were raided and attendees arrested. Then the social media accounts of those individuals were broken into, leading to yet more arrests and more killing – a burgeoning cycle of violence and repression that was mushrooming out of interrelated internet sources.
It was clear that President Assad was focusing on the web as a key battleground in his fight back against his opponents. And in June 2011 he gave his encouragement to those now wielding cyber weaponry on his behalf: “Young people have an important role to play at this stage, because they have proven themselves to be an active power. There is the electronic army which has been a real army in virtual reality.”
The Syrian Electronic Army (SEA), a well-equipped group of pro-government hackers, had been born. And before long, it seems, it was getting some heavyweight backing. Again and again on location we heard stories – albeit difficult to verify – that Russia and Iran, both supporters of the Assad regime, were training and equipping the SEA.
By late summer 2011 the cyber war had moved beyond Syria’s borders and the cyber fightback had begun, with the global hacking group Anonymous declaring war on SEA and targeting the Syrian Ministry of Defence. SEA, too, had started looking abroad and launched a series of spam attacks on US government websites and those of international news organisations such as the BBC, CNN and Al Jazeera. Th3 Pro, a pseudonymous SEA hacker, gave online interviews in which he claimed the attacks were in retaliation for foreign press hostility to the Syrian government.
In April 2013, SEA even managed to target the Associated Press’ Twitter account and got it to briefly display a message claiming President Barack Obama had been injured in White House explosions. Within seconds $136bn had been wiped off the value of international stock markets – even though it was quickly restored once the fake story was corrected.
As this tit-for-tat exchange went on, WikiLeaks started publishing the Syria Files, a two-million-strong cache of hacked emails from Syrian political figures, ministries and companies, leaving them exposed and quite frequently embarrassed. SEA then retaliated by hacking government internet traffic in Qatar and Turkey, two countries seen to be backing the armed anti-Assad opposition. Meanwhile, the US government was helping Syrian activists smuggle communication equipment into the country and groups like Cyber Arabs and SalamaTech were getting international funding to train Syrian activists in internet security. Syria’s cyber war had truly gone global.
But if we learned one thing during the making of this film it is that real intelligence gathering takes place quietly and often stays undetected. Hackers disguise remote administration tools (RATs) as harmless links, but once they are downloaded a person’s computer can be used to spy on them.
FireEye’s Laura Galante talked us through the way pro-Assad hackers used images of beautiful young women to befriend opposition fighters on the battlefield and eventually sent photos of themselves containing a hidden RAT called Dark Comet. Before it was detected, the ‘trojan’ gathered material related to the battle of Khirbet Ghazaleh during which opposition forces lost crucial access to supply routes.
“What we saw stolen around that battle and the discussions around it were very granular details around the planning,” says Galante. She showed us images of Google Maps uploaded into the conversations with drawings on them that outlined the forthcoming battle.
“The intelligence value around this type of information is immense. If you are able to understand everything from the supplies that the other side has, its dependencies on different people, on different contributors to your supplies… then you’re really able to get a picture of what the other side looks like and use that to your advantage.”
So it came as a surprise to us when Jean Pierre Leseur, the creator of Dark Comet, agreed to be filmed in Paris. Leseur developed the RAT when he was in his teens and uploaded it for free to internet forums dedicated to surveillance. Since then it has been used not only by pro-Assad hackers but also by criminals and fraudsters.
He tells us that he has removed Dark Comet from his website but that it is still possible to find it online, although quite frequently in a distorted version with additional viruses added. Now, at 21 years old, he says he is “100 percent retired from that world.”
“I decided to distance myself because for me it’s a world that became dangerous. We have to be careful what we develop, we cannot foresee that people will use it in the way we envisioned it.” Leseur said he found out from a newspaper link that pro-Assad hackers had used Dark Comet against activists. Today his company offers solutions to help avoid being the victim of ‘malware’.
This year has seen yet more developments that mirror the battlefield changes in Syria on the ground. In February, Anonymous issued a fresh declaration of cyber war – against the self-proclaimed Islamic State of Iraq and the Levant (ISIL) – closing down dozens of the group’s Twitter and Facebook accounts to stop them from recruiting new members.
Two months later, TV5 Monde, France’s international broadcaster, was hacked and screens switched to display messages from a ‘cyber caliphate’ in retaliation for the French army’s involvement in Syria and Iraq. It seemed at first that an ISIL-linked group was targeting the station, but in a final twist investigators found that the hacks appeared to originate in Russia and were carried out by a Kremlin-linked group, very possibly in support of the Syrian government.
Thousands of attacks take place around the world each day. For now most are aimed at commercial targets but the Syrian conflict is a likely blueprint for the way future wars will be played out.