The December 2013 attackers' tools differed from those previously used against members of the Syrian opposition army. They employed a diverse malware toolset, which implies access to development resources, and used both widely available and custom malware to breach their targets. Although they relied on the known tactic of deploying the DarkComet remote access trojan, they delivered it with a multistage dropper that had not been observed before. The group also used a keylogger and custom tools carrying shellcode payloads.
Despite the array of tools and techniques at their disposal, the attackers did not exploit software vulnerabilities to deliver malware. Instead, they relied on a variety of social engineering techniques to trick victims into infecting themselves. They regularly asked targets which device they were using, PC or Android phone, so that they could deploy malware built for that device. This is the first known instance of attackers targeting the Syrian opposition with Android malware, and the campaign is also unique to date in combining the Metasploit Framework, the custom malware tools YABROD and CABLECAR, and Android malware. Targeting Android devices paid off against Syrian opposition members, who rely heavily on mobile devices for communication.
The attackers used social engineering to trick victims into running malware disguised as a legitimate file. In some cases the file posed as a genuine software installer. In other cases the group used the non-printing Unicode right-to-left override character (U+202E) to make executable files appear as PDFs, JPGs, or other harmless content. In each case the lure file was actually a self-extracting RAR archive (SFX RAR), typically containing a decoy document and a second, password-protected SFX RAR that held the actual malware.
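Two checks that a practitioner would want for the lure style described above, written here as an added example rather than code from FireEye's report or from the attackers: the first models how a right-to-left override makes an executable's name display as a document and flags the mismatch; the second looks for the shape of a self-extracting RAR, a PE image with a RAR archive signature after it. The filenames and the sample blob are constructed for the example; the display model is a deliberate approximation in which everything after the override is shown reversed, which is what a bidi-unaware file listing does. The example goes slightly beyond the page by also flagging the other Unicode bidirectional controls and several executable extensions besides .exe.

```python
"""Detect RLO-disguised executables and PE files with an embedded RAR archive.
Added example; the sample names and bytes below are constructed, not real lures."""

RLO = "\u202e"
# Unicode bidirectional control characters; none of them belongs in a normal filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions Windows executes directly on double-click (assumed list for the example).
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                             ".vbs", ".js", ".jar", ".msi"})

# RAR signatures: RAR 4.x and RAR 5 archives start with these bytes.
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"


def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after the first RLO is drawn reversed,
    and the control characters themselves are invisible."""
    head, rlo, tail = name.partition(RLO)
    shown = head + (tail[::-1] if rlo else "")
    return "".join(c for c in shown if c not in BIDI_CONTROLS)


def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    _stem, dot, ext = name.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def analyze_filename(name: str) -> dict:
    """Report whether a filename hides an executable behind a document-looking name."""
    shown = rendered_name(name)
    real_ext = extension(name)      # what the OS will actually run
    shown_ext = extension(shown)    # what the victim believes they are opening
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "shown": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "has_bidi": has_bidi,
        # A control character is present and the real type differs from the displayed one.
        "suspicious": has_bidi and real_ext in EXECUTABLE_EXTS and real_ext != shown_ext,
    }


def find_embedded_rar(data: bytes) -> int:
    """Offset of the first RAR archive signature in data, or -1 if none."""
    found = [o for o in (data.find(m) for m in (RAR5_MAGIC, RAR4_MAGIC)) if o != -1]
    return min(found) if found else -1


def classify_blob(data: bytes) -> str:
    """'sfx-rar' for a PE image with a RAR archive after it, 'rar' for a bare
    archive, 'pe' for a plain executable, 'other' otherwise. This only checks
    the MZ signature and the archive magic; it does not parse RAR headers, so a
    password-protected inner archive is not distinguished here."""
    is_pe = data[:2] == b"MZ"
    rar_at = find_embedded_rar(data)
    if is_pe and rar_at > 0:
        return "sfx-rar"
    if rar_at == 0:
        return "rar"
    if is_pe:
        return "pe"
    return "other"


# Constructed sample: an "MZ" stub with padding (not a real PE image) followed by
# a RAR4 signature, which is the layout of a self-extracting RAR.
SAMPLE_SFX = b"MZ" + b"\x90" * 100 + RAR4_MAGIC + b"<archive data>"
SAMPLE_NAMES = ["report\u202efdp.exe", "report.pdf", "photo\u202egpj.scr"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), analyze_filename(n))
    print(classify_blob(SAMPLE_SFX), find_embedded_rar(SAMPLE_SFX))
```

On the constructed name `report\u202efdp.exe`, `analyze_filename` reports a displayed name of `reportexe.pdf` with a real extension of `.exe` and marks it suspicious; the sample blob is classified as `sfx-rar` with the archive at offset 102. In a mail gateway or EDR rule, the filename check is cheap enough to run on every attachment name, while the blob check is a first-pass triage that should hand SFX hits to a proper archive parser.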
While there is insufficient information to determine the identity of the attackers or the nature of any ties to Syrian-backed forces, there are indications that the group was resourced from outside Syria. The malware used by this threat group shares no command-and-control servers with previously reported activity documented by research groups including Kaspersky, Trend Micro, Citizen Lab, and the Electronic Frontier Foundation. Amongst the records of the activity are numerous references to Lebanon.
The malware that the female Skype contacts and social media profiles encouraged their victims to download was hosted on the same server as malware distributed through a website that appeared to support the Syrian opposition.
Excerpted and rewritten from FireEye Threat Intelligence, Behind the Syrian conflict’s digital front lines, February 2015.
State-sponsored cyber attacks are by design low-profile and prolonged, because they serve long-term and significant national objectives. There is, however, another breed of attack that also serves national objectives, indirectly, without necessarily having a state actor behind it.
Attacks below the state-sponsored level are more like a wide net thrown out at sea and then checked to see what it has caught, summarises Lovet of FortiGuard Labs. "The duration spans over months rather than years, and the coding is much more amateurish. The attacks that are both loud and ethically debatable, such as DDoS attacks, are usually not directly state owned, even if states unofficially support them." The catch in the net is then assessed for the types of vulnerabilities it possesses, and the focus falls on the most interesting vulnerable machines, those belonging to a state-owned agency.
"A lot of attacks that we see today may or may not be linked to a state or government. Quite often these groups are acting autonomously but may be inspired by a government. If you want to make a parallel, it is like small partisan groups who associate and align themselves with a higher target, but perform operations by themselves," explains Help AG's Solling. The benefit to governments of such semi-state-sponsored cyber attack programmes is that they can deny any involvement at any time.
Beyond state and national objectives, cyber attackers are increasingly turning to cyber crime. "The adoption of specialised skill sets and professionalised business practices by these criminals is steadily increasing the complexity of cyber crime by providing actors of all technical abilities with the necessary tools and resources to conduct cyber crime," says Florian Malecki, International Product Marketing Director, Network Security, Dell. "Not only are criminals advancing their abilities to attack a system remotely, but they are becoming adept at tricking victims into compromising their own systems."
Industrial control systems, which operate the physical processes of a country's pipelines, railroads, and other critical infrastructure, are at elevated risk of cyber exploitation. "Critical infrastructure faces a growing cyber threat due to advancements in the availability and sophistication of malware and the fact that new technologies raise new security issues that cannot always be addressed prior to adoption," explains Malecki. As a result, the increasing automation of critical infrastructure gives adversaries more access points to exploit. The consequences of a systems failure triggered by a cyber attack on a critical infrastructure organisation can be as devastating as a large-scale, state-sponsored attack using conventional warfare.