Cyber attacks and surveillance in Assad’s Syria: ‘They can do whatever they want, they own the infrastructure’

Dlshad Othman speaks at the UN in 2012. Photo courtesy of Eric Bridiers/Creative Commons.

Cybersecurity expert Dlshad Othman remembers a joke among Syrian activists after unrest erupted across his home country in 2011.

A security officer “stops a Syrian at a checkpoint and asks to see his Facebook,” 31-year-old Othman tells Syria Direct’s Justin Clark. “His literal, hardcopy ‘face book’.”

But jabs at the Syrian government’s cyber capabilities shouldn’t distract from a very real threat, warns Othman. Throughout the conflict, Damascus-linked cyber attacks have targeted thousands of computers, defaced websites and led to the arrests of countless activists and journalists.

And in April 2018, a new wave of government-linked cyber attacks targeted pro-opposition social media users as well. This time, the hackers injected potent malware into fake programs that mimicked legitimate applications.

“The minute you download this it will take control over your computer,” Othman tells Syria Direct. Then, the malware “can turn on your phone camera, it can extract files” from smartphones and personal computers, he adds.

Othman is one of a number of analysts and experts warning that the Syrian government—as well as other actors in and outside Syria—are building up their capabilities to monitor internet traffic and conduct cyber attacks. The results could be deadly, Othman warns.

“A lot of foreign journalists underestimated the Syrian government and ended up in jail,” Othman says.

“Or at least their sources ended up in jail.”

Othman, born in Qamishli in northeastern Syria’s Hasakah province, is a Washington DC-based security analyst and consultant who has followed the online movements of the Syrian government and rebel groups since the war began.

He left Syria in 2012, but has been working to provide technical assistance and training to activists, journalists and others working in Syria-related fields ever since. He was named an Internet Freedom Fellow by the US Department of State in 2012 for his work.

Q: We’ve heard a lot about the Syrian Electronic Army and how Damascus and their Russian allies are putting increasing effort into cyber attacks. In March, a story broke about a British doctor volunteering in Syria concerned that his hacked computer gave away the location of a Syrian hospital that was later bombed by Russian warplanes.

What is the Syrian state capable of when it comes to cyber warfare and monitoring?

Regarding the Syrian government’s technological capabilities, you have to really distinguish between targets inside the country, which are using Syrian government infrastructure; and targetswhether in Syria or notthat are not using government infrastructure.

Internet is solidly centralized in Syria, so you have users who use DSL in places like Damascus and you have other users who use 3G technology via mobile to access internet in other places. Both types of users are actually using Syrian infrastructure—infrastructure that is controlled by the Syrian government—which means the Syrian government is the man in the middle.

In these cases, the government can listen, they can collect traffic, they can censor, they can surveil, they can do whatever they want because they own the infrastructure.

The Syrian government is pretty advanced. Censorship capabilities have been in place since Syria got internet. In 2010-2011 they became more advanced and they put some smart technology such as Blue Coat firewalls and DPI boxes. These DPI boxes are smart and they help the government to censor or prevent encrypted traffic and plus carry on some more advanced surveillance.

[Ed.: Deep Packet Inspection refers to a process by which packets—bundles of data sent over the internet—are opened and their contents examined. While DPI can be used for legitimate purposes like optimizing internet traffic, some have warned that it gives internet service providers and governments the ability to spy on internet users and collect their data.]

As for people who are outside of the scope of the Syrian government’s infrastructure, we can see the Syrian Electronic Army or the Syrian Network Team coming in. These two groups are—I would not say advanced—[but] they were good, really good, when it comes to building malware, finding targets, attacking them, exploiting vulnerabilities on personal computers and tracking these users.

Now in 2014, we thought that the Syrian Electronic Army’s activities went down or stopped completely, but we were wrong. Starting last April, we start seeing new malware samples by the Syrian Electronic Army targeting Windows machines and Android phones.

The Syrian Electronic Army’s new strategy is to build fake applications that mimic real applications and inject malware inside them. It’s a new technique.

