A Syrian activist works in the media centre in Bab Amr hours before it was shelled. Did spyware play a part? Flickr/Freedom House. Some rights reserved.
Along with everything else today, Syria's civil war has been digitised. State-owned infrastructure allows the government of Syria to snoop on communications. Militarised spyware and targeted malware attacks against members of the opposition, activists and journalists have been at the heart of Syria's digital civil war. While the use of US online commercial services may seem like a lesser evil, political alliances may change in light of a greater one, with potentially serious consequences for Syrian opposition activists.
Snooping on communications
Most communications networks in Syria are controlled by the Syrian government. The state-owned Syrian Telecom (STE), part of the Ministry of Telecommunications and Technology, is the main regulator of telecommunications in the country. STE owns most of the telecommunications infrastructure in the country and faces very limited competition from private internet service providers (ISPs). STE states on its website that it does not share individuals' data unless required to do so under certain laws and regulations.
However, it has been reported that internet cafe operators in Syria are required to snoop on the communications of their customers and to maintain records. Such records include their customers' names and copies of their IDs, as well as logs of their internet activity. Internet cafe operators must hand over these records to the authorities upon request. Furthermore, Syrian-based websites were ordered by the government in 2007 to reveal the identity of any person behind an article or comment that they published.
But the Syrian government has even more sophisticated means of monitoring communications. The Syrian Electronic Army (SEA) is an organised pro-government computer attack group that actively targets human rights activists and the political opposition. The Syrian government uses the SEA to carry out surveillance and intercept communications within the country. Moreover, the SEA is known for hacking various high-profile Twitter accounts and websites, including those of the Guardian and the New York Times. On 20 June 2011, Syrian President Bashar al-Assad described the SEA as "a real army in virtual reality".
In addition, the Syrian government uses advanced surveillance equipment to intercept communications, some of which was bought from US companies, even though Syria is embargoed by the US. The Syrian government was using network monitoring systems purchased from US-based Blue Coat Systems, including Blue Coat SG-9000 proxies, which filter, censor and monitor internet communications at country scale.
In particular, Blue Coat gear is used to block proxy services used by Syrian people, such as Proxyweb, Proxify, Hidemyass and Guardster. It also censors online content based on domain names and URLs (such as skype.com), keywords (such as "proxy" and "hotspotshield"), and IP addresses. According to researchers, such censorship also includes the heavy filtering of instant messaging and is more targeted than in China and Iran.
Targeted surveillance against Syrian human rights activists
Numerous cases of targeted surveillance and phishing campaigns targeting email accounts and social media accounts of Syrian opposition groups and activists, as well as NGO workers and journalists, have been reported since April 2011. According to a CNN report, “computer spyware is the newest weapon in the Syrian conflict”.
About four years ago, the Syrian Telecom Ministry launched a man-in-the-middle attack against the HTTPS version of the Facebook website. This attack was supported by multiple Syrian ISPs, and targeted Syrians' browser connections to Facebook. In early 2012, Syrian opposition activists were targeted with several trojans which installed spyware on their computers, as well as with phishing attacks which stole their YouTube and Facebook credentials.
In other cases, Syrian opposition activists have been tricked by pro-government hackers who sent malware over Skype disguised as PDF documents discussing the creation of the leadership council of the Syrian revolution. On opening the files, the activists instead installed the DarkComet Remote Administration Tool (RAT), which can capture webcam activity, record keystrokes and steal passwords, to name a few of its capabilities. The same trojan was also remotely installed on Syrian activists' computers in 2012 through a PDF which supposedly contained a plan to assist the city of Aleppo, where opposition had been growing.
Dissidents in Syria have been targeted with other types of surveillance technologies in addition to DarkComet RAT. In May 2012, it was reported that a Syrian activist received a file from a pro-Syrian-government hacker who had compromised the Skype account of the activist's friend, who had already been arrested. The file included a backdoor called Xtreme Remote Access Tool (RAT), infecting his computer.
And in other cases, Syrian activists have been targeted with BlackShades RAT, a malicious trojan used to control computers remotely. As in previous cases, this trojan was distributed to targets via masquerading files sent through compromised Skype accounts. More recent attacks include a malicious installer of Freegate, which is capable of circumventing Virtual Private Networks (VPNs) for Windows, as well as malicious email attachments calling for jihad against Hezbollah and the Assad regime. Such cyber attacks against Syrian opposition activists have been persistent throughout the civil war.
US online commercial services: the lesser evil?
Syrian human rights activists and journalists often use commercial services such as Gmail, Facebook, Twitter, Yahoo email and WhatsApp for their communications, and this choice is no coincidence. Like most activists around the world, Syrians use these services not only because they are easy to use and easily accessible, but also because they allow access to a broad audience. However, documents leaked by Edward Snowden revealed that such commercial services have been compromised by US and UK intelligence agencies.
Confidential documents revealed that the NSA has collected and mined data in bulk, including the content of emails, file transfers, live chats and individuals' search history directly from the servers of US companies including Microsoft, Google, Yahoo, Facebook, Apple, AOL, YouTube, Skype and PalTalk. British intelligence agency GCHQ is capable of tapping into the fibre optic cables that make up the backbone of the internet to gain direct and real time access to individuals' online activity on some of the most popular social media sites, such as Facebook, Twitter, YouTube and Blogger.
And both the NSA and GCHQ appear to have hacked into Google and Yahoo data centres. By tapping into the communications links that connect Google and Yahoo data centres around the world, both intelligence agencies are in a position to collect data from hundreds of millions of user accounts indiscriminately. Yahoo itself has been explicitly targeted by the GCHQ, which intercepted 1.8 million Yahoo webcam images within a six-month period alone.
But even when Syrians do not explicitly choose to use such services, the majority of their data end up with these companies anyway. Tactical Tech's online tracking transparency tool, Trackography, shows that Google tracks 60% of Syrians' access to media websites. In addition, this tool illustrates that 86.96% of Syrian national media websites have connections which pass through the network infrastructure of both the US and the UK. In short, whether using US-based services like Google and Facebook, or just reading the national news online, most Syrians' data end up stored in the US.
When considering trade-offs, many Syrian human rights activists and journalists would rather hand over their data to the US than to their own government. As the Syrian government heavily targets the communications of political dissidents, possibly leading to very serious forms of retribution, Syrian pro-democracy activists feel that their data is safer on the servers of their government's "enemy", which is less likely to share their data with their government.
However, alliances constantly change, and those who might be viewed as a political enemy today might become a political ally tomorrow. There is no better example than the possible move from tacit cooperation to formal alliance between Assad and US President Barack Obama to fight a "greater evil": IS. This, however, raises concerns with regard to the digital and physical security of Syrian opposition activists. If Assad and Obama were to join forces against IS, this would likely extend to the field of intelligence data-sharing, hardly outside the realm of possibility given Assad's recent admission that he receives information about coalition air strikes through "third parties".
If the US collaborates with the Syrian government to tackle IS, Assad could potentially request access to the data of Syrian opposition activists, especially if they are viewed as terrorism suspects. In light of ISIS, the "greater evil", Syrian opposition activists could potentially be at the front line of abuse, unless they adopt digital security practices which could mitigate the risks.
There is no silver bullet for digital security, and perfect security does not exist. There are however various risk mitigation strategies that could be carried out based on threat models.
To circumvent mass surveillance and online tracking, the use of Tor is beneficial for starters. This anonymity software not only helps users hide their IP address, but also helps them gain access to blocked websites. In addition to Tor, the installation of HTTPS Everywhere ensures that users' connections to websites which support HTTPS are encrypted. Users can also install browser extensions which prevent third-party trackers from tracking their online activity, such as Privacy Badger. Browser add-ons such as RequestPolicy block cross-site tracking, while others, like NoScript, block third-party scripts from running on users' computers when they access websites.
Regardless of the types of services Syrians use, the use of strong passwords is always crucial. Security in-a-box provides information on how users can create and maintain secure passwords. The effective use of antivirus software, and the secure use of mobile phones and smartphones (for example through TextSecure, which sends and receives encrypted SMS on Android phones), are also essential. If Syrians choose to use US online commercial services, e.g. Gmail, or any other service for that matter, encrypting the content of their emails could provide a further layer of security. Security in-a-box provides a hands-on guide on how users can learn to encrypt their emails.
Given that the Assad government heavily censors instant messaging in Syria, the use of secure tools such as OTR, which encrypts the content of messages, is highly recommended. And given that many targeted malware attacks have been carried out through Skype, Syrians could also consider using other platforms, such as Jitsi, which offer encryption through the OTR protocol.
More generally, guarding against the social-engineering techniques commonly used by the Syrian Electronic Army is crucial. When Syrians receive email attachments, for example, they should confirm with the sender via phone or in person, where circumstances allow, especially if the attachment has a politically motivated title.
More tools and tactics for digital security can be found in Security in-a-box's hands-on guide. Installing such software and learning to use encryption might sound like a daunting task but, given the digitisation of Syria's civil war through militarised spyware, it is definitely one worth considering.
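The attacks described above relied on executables sent over Skype or email under document-looking names. The following triage check, an added example that is not part of the original article, compares the extension an attachment claims against its real leading bytes; the signature table and the sample attachments are constructed here and the names are hypothetical.

```python
"""Flag attachments whose name says 'document' but whose bytes say 'program'.

Added example, not code from the original article. Signatures and samples are
constructed; the check is a first filter, not a substitute for confirming a
file with its sender out of band."""
import os

# Leading bytes that identify common formats (constructed table, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",          # Windows PE executable (DOS stub header)
    b"\x7fELF": "elf",     # Linux executable
    b"PK\x03\x04": "zip",  # also the container for .docx / .xlsx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc / .xls
}
EXECUTABLE_TYPES = {"exe", "elf"}
# What the real type must be for a document extension to be believable.
EXPECTED = {"pdf": {"pdf"}, "docx": {"zip"}, "xlsx": {"zip"}, "doc": {"ole"}, "xls": {"ole"}}


def detect_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment by comparing its name with its real type.

    'executable-disguised': a program named like a document (plan.pdf.exe, or
    aleppo.pdf that is really a PE); 'executable': any other program;
    'mismatch': a document extension whose bytes are a different format;
    'consistent': the name is not lying (which is all this check proves)."""
    name = filename.lower()
    ext = os.path.splitext(name)[1].lstrip(".")
    inner = os.path.splitext(os.path.splitext(name)[0])[1].lstrip(".")  # plan.PDF.exe
    real = detect_type(data)
    looks_like_document = ext in EXPECTED or inner in EXPECTED
    if real in EXECUTABLE_TYPES or ext == "exe":
        return "executable-disguised" if looks_like_document else "executable"
    if ext in EXPECTED and real not in EXPECTED[ext]:
        return "mismatch"
    return "consistent"


# Constructed sample attachments (not real malware): a PE header prefix and a PDF.
SAMPLES = {
    "aleppo_plan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "leadership_council.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "leadership_council_real.pdf": b"%PDF-1.4\n%constructed sample\n",
}

if __name__ == "__main__":
    for sample_name, blob in SAMPLES.items():
        print(f"{sample_name}: {triage(sample_name, blob)}")
```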
The use of digital security tools is not just a crucial lesson for Syrian human rights activists and journalists. Digital security is good practice in general, because privacy and anonymity can protect us from abuse by those in power.