Back in the pre-digital era the femme fatales working for shadowy spymasters actually had to apply themselves in bed, or come very close to doing so. Catherine de Medici in the 16th century operated a “Flying Squadron” of beautiful female spies recruited for their skills teasing secrets from lovers at court. And the Germans had seductress Mata Hari in the First World War. Nowadays there’s no need for such carnal performances—digital spooks can just set up a dating site or direct seemingly sympathetic women to flirt online via Skype chat. Forget pillow talk, the spyware they can insert in a victim’s computer will give them the full monty.
And that, according to a study released by cyber-threat company FireEye, is just one of the methods President Bashar al Assad’s mainly Russian-trained intelligence services have brought to the digital frontlines of the Syrian civil war. Virtual femme fatales are managing to secure battle plans and opposition strategies, actionable military intelligence and scores of documents offering Assad’s officers valuable insight into the opposition’s operations.
Since the start of the Syrian uprising in 2011, pro-Assad hackers have been targeting opponents using increasingly sophisticated malware and social media manipulation to trick rebel commanders and fighters, as well as opposition political figures, into giving them access to their computers and smart-phones.
Less sophisticated attacks have involved the sending out of mass emails urging recipients to click on a link to see the latest video showing the brutal tactics of the Syrian army or Assad loyalists. Clicking on the link leads, in fact, to the installation of malware allowing pro-Assad hackers to log keystrokes and to snatch screenshots of the target’s computer, which is effectively put under their control.
Other techniques have included hijacking email accounts of opponents to send out phishing messages to their comrades promising urgent information on the movements of government troops. Many Western journalists covering the Syrian conflict have suffered from these so-called phishing expeditions and regularly send alerts to each other warning of new malware techniques.
But according to FireEye, a San Francisco-based company that advises corporations and governments on cyber threats, pro-Assad hackers also set up a matchmaking site—the company doesn’t give the name—populating it with women’s profiles indicating their age, location and interests, as well as other personal information.
From there, the serious online seduction began. Cyber spooks groomed insurgent commanders, political activists and even aid workers on Skype, ensnaring them in “conversations with seemingly sympathetic and attractive women,” according to FireEye researchers.
During those online exchanges, the women offered personal (malware-laden) photos. Once the photos were downloaded, Assad’s spooks could rifle through files, select data to copy, and mine the target’s Skype chat logs and contacts for further phishing expeditions. The women usually asked their targets whether they were using a smart-phone or a computer before deploying tailored malware based on the remote-access software called DarkComet.
Researcher Nart Villeneuve says FireEye is unable to identify precisely who is behind the tailored attacks, but adds: “We know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”
The cyber threat company has focused its investigation on a series of attacks mounted between November 2013 and January 2014. The interest of researchers was piqued when they came across a cache of stolen rebel battle plans in mid-2013 for an operation to capture the town of Khirbet Ghazaleh near the city of Daraa. Among the stolen material were satellite images and maps, the timing of raids and lists of weapons and equipment to be used.
“Between at least November 2013 and January 2014, the hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions belonging to the men fighting against Syrian President Bashar al-Assad’s forces,” FireEye concludes. In total, it said, 7.7GB of data had been stolen, including more than 240,000 messages, 31,000 conversations and 64 separate Skype account databases.
The researchers say the hackers were able to “acquire large collections of data by breaching only a relatively small number of systems due to the opposition’s use of shared computers for satellite-based Internet access.”
Individuals targeted by the hackers included members of the Western-backed Free Syrian Army and fighters with Islamist brigades. The victims of the attacks were based mainly in rebel-held areas of northern Syria, but also in Lebanon, Jordan and the Gulf. Media activists and humanitarian workers were also targeted.
The FireEye researchers say the attacks they have investigated were not only aimed at seeking an information or propaganda edge but were taking place “in the heat of a conflict” and were providing “actionable military intelligence for an immediate battlefield advantage.” The information being grabbed could “thwart a vital supply route, reveal a planned ambush, and identify and track key individuals. This intelligence likely serves a critical role in the adversary’s operational plans and tactical decisions.”
The extent to which these stratagems may have targeted ISIS, and with what success, is not clear, since a certain amount of cooperation is required for FireEye to get its data, and that’s not likely to be forthcoming from the so-called Islamic State.
Other cyber-threat organizations and security analysts have noted in the past the adept use of the Internet by pro-Assad hackers. As early as 2011 the U.S.-based Electronic Frontier Foundation, a non-profit, warned Assad’s opponents of cyber dangers from the Syrian Electronic Army, a cabal of pro-government hackers. But those hackers were more focused on propaganda and waging an information war. They took over the Facebook pages of French and U.S. presidents Nicolas Sarkozy and Barack Obama, flooding them with comments like “we love Bashar al-Assad” and “I live in Syria, stop lying, nothing is happening in Syria”. They also sought, and still do, to disrupt and disable pro-opposition websites.
The activities of the hacker group that FireEye unearthed are more espionage-focused, using a greater range of malware that has been customized and developed to be more insidious. And unlike previous hacking, the primary command and control servers being used are not located in Syria, suggesting the hackers are either based outside the war-torn country or the kind of servers needed for the espionage are not available for them inside Syria.
In 2012 there were media reports of a three-day training course organized by Syrian intelligence in Lebanon for pro-Assad Internet activists, some of whom were Lebanese members of Hezbollah groups. A leaked manual described the use of methods that were “eerily similar” to those being employed now, including the use of femme fatales to entrap opposition members and fighters on Facebook and Skype.