We still see that they [the attackers] have fixed Syrian IP addresses, which means it’s actually coming from the Syrian government and—I would say—groups active inside the country. These kinds of attacks are very targeted, so it’s not a mass attack like the previous Syrian Electronic Army wanted to make. It’s more advanced, targeting dissidents and high-profile opposition figures. And they are getting [their targets] in some places.

I believe that they [the Syrian government and Syrian Electronic Army] are pretty powerful. They are reorganizing themselves and coming back on a larger scale.

Q: Can you give me an example of a recent attack?

One of the recent attacks was in April 2018. They released around 10 malware samples targeting smartphones and Windows machines. We learned about it through someone who shared a link with us. This same person had a Facebook page that was compromised, so the Syria Electronic Army shared links to APK files [Android Application Files] of the malware on this Facebook page.

It was not widespread, meaning that they’re really targeting a specific group of users. If I recall correctly, the Facebook page was an East Ghouta-related news page, so it’s likely they were targeting people in besieged areas.

Q: When you think of how this kind of malware might affect someone who stayed on in an area like East Ghouta, which accepted reconciliation and is now under state control, the kind of information they give up if this malware attacks them is staggering.

The thing is, these kinds of malware are weapons. They can be weaponized, they can be used anytime.

I believe it’s obvious that Bashar al-Assad is taking over. The minute the government assumes full control [of the country], it will be time to start initiating new mass attacks against dissidents [in Syria] or in the diaspora.

Some people inside Syria are tech savvy—they know the government is watching them—so they use a VPN, they use Tor or whatever else to prevent the government from knowing what they’re doing.

[Ed.: A virtual private network (VPN) can be used to mask a user’s identity and conceal their location as they browse the internet. Tor is an internet browser that also aims to conceal a user’s identity and location.]

So, by targeting these kinds of internet users with malware, they bypass other security measures [like using a VPN, for example] because the malware is placed directly on your computer. Whatever you do on your computer is going to be watched by the malware.

The minute you download this it will take control over your computer. These apps are RAT, or remote access tool. These apps will give the attacker full access to your device. When I say full access, I mean it. It can turn on your phone camera, it can extract files from your phone and have full control over your phone and even windows machines.  

Q: But it’s not just the Syrian government that is working on its cyber capabilities, right?

The Syrian Electronic Army is not alone. The media may be more inclined to focus on [the government], but they’re not alone.

The Syrian opposition also has hacker groups targeting one other, targeting other opposition groups and targeting activists. The Islamic State also tried for a while tried to build its own cybersecurity capabilities.

There is a group called Revolution Hackers, which carried out some attacks against other opposition groups with opposing political affiliations. In Idlib, I know some people who were taken from their homes and arrested for their online activities—which means that [rebel factions] are also targeting users there.

Last year, the Facebook account of Arif Dalila was compromised by an opposition hacking group which used his account to target other secular opposition figures.

Q: There are always rumors of an amnesty from Bashar al-Assad once the Syrian government takes back the lion’s share of Syria. Even so, many are concerned that perceived dissidents will face retribution and revenge on a large scale.

My question for you is: If a mass attack were to happen as you’re predicting, what might that look like? Is there a precedent?

Definitely. In 2011 and 2014, the Syrian Electronic Army literally targeted every single social network user, either by applying some surveillance techniques on the network or by targeting them with phishing, spear phishing links or malware, so it was en masse.

[Ed.: Phishing is a cyber attack by which a user is tricked into typing their login credentials into a fake site that mimics a genuine one, thereby stealing their information. Spear phishing works on the same principle, but refers to the specific targeting of individuals.]

Mass cyber attacks means compromising emails, targeting social network accounts, releasing malware, maybe purchasing new, more advanced surveillance technologies and pushing fake TLS certificates [Ed.: certificates issued by third-party authorities demonstrating a site’s authenticity] against websites like Facebook or Gmail to steal usernames and passwords.

Q: You mention malware attacks, but can the Syrian government just intercept traffic from Whatsapp and Facebook?

Facebook and WhatsApp are both encrypted. What the Syrian government can know is that this user is connected to Facebook or WhatsApp or whatever, and that’s it—unless the person is publishing public content without privacy settings on their page.

