In a post on the F-Secure Labs blog, Chief Research Officer Mikko Hypponen says the firm received a hard drive image from a “contact” within Syria who believed that his computer had been compromised. An F-Secure analysis of the drive’s contents and Web history revealed evidence of a targeted attack that used a malicious Skype chat link to install a copy of Xtreme RAT, a remote access tool that’s commercially available online.
The Syrian government of Bashar al-Assad is in the midst of a months long military crackdown on a popular uprising that began in January, 2011 as part of a wave of protests throughout the Middle East in what has been termed the “Arab Spring.” The government has deployed military forces and heavy artillary to defeat a Sunni-muslim led opposition – which it calls “armed terrorist groups” – in cities like Homs. The brutal campaign, which is estimated to have killed between 12,000 and 17,000 civilians, has attracted international condemnation and sanctions.
But the Syrian government isn’t relying solely on military means. A number of independent sources have identified a campaign of digital surveillance, as well. In February, CNN reported on the use of custom malware, including Trojan Horse programs and targeted attacks to push the malware onto machines of opposition activists. The attacks often occur via chat sessions, with regime supporters posing as opposition members or using the accounts of opposition members who have been arrested.
In the case of the activist whose system was analyzed by F-Secure, the attack came by way of a Skype chat from the account of a fellow activist who had been taken into custody, Hypponen wrote.
“We have reasons to believe this infection wasn’t just bad luck. We believe the activist’s computer was specifically targeted,” he wrote.
Moreover, the malware called out to an IP address that belongs to the Syrian Arab Republic — STE (syrian Telecommunications Establishment).
In a conversation with Threatpost, Hypponen said that the activist who was targeted became suspicious after realizing that the person with whom she’d been chatting had been in custody at the time their Skype chat took place.
He said the program that was installed – XTreme RAT – was one of dozens of commercially available remote access tools available online, but wasn’t one that F-Secure had seen used in government-linked attacks previously. However, its not uncommon for such attacks to use commodity malware, which provides cover for governments that are doing the spying, Hypponen said. “If someone figures out they’re infected, it will just look like a regular (Trojan) that might be used to steal credit card numbers, not like something done by the Syrian government,” he said.
Attacks linked to the Chinese government and People’s Liberation Army have likewise relied on commercial malware kits like GhostRAT and Poison Ivy, he noted. To counter such attacks, activists and political dissidents should be on high alert for malware attacks: using non-Windows systems, whenever possible, and talking by phone or in person with fellow dissidents to verify that online contacts are who they say they are.
Hypponen said that targeted cyber attacks on political opposition is common in places like Syria and Iran, where the government is anxious to keep on top of popular uprisings, as it was in Egypt prior to the fall of Hosnei Mubarak. Still, he said the trend is worrying.
“If you would have told me ten years ago that you’d have governments spreading malicious software to spy on their citizens, I wouldn’t have believed it. It’s like something out of a Hollywood movie,” he said.
