More than two years into the Syrian conflict, the violence continues both on the ground and in the digital realm. Just as human rights investigators and weapons inspectors search for evidence of chemical weapons, EFF, and the University of Toronto’s Citizen Lab have been collecting, dissecting, and documenting malicious software deployed against the Syrian opposition.

Citizen Lab security researchers Morgan Marquis-Boire and John Scott-Railton and EFF Global Policy Analyst Eva Galperin today published their latest technical paper, “Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns.” The report outlines how pro-government attackers have targeted the opposition, as well as NGO workers and journalists, with social engineering and “Remote Access Tools” (RAT).

“We’re deeply concerned by the reemergence of pro-government malware targeting online activists in Syria,” the authors write. “The malware campaigns appear to be becoming more and more sophisticated, incorporating greater levels of social engineering.”

The attacks analyzed include:

  • An attacker who hijacked the Facebook page of the “Revolution Youth Coalition on the Syrian Coast,” and posted a malicious link disguised as investigation of the death of a well-known opposition commander (image right). The attacker then deleted comments warning users of the malware.
  • An NGO administrator received an email purporting to contain video evidence of the Syrian military abuses. The file displayed a graphic execution video and covertly installed RAT malware that captured keystrokes and screenshots.
  • New attacks from a group that Citizen Lab flagged in June, now using live social engineering to entice targets to click malicious links and download malware. One example includes the attacker sending the target a message about documents and maps showing the movements of fighting groups.
  • A new Mac OSX Trojan of unknown origin that announces itself as coming from the Syrian Electronic Army. Because the pro-government hacker group denies involvement in the attack, and because of its unusual design (Macs are uncommon in the region), the researchers have reason to believe it may be a “false flag.”

"Opposition groups continue to be targeted with phishing and malware attacks by pro-Assad hackers, but the attacks are getting curiouser and curiouser," Galperin said. "Up until now, the campaigns have all been very similar to one another. Now we're starting to see attacks that don't fit into these patterns but seem to deliberately implicate pro-Assad hackers."

Citizen Lab and EFF warn Syrians to be wary of opening email attachments and to be especially careful when clicking on links posted to Facebook and YouTube.

"As the physical conflict in Syria continues to escalate, the dangers posed by this type of digital targeting become more and more real," Marquis-Boire said. "A compromised computer can put a Syrian user's life in jeopardy. These attacks also produce a serious chilling effect on Syrian social-media, with users unable to discern the difference between relevant news content and malicious downloads."

Read the full report here.