CSS CYBER DEFENSE PROJECT

Hotspot Analysis The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Zürich, October 2017

Version 1

Risk and Resilience Team Center for Security Studies (CSS), ETH Zürich The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Authors: Marie Baezner, Patrice Robin

© 2017 Center for Security Studies (CSS), ETH Zürich Contact: Center for Security Studies Haldeneggsteig 4 ETH Zürich CH-8092 Zürich Switzerland Tel.: +41-44-632 40 25 [email protected] www.css.ethz.ch

Analysis prepared by: Center for Security Studies (CSS), ETH Zürich

ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group; Myriam Dunn Cavelty, Deputy Head for Research and Teaching; Andreas Wenger, Director of the CSS

Disclaimer: The opinions presented in this study exclusively reflect the authors’ views.

Please cite as: Baezner, Marie; Robin, Patrice (2017): Hotspot Analysis: The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict, October 2017, Center for Security Studies (CSS), ETH Zürich.

2

The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Table of Contents

1 Introduction 5

2 Background and chronology 6

3 Description 9 3.1 Attribution and actors 9 Pro-government groups 9 Anti-government groups 11 Islamist groups 11 State actors 12 Non-aligned groups 13 3.2 Targets 13 3.3 Tools and techniques 14 Data breaches 14 Website defacement 14 DDoS 15 Malware 15

4 Effects 17 4.1 Social effects 17 4.2 Economic effects 18 4.3 Technological effects 18 4.4 International effects 19

5 Policy Consequences 20 5.1 Raising awareness of propaganda and radicalization online 20 5.2 Incentivizing social media to better control content 20 5.3 Improving cybersecurity 20 5.4 Monitoring the evolution of the conflict 20

6 Annex 1 22

7 Annex 2 28

8 Glossary 29

9 Abbreviations 30

10 Bibliography 31

3 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

use of cybertools in the context of conflicts. The goal is The use of cybertools also to understand how victims handled and responded to attacks in order to learn from their experiences and in an internationalized be able to prepare for similar situations. civil war context: Description

During the Arab Spring, Syrian dissidents saw an Cyber activities in the opportunity to claim more freedom. However, unlike in Tunisia and Egypt, their protests did not achieve the Syrian conflict overthrow of the Syrian President Bashar al-Assad, but instead resulted in civil war. The various groups of actors involved in the war have used cyberspace not only to Targets: Government institutions and pro- promote their ideologies, but also to target their government groups, anti-government enemies or enemies’ associates and partners with groups excluding Islamist groups, website defacement, Distributed Denial of Service Islamist groups, third-party states, attacks and spying malware delivered via spear phishing third-party organizations, and media emails. outlets.

Tools: Distributed Denial of Service1, website Effects defacement, data breaches,

misinformation, various freely Effects of cyber activities conducted in the available malware (e.g. DarkComet context of the Syrian civil war have been observed at RAT, njRAT, XtremeRAT both the domestic Syrian level and at the international Backdoor.breut, BlackWorm, level. The effects on Syrian society were marked by NanoCore, ShadowTech RAT propaganda campaigns on social media and a blurring of DroidJack), a customized malware, a the distinction between combatants and non- malicious Android application, spear combatants. Economic effects were felt through the phishing emails, fake social media login direct and indirect costs of Distributed Denial of Service pages and fake websites with malicious attacks and website defacements, but also due to the links. drop in the stock market value after a false message was Effects: Propaganda and misinformation on posted on the hijacked Twitter account of Associated social media and defaced websites, Press. Technological impacts were limited due to the low internationalization of the conflict sophistication of the cyberattacks. through cyberspace, drop in stock At the international level, the effects were mainly market due to defacement, use of characterized by the international nature of both the malware in support of ground victims and perpetrators of cyberattacks. Also, the operations. conflict did not escalate in cyberspace and spill over into Timeframe: From spring 2011 and still ongoing with the physical realm. Cyberattacks remained of low a hot phase from 2011 to 2014. intensity and focused mainly on harassment and