But when they target users with malware, it helps them bypass this restriction and actually see all the activities you do on your smartphone or laptop.

Q: What should Syrian journalists and activists, whether inside or outside of the country, do to protect themselves? What methods can they use to not only protect themselves, but also their sources, for example?

Let me give you an example.

In 2011, the Syrian Electronic Army targeted a foreign aid worker. After they targeted this person’s machine, they started targeting other journalists and other foreign aid workers who were working on Syria through the aid worker’s contacts. The SEA used the aid worker’s machine and accounts, such as email or social network accounts, to spread malware. It was so effective.

You might hear some funny stories about how stupid the Syrian government and their security officers can be. One of my favorite jokes is when an officer stops a Syrian at a checkpoint asks to see his Facebook—that is, his literal, hardcopy “face book.”

But as much as you hear these kinds of things, the Syrian government is no joke when it comes to cybersecurity. A lot of foreign journalists underestimated the Syrian government and ended up in jail—or at least their sources ended up in jail.

First, common sense is really important. Before using any application or using any software, just ask yourself if the software is secure or not. When you download applications, only do so from the original source, from the App Store or Google Play. Do not download any external software from external sources.

Secondly, I know people love clicking on links, but really think about it before clicking. Just check the link—is it legit? Is it http-slash-youtube-dot-com-slash-something, or youtube-dot-com-dot-X-dot-whatever-dot-org? Check before clicking on it.

If you are suspicious of something, ask someone technical to look at it. Do not take action by yourself.

Third, enable two-step authentication on everything: on Gmail, on WhatsApp.

Imagine you’re a journalist and you’re using a Syrian phone number. It takes the Syrian state one minute to reach one of the SIM cards and activate your WhatsApp on another phone. They have access to it. So try to enable two-factor authentication on every single app you use: Facebook, Twitter, Gmail or whatever. And do not use these apps unless it’s with an activation code.

For example, Gmail provides you with Google Authenticator, which is an external app you can install on your phone and it will generate you a code. You should try to use these apps in order to prevent the Syrian government from reading your text messages.

Q: What about, hypothetically, someone who is a pro-opposition activist but lives in the heart of Damascus and browses the internet frequently, using Syrian government infrastructure as you said before. Beyond the common-sense approaches that you mentioned, how does someone like that make sure they are not being monitored or under threat?

Again, the exact same things we talked about, the same steps that any journalist would take to protect themselves. At the same time, they also have to encrypt their internet traffic, which means that as long as you’re using the Syrian electronic services, it’s important to use VPN or Tor when you are using the internet.

[Using a VPN or Tor browser] will provide you with an encrypted tunnel you can bypass your traffic through to prevent the Syrian government from seeing or monitoring your traffic. So VPN and Tor are good solutions in this case, plus what we talked about before.

Q: There have been whispers among analysts in recent months that, especially with Russian backing, the Syrian government is really working towards buffing up its online presence—its cyber presence, for lack of a better word.

What’s the general outlook for the future? How do you see the role of cyber attacks evolving in the next few years? Any specific scenarios in mind?

Russia has its own operations when it comes to Syria. A lot of people are saying that Russian hackers are helping the Syrian government. And they might help them on the strategic decision-making level, they might give them some advice on what approaches to use to target users, that makes sense, but when it comes to technology, we never saw any similarities between the two states.

I don’t think the Syrian Electronic Army needs Russian help. I’m not kidding.

But I think the next move for the Syrian state will be targeting foreign states or Syrians who are in touch with foreign states—so high-profile missions, activists and governments involved in the Syrian war. I think that these will be the next targets, plus maybe misinformation campaigns.

Russian cyber activities when it comes to Syria is all about misinformation: fake news websites here and there, targeting Arabic- and English-speaking readers. I think the Syrian government is going to use the same approach. Fake news is a big thing, and I believe the Syrian Electronic Army will be doing that [next].

Justin Clark

Justin studied Arabic at Western Michigan University. He continued his studies at Bethlehem University in the West Bank and the Qasid Institute in Jordan. Justin's work and studies have taken him to Jordan, the West Bank, Egypt and Greece.