Hackers sympathetic to Syrian President Bashar Assad successfully stole confidential information from opposition groups by posing as women on online chat forums and luring their victims to download spyware, according to a new report by cybersecurity group FireEye.
The hackers -- described as “femme fatale” avatars in the report -- took on female identities to lure Syrian rebels into online conversations on services like Skype, and stole gigabytes of data. The hackers, according to the report, sent files containing images of the “women,” and once the victim opened the file, viruses would be automatically installed on the device used for the chat, sending data back to the hackers.
“The threat group created several Skype accounts with female avatars to target (male) individuals in the Syrian opposition,” the FireEye report said. “The female avatars, which had generic but country-appropriate names and profile images, would develop a rapport with the victim before sending a malicious file. The female avatars approached their targets with a series of personal questions that appeared to be part of a script.”
The hacking occurred between November 2013 and January 2014, when the hackers stole 7.7 gigabytes of data. The stolen data revealed “the Syrian opposition’s strategy, tactical battle plans, supply needs, and troves of personal information and chat sessions belonging to the men fighting against Syrian President Bashar al-Assad’s forces,” the report said.
“While we do not know who conducted this hacking operation, if this data was acquired by Assad’s forces or their allies it could confer a distinct battlefield advantage.”
The hackers also used social media to tempt targets by creating a fake Syrian opposition website, which would include women’s profiles with links to a “LiveCam ID” as well as Facebook accounts. Clicking on the “LiveCam ID” would direct the user to a page containing malicious software, or malware, while clicking on a Facebook link took the user to a fake Facebook login page that was actually a phishing page used to collect private credentials, according to FireEye.
Some of the victims appeared to be located within opposition-controlled areas of Syria, while others were located in other countries, including Lebanon, Jordan and the Persian Gulf, the report said.
"Unlike other threat activity that we have profiled, this is not just cyber espionage aimed at achieving an information edge or a strategic goal. Rather, this activity, which takes place in the heat of a conflict, provides actionable military intelligence for an immediate battlefield advantage," FireEye said, in the report.