espionage. Syria attracted considerable international attention during the Arab Spring, when the government Consequences violently repressed protests. The demonstrations escalated into a civil war, which was simultaneously The consequences that can be derived from the conducted in cyberspace. Pro-government, anti- context of the Syrian conflict in cyberspace mostly relate government and Islamist groups fight each other online to increasing awareness of propaganda and using cybertools such as website defacement, radicalization on social media and incentivizing social Distributed Denial of Service attacks and malware. media stakeholders to better control contents posted on This report examines cyber activities in the their platforms. This report also recommends that state context of the Syrian civil war. It also studies the impacts actors improve their cybersecurity through awareness- of cyberattacks on Syrian society, the economy, building campaigns and technological solutions. Finally, technology and at the international level. the analysis suggests that the development of the Syrian The aim of this hotspot analysis is to develop a conflict and its actors both on the ground and in better understanding of the possible mechanisms of the cyberspace should be closely monitored.

1 Technical terms written in italic are explained in a glossary in Section 8 at the end of the document.

4 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Section 4 studies the effects of the cyberattacks on Syrian society. These were characterized by 1 Introduction propaganda on social media trying to discredit enemies, an internationalization of the conflict through activities During the Arab Spring in 2011, cyberspace conducted in cyberspace by sympathizers of either side played a significant role in the development of anti- to the conflict, and an increase in mistrust among government protests and the spread of democratic members of anti-government groups targeted by ideas. In 2000, when Bashar al-Assad became Syria’s impersonation of social media accounts. The second leader, only 0.2% of the Syrian population used sub-section examines the economic effects of the computers. The number of users significantly increased cyberattacks. These can be summarized as the direct to reach 22.5% in 2012 (Grohe, 2015). The growth of and indirect costs of Distributed Denial of Service (DDoS) internet users in Syria and the start of the Arab Spring in and defacement attacks and by the stock market’s Tunisia and Egypt emphasize the role of cyberspace in negative reaction to false information posted on the the Syrian conflict. The use of hotspots to evaluate each hijacked Twitter account of Associated Press. Sub- concrete case can support the theoretical and abstract section 3 investigates the technological effects of concepts of cybersecurity. This hotspot analysis cyberattacks carried out during the Syrian civil war. examines the cyber-dimension of the Syrian civil war. These technological impacts are identified as physical During the Arab Spring, it became evident that tampering with internet functionality by the Syrian cyberspace was often used to organize protests and government and the fact that cyberattacks were demonstrations against the Tunisian and Egyptian generally not sophisticated, relying on malware that is governments. This also occurred during protests in Syria, easily available online. and relevant activities evolved into platforms for gaining The last sub-section looks into the impacts of the domestic and international support for both the anti- cyberattacks at the international level. The analysis government and the pro-government groups. demonstrates that the cyberattacks taking place in the The study of this hotspot is relevant because it context of the Syrian conflict affected people and illustrates how the use of cyberspace evolved from a businesses internationally, but that perpetrators may context of domestic unrest to civil war involving a variety also have originated from outside Syria. It also shows of actors. This hotspot is also placed into the context of that the use of malware mainly focused on gathering international tensions between local rival states and information to support the battlefield and notes that major powers such as the USA and Russia. Western states imposed international economic The aim of the analysis is to describe how victims sanctions on Syria. of cyberattacks were affected and how they responded. Finally, Section 5 provides a number of This document will be updated as new elements are recommendations to state actors in order to decrease discovered or significant changes occur. The goal is to the risk of falling victim to similar cyberattacks. It keep the document up to date with current issues and describes how state actors can improve their to stay as accurate as possible. This study will also be cybersecurity and decrease the impact of propaganda by used in a future, broader report that will compare raising awareness and creating incentives for social different hotspots and recommend measures to states media to better control contents. It also suggests that on how to improve their policies if faced with similar states should monitor the evolution of the Syrian situations. conflict and its cyber-dimension in order to avoid being The report will proceed as follows. Section 2 caught unaware by potential similar attacks in the describes the historical background and chronology of future. the Syrian civil war. It summarizes the main events of the conflict as well as the various peace talks and cyberattacks that have occurred since 2011. In Section 3, the report portrays the main actors in the Syrian conflict that are active in cyberspace, their targets and the tools and techniques they use. It demonstrates that the Syrian conflict is a highly complex environment with numerous actors sometimes using the same tools and techniques such as spear phishing2, website defacement or easily available Remote Access Tools (RAT)3.

2 Technical terms are explained in a glossary in Section 8 at the end of 3 Abbreviations are listed in Section 9 at the end of the document. the document.

5 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

2 Background and 09.2007 With Operation Orchard, Israel launches a cyberattack to disable the chronology Syrian anti-aircraft system. This cyberattack enables the Israeli air Both the historical background and chronology of force to conduct an airstrike on a Syrian politics, the Arab Spring and the Syrian civil war nuclear facility in Deir el Zor in are important in understanding the context within Northern Syria (Associated Press, which cyber activities unfolded throughout the conflict. 2011). Syria’s Ba’athist government managed to remain 19.12.2010 An unemployed Tunisian sets himself in power for 40 years on a foundation of secularism and on fire to protest against the Tunisian powerful repression of the opposition. With the Arab government. In conjunction with Spring, the opposition saw its opportunity to demand WikiLeaks revelations regarding the greater freedom and more democracy. President Assad Tunisian authorities, his action causes was prepared for such a contingency and violently protests by young Tunisians. This repressed the protests while surveilling internet and event is considered to be the starting other communications. The country slipped into a civil point of the Arab Spring. war, which also took a religious turn. The conflict 14.01.2011 The Tunisian President flees to Saudi appears to have further evolved into a proxy war Arabia. between Shias supported by Iran and Lebanon against 17.01.2011 In Egypt, a man sets himself on fire to Sunnis supported by Saudi Arabia, Turkey and Qatar. protest against economic conditions This international dimension is important in and to provoke similar protests as in understanding the dynamics and evolution of the Tunisia (Blight et al., 2012). various international tensions and peace talks as well as 08.02.2011 After seeing the civil unrest in other the development of the war on the ground and in Arab countries, al-Assad promises cyberspace. The latter evolved in parallel to the physical elections, greater press freedom and theater but has always remained at a rather low the end of the ban on Facebook and intensity. The bulk of relevant cyber activities consists of YouTube (Williams, 2011). propaganda on social media, publicity gained through 11.02.2011 Egyptian President Hosni Mubarak website defacement and some cyberespionage steps down and hands over power to campaigns. After 2015, the amount of cyberattacks the army. decreased to almost completely disappear, as 16.02.2011 Protests against Gaddafi start in international intervention against the Islamic State of Libya. Iraq and Syria (ISIS)4 and other developments shifted the 18.03.2011 The United Nations (UN) Security numerous actors’ priorities away from cyberspace. Council agrees on a resolution

authorizing intervention in Libya to Rows colored in gray refer to cyber-related protect civilians. The next day, the incidents. intervention by a coalition of 17

states starts in Libya. Date Event 19.03.2011 Protests for more political freedom 03.1963 Hafez al-Assad, an Alawi (a Shia and the end of the reign of the Ba’ath branch of Islam) and father of Bashar party erupt in Syria. The Syrian al-Assad, is part of a group of security forces open fire at protesters Ba’athist army officers who take and kill four of them in the southern power in Syria. city of Daraa, causing the unrest to 02.1970 Hafez al-Assad, defense minister, spread to other cities (Blight et al., overthrows the Syrian President. 2012). 10.1973 Syria goes to war against Israel with 04.2011 The Syrian Electronic Army (SEA) is Egypt. created (Fisher and Keller, 2011). 1994 Bassel al-Assad, elder brother of 19.04.2011 To calm his population, President Bashar al-Assad and heir to Hafez, Assad agrees to lift a 48-year-old dies in a car accident. emergency law. 06.2000 Bashar al-Assad becomes President 25.04.2011 The Syrian government deploys tanks after his father’s death (BBC News, in several cities to confront 2017a). protesters.

