COMMENTARY
Syria's Cyberwar
Branch 225 at work. In Syria's internal cyber war, the Assad regime's supporters have developed and deployed a new viral weapon against Syrian opposition activists.
The malware is spyware written for one specific cyber-espionage campaign: it passes the information it captures from infected target computers to a server at a government-owned telecommunications company in Syria.
The campaign is built on identity theft and the data it yields. Supporters of the Assad regime steal the identities of opposition activists, then impersonate them online in social media and chat, gaining the trust of other activists and spreading the virus. Once on a victim's computer, the malware sends captured information out and is used to infect the computers of further opposition activists, opening the door to more identity theft and widening the campaign's reach, its data haul and its impact.
The virus, Backdoor.Breut, is simple and readily available for download on underground forums on the Internet; all that is required is to edit the code to change its characteristics. Backdoor.Breut attempts to give the attacker remote control of the victim's computer. It steals passwords and system information, silently downloads new programs, manipulates internal processes, logs keystrokes, takes pictures with the webcam and attempts to shut down any running anti-virus program. That is just the tip of the proverbial cyber-iceberg.
A new global arms race is emerging and maturing: electronic surveillance. The Syrian regime built a surveillance system last year to monitor and control text messaging, e-mail and Internet use. The government has ordered blocks on text messages containing politically sensitive terms such as "revolution", "meeting" or "demonstration". A unit of the Syrian intelligence apparatus known as "Branch 225" is the controlling force that issues instructions on which messages to block, and when, in an effort to track down opposition activists.
The Syrian security communications branch, codenamed "Branch 225," is the command hub for all telecommunications security in Syria. Branch 225 has direct connectivity with mobile phone operators, Internet service providers, communications companies and ICT firms, as well as the critical-infrastructure organisations that manage electricity and water. Branch 225 also controls the Syrian Telecommunications Establishment (STE), the main communications body in Syria, which in turn controls all ISPs and landlines within the country. Effectively, the regime owns and controls its area of cyberspace and is leveraging people, processes and technology to actively thwart or track down dissidents, activists and protestors.
So where does Backdoor.Breut connect, and what is the connection? The virus sends the information it obtains from infected computers to the IP address 216.6.0.28, and makes no attempt to hide this. A simple IP lookup links that address to the Syrian Telecommunications Establishment, the STE. Since the STE controls every ISP in the country, an address in its allocation shows that the collection server sits inside Syria's state-run network; ownership of the address block does not by itself say who operated the server.
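The practical question for a defender is not the lookup itself but whether any machine on the network has been talking to that address. The check below is an added example for this commentary, not code from the article's author or from any vendor: it sweeps firewall log lines for outbound connections to known command-and-control or exfiltration addresses and reports which internal hosts made them. Only the address 216.6.0.28 comes from the text; the iptables-style log format, the hostnames, the RFC 1918 source addresses and the second indicator range (an RFC 5737 documentation block, included only to show CIDR matching) are constructed for illustration.

```python
"""Sweep constructed firewall logs for connections to known C2/exfiltration addresses.

Added example for this commentary; not code from the article's author or any vendor.
The only indicator taken from the text is 216.6.0.28. Everything else (log format,
hostnames, private source addresses, the 192.0.2.0/24 documentation range) is
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators of compromise. The /32 is the exfiltration address named in the
# text; the /24 is an assumed, illustrative range to show that matching works
# on networks as well as single hosts.
IOC_NETWORKS = [
    ipaddress.ip_network("216.6.0.28/32"),
    ipaddress.ip_network("192.0.2.0/24"),  # RFC 5737 TEST-NET-1, illustrative only
]

# iptables LOG-target style line (constructed format; adjust for a real sensor).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample input: two hits from one workstation, one from another,
# one benign connection and one unparseable line.
SAMPLE_LOGS = """\
Mar 12 10:01:02 fw1 kernel: OUT=eth0 SRC=10.0.0.15 DST=216.6.0.28 LEN=60 PROTO=TCP SPT=49201 DPT=80
Mar 12 10:01:05 fw1 kernel: OUT=eth0 SRC=10.0.0.22 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=49202 DPT=443
Mar 12 10:02:17 fw1 kernel: OUT=eth0 SRC=10.0.0.15 DST=216.6.0.28 LEN=60 PROTO=TCP SPT=49203 DPT=8080
Mar 12 10:03:00 fw1 kernel: unrelated line that does not parse
Mar 12 10:03:44 fw1 kernel: OUT=eth0 SRC=10.0.0.31 DST=192.0.2.77 LEN=60 PROTO=UDP SPT=5353 DPT=5353
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dpt: int
    matched: str  # which indicator network the destination fell into


def parse_line(line):
    """Return the named fields of one log line, or None if it is not a connection record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_ioc(dst):
    """Return the indicator network (as a string) containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def sweep(log_text):
    """Return a Hit for every parseable connection whose destination is an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a connection record; skip rather than fail the whole sweep
        net = match_ioc(rec["dst"])
        if net is not None:
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"], int(rec["dpt"]), net))
    return hits


def infected_hosts(hits):
    """Sorted, de-duplicated list of internal hosts that contacted an indicator."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dpt} (matched {h.matched})")
    print("hosts to isolate and image:", infected_hosts(found))
```

Matching on the destination address is deliberately cheap so it can be run over days of logs; the point of the `infected_hosts` list is triage, since each source that appears is a machine to isolate and image, and each user behind it is an identity the attackers may already be impersonating.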
The filtering has inhibited antigovernment protestors' ability to leverage the social media and technologies that helped organize dissent elsewhere in the Middle East and topple dictatorial regimes in Tunisia, Egypt and Libya. Social media may not have been the be-all and end-all, but it did accelerate the process.
Let us not forget that before Twitter and Facebook, government dissidents and protestors of the Cold War era in the old Soviet Eastern bloc, the Warsaw Pact countries, and in particular Poland's Solidarity movement, managed the same kind of protest without social media. Solidarity was a broad anti-bureaucratic social movement, and "Solidarność" was the first trade union in a Warsaw Pact country not controlled by the communist party. At its height Solidarity reached 9.5 million members, a full one third of Poland's working-age population. All without social media. The question can be asked how social media would have accelerated a movement that ultimately led to the breakdown of the Soviet Union. The question must also be asked how the movement would have reacted to social media.
Within Syria, and in other Arab Spring nations, the Internet and the technologies employed are enablers; they provide momentum and a shaping effect, and they are by definition bidirectional. They give citizens within these states the opportunity to communicate amongst themselves and with the outside world.
That is a game changer. As is the silent cyber war being conducted.
For all the praise social media received for toppling Arab dictators during this year's Arab Spring uprisings, few paid attention to these regimes' practice of enlisting hackers and cyber warriors to support entrenched governments. While the Egyptian government was attempting to shut down Internet access in the country entirely, the regimes in Iran and Syria were busy using the Internet, leveraging technology and social media and recruiting their own "cyber armies" to fight back against pro-democracy bloggers and Twitter, YouTube and Facebook users.
The Syrian state and regime have held a monopoly over all media and telecommunications since the Baathist military coup of 1963. Information in any dictatorial regime is strictly controlled. The Internet is an unchallenged source of news, and the Syrian version of the Arab Spring uprising has progressed through the use of social media. That use, however, has a backend effect.
The Syrian regime has used tools to disable access to social media sites such as Facebook and Twitter, which were blocked inside Syria, manipulating results and access through Branch 225. Blocking, however, prevented the tracking down of activists, so the regime ultimately responded by unblocking sites such as Facebook, YouTube and Twitter. This move enabled the regime's security apparatus to conduct its internal cyber war against its own people and aided it in tracking down the identities of activists.
The Assad regime "established" the Syrian Electronic Army (SEA), which has been launching internal attacks against Syrian activists as well as external opponents, including the Al-Jazeera TV website, among others. This collective of pro-Assad, pro-government hackers and online hacktivists has been targeting dissidents and opposition members in Syria, as well as sympathizers outside the country. Although the SEA denies any affiliation with the government, President Bashar al-Assad openly referenced the group in a June 20th speech, stating that "young people have an important role to play at this stage, because they have proven themselves to be an active power. There is the Electronic Army which has been a real army in virtual reality."
The SEA stated on its website that it was honored by the mention in the presidential speech but restated that it is not affiliated with the Syrian government. The SEA nonetheless continues to claim responsibility for defacing or compromising websites it deems hostile to the Syrian regime. During this uprising the SEA has also infiltrated Syrian political opposition Facebook pages, replacing the original content with SEA logos and posting pro-regime messages.
The Army's online activities are organized around three main kinds of effort: defacement attacks against Syrian opposition websites, defacement attacks against Western websites, and spamming popular Facebook pages together with identifying activists and dissidents. Despite this, and despite the advantages offered by online social networking, demonstrators continue to risk their lives protesting in the streets.
As the Syrian conflict continues to make headlines, and as battles occur in the streets, another silent and unseen battle between government supporters and opponents is going on in cyberspace.
Further Information
For more information or to contact the author please contact CSCSS external relations.