4 ISIS is also known as the Islamic State of Iraq and the Levant, the Islamic State and Daesh.

6 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

05.2011 The SEA launches its first cyberattack 30.06.2012 The Geneva I conference on Syria with a DDoS attack on OrientTV5. takes place with representatives of 09.05.2011 The European Union (EU) issues an the USA, China, Russia and the United arms embargo against Syria. Kingdom and the former UN General 19.05.2011 The EU and USA impose sanctions on Secretary Kofi Annan. The conference Syria in response to President Assad’s ends with a proposal for a transitional violent repression of the protests. government (BBC News, 2012). 23.05.2011 The EU imposes sanctions specifically 08.2012 US President Obama warns that the targeting President Assad and other use of chemical weapons would members of the Syrian government. provoke a US intervention in Syria. 04.06.2011 Internet access is shut down by the 11.2012 The National Coalition for Syrian Syrian government (Blight et al., Revolutionary and Opposition Forces 2012). is created in Qatar but does not 20.06.2011 Syrian President Assad refers to the include the Islamist militias. The USA, SEA in an interview on Syrian France, the United Kingdom, Turkey television, but the hacker group and Gulf states recognize the immediately responds with a coalition as the legitimate statement on its website that it is not government of the Syrian population connected to the Syrian government (BBC News, 2017a). (Fisher and Keller, 2011). 29.11.2012- The Syrian government shuts down 07.2011 Deserters from the Syrian Armed 01.12.2012 the Internet for three days (Chulov, Forces who took refuge in Turkey 2012). create the Free Syrian Army (FSA) (Al 05.2013 Syria accuses Israel of conducting an Jazeera, 2017). airstrike near Damascus (Grohe, 08.08.2011 King Abdullah of Saudi Arabia recalls 2015). The US firm Network Solutions his ambassador from Syria and LLC seizes hundreds of Syrian demands President Assad stop the websites’ domain names registered bloodshed. to Syrian organizations, including the 02.09.2011 The EU extends its sanctions against SEA website. The seizure takes place the Syrian government. in the context of the 2012 US trade 6 02.10.2011 Various opposition groups gather to sanctions against Syria . form the Syrian National Council 21.08.2013 Rockets filled with the nerve agent (SNC). Sarin are used in various suburbs of 22.10.2011 Libyan President Gaddafi is killed Damascus and kill hundreds of (Blight et al., 2012). civilians. The Syrian government 12.11.2011 Syria is expelled from the Arab League accuses the opposition forces and because of its violent repression of vice versa (Bouckaert, 2013). the protests. The League also issues 09.2013 UN inspectors conclude that chemical sanctions against Syria. weapons were used in the attack of 28.11.2011 A report to the UN Human Rights Ghouta. Under international Council accuses the Syrian pressure, President Assad agrees to government of crimes against dispose of his chemical weapons (BBC humanity. News, 2016). 02.2012 The UN proposes a draft peace plan 10.2013 The Commander of the Iranian Cyber with the support of China and Russia War Headquarters, the cyberunit of (BBC News, 2017a). The Anonymous the Iranian Revolutionary Guard hacker group declares war against the Corps (IRGC), who is suspected of Syrian government and the SEA. assisting the SEA, is assassinated. The Israeli secret services, the Mossad, is accused by Iranian authorities (Grohe, 2015, p. 144).

5 For a detailed table of the cyberattacks since the beginning of the These questions will not, however, be discussed in this document. Syrian civil war, see Annex 1 in Section 6. Further information on this topic can be found on this website: https://krebsonsecurity.com/2013/05/trade-sanctions-cited-in- 6 The seizure of domain names by the Network Solutions LLC raises hundreds-of-syrian-domain-seizures/ further questions with regard to international internet governance.

7 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

12.2013 The USA and United Kingdom 08.2016 The Turkish forces and FSA launch suspend their support for the FSA operation Euphrates Shield to push when it is reported that Islamist ISIS back from the Turkish border militias have raided FSA bases. (BBC News, 2017b). 22- The Geneva II Conference on Syria 25.09.2016 The USA accuses Russia of war crimes 31.01.2014 ends in failure when the Syrian in Syria. government refuses to discuss the 03.10.2016 The USA suspends its participation in terms of a transitional government. the Syrian ceasefire talks with Russia 06.2014 ISIS declares the creation of a because of Russia’s role in helping caliphate in the territory extending Syrian government forces retake from the city of Aleppo to the eastern Aleppo. In return, Russia suspends its province of Diyala. participation in a 2013 agreement on 09.2014 The USA and five Arabic states launch nuclear energy research and airstrikes against ISIS in the region of development and withdraws from a Aleppo and Raqqa. 2010 agreement on cooperation in 01.2015 The Turkish army pushes ISIS troops the conversion of research reactors to out of Kobane (BBC News, 2017a). low-enriched uranium fuel (Klion, 02.2015 The Anonymous collective declares 2016; World Nuclear News, 2016). war against ISIS (Ruhfus, 2015). 15.10.2016 Representatives of the USA, Russia, 09.2015 France extends its airstrike on ISIS Saudi Arabia, Turkey and Qatar meet positions from Iraq to Syria (Shaheen in Lausanne, Switzerland, for talks et al., 2015). about peace plans in Syria 30.09.2015 Russia starts to launch airstrikes (Wroughton and Winning, 2016). against ISIS targets following an 16.11.2016 Russia withdraws from the official request by the Syrian International Criminal Court (Reuters, government (BBC News, 2017a). 2016). 10.2015 The USA stops its program to train 12.2016 The Syrian Armed Forces retake the Syrian anti-government groups (Al city of Aleppo in northern Syria with Jazeera, 2017). the help of Russian air power and Shia 13.11.2015 Terrorists with sworn allegiance to militias supported by Iran (BBC News, ISIS attack several locations in Paris 2017a). (Shaheen et al., 2015). 19.12.2016 The Russian ambassador to Turkey is 24.11.2015 A Russian plane is shot down by the assassinated by a police officer Turkish air force (BBC News, 2015). protesting against Russian DDoS attacks targeting websites using involvement in the Syrian conflict the Turkish root Domain Name (Walker et al., 2016). System (DNS) “.tr” are attributed to 01.2017 Iran and Turkey agree to implement a Russia in retaliation for the downing ceasefire between the opposition and of the fighter jet (Murgia, 2015). the Syrian government at a 12.12.2015 The Syrian Armed Forces retake the conference in Kazakhstan (BBC News, city of Homs in Western Syria. 2017a). 02.2016 The Geneva III peace talks on Syria 23.02.2017 The Geneva IV Conference on Syria start and are suspended three days resumes discussions to find a solution later. for peace (BBC News, 2017c). 03.2016 The Syrian Armed Forces recapture 28.02.2017 China and Russia veto a UN Security the city of Palmyra in the center of Council resolution to sanction Syria Syria with the help of Russian aircraft for the alleged use of chemical (Wintour and Walker, 2016). An SEA weapons (Reuters, 2017). member is arrested in Germany and 30.03.2017 Turkish forces end operation extradited to the USA in May 2016 Euphrates Shield in northern Syria (Cimpanu, 2016). (BBC News, 2017b). 04.03.2016 Russian President Putin orders the 05.04.2017 The Syrian government allegedly withdrawal of the bulk of the Russian targets the town of Khan Sheikhoun forces in Syria because the mission is north of Homs with nerve agent considered to have been largely chemical weapons. accomplished overall (Wintour and Walker, 2016).

8 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

07.04.2017 The USA reacts to the use of chemical 3 Description weapons by bombing a Syrian military base (Graham-Harrison, 2017). This section describes the different actors participating in the Syrian conflict in cyberspace, their targets, and the tools and techniques they use. The aim is to better understand who is against whom in the highly complex context of the Syrian conflict. Another goal is to provide details of the tools and techniques that were used in cyberspace during the conflict, who used them and why7.

3.1 Attribution and actors

During the six years of civil war in Syria, the actors have evolved and changed in response to the events of the conflict. This adds to the already existing difficulty of attributing cyber activities. Attribution is normally based on the “cui bono” (to whose benefit) logic. This also implies that it is not possible to be 100% sure that an actor benefiting from a cyberattack is indeed its perpetrator. In addition, due to language limitations, this hotspot analysis relies mainly on Western media, cybersecurity reports and academic articles. These references have a specific point of view that others may not share. It is therefore important to bear in mind that there is always the possibility that evidence has been manipulated by one actor to deliberately implicate another. The actors have been categorized into five groups: pro-government groups, anti-government groups, Islamist groups, state actors, and non-aligned groups.

Pro-government groups

In the first category, there are various groups that perpetrate cyber activities in support of the Syrian government. Five groups8 of pro-government actors have been identified to have been active in cyberspace throughout the conflict: the Syrian government itself, the SEA, the Syrian Malware Team (SMT), the Electronic National Defense Forces (ENDF), and groups acting from outside Syria, which regroup, one operating from Lebanon, and another identified as Group5 allegedly working from Iran.

The Syrian government

The Syrian government is composed of the Syrian military intelligence in which Branch 225 is responsible for monitoring internal and external communications (Syrian Network for Human Rights, 2013). Syrian President Assad understood early in 2011 that protests in Egypt and Tunisia succeeded in overthrowing their

7 Annex 2 at the end of the document summarizes the actors and their 8 Other groups have also been observed during the conflict, but were targets as well as the tools and techniques they use. not significant enough to be considered in this document.

9 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

leaders because the governments did not crush the Russia, suggesting that the groups is a loose association demonstrations early enough. The Assad government rather than a fixed organization (Al-Rawi, 2014). was already known before the war for censoring The SEA is active on the main social media internet content in the country. For example, YouTube platforms to promote its actions and support the Syrian and Facebook could not be accessed in Syria until government (Warren and Leitch, 2016). Grohe (2015) February 2011 (Noman, 2011). Furthermore, in Syria, argues that the Syrian government uses the SEA as a there are twelve internet providers that operate under counter-narrative to social media publications posted by the government-owned Syrian Telecommunications anti-government actors. The official SEA website was Establishment (STE). As soon as the protests started, created and first registered with the Syrian Computer Syrian President Assad chased foreign journalists out of Society (SCS), i.e. the Syrian authority registering the country to control the press coverage of events (Lee, internet domain names, in May 2011. During the first 2016). These measures enabled the Syrian government year of the conflict, the SEA created a Syrian Hackers to control internet access, implement censorship and School Facebook page, from which people were able to perform cyberespionage. More than once, the Syrian download and learn how to use a tool for launching government shut down internet or cell phone networks DDoS attacks against BBC News, Al Jazeera, OrientTV for several days in order to stop protesters posting and Al-Arabyia TV. At the beginning of the war, the videos, images or comments about events on social group’s actions consisted mostly of the use of website media. The Syrian government also used malware to spy vulnerabilities for defacement with pro-government on dissidents and built its own surveillance system in messages and images. Between 2011 and 2015, it 2015 to control and monitor text messages, emails and defaced hundreds of websites. internet use. The system is said to be able to block text As the war moved on, the SEA’s technique messages or emails containing specific words (Zaluski, improved, which suggests that it received help from the 2016). Syrian government, from Iran or Russia, both of which support the Syrian government. Reporters Without The Syrian Electronic Army Border argues that the SEA is used as a cyberintelligence tool by the Syrian government (Al-Rawi, 2014). In 2013, The SEA9 was created in May 2011 and was the after the US-based internet domain name registrar most visible cyberactor in the Syrian civil war. However, Network Solutions LLC seized hundreds of Syrian domain its relation to the Syrian government remains unclear. In names from the SCS, the SEA registered its website in June 2011, President Assad thanked the SEA for its Russia in order to keep it active. Internet domain names actions in a speech on Syrian television, but the group were part of the banned services included in the US later clarified on its website that it had no ties with the trade sanctions against Syria (Al-Rawi, 2014; Gallagher, Syrian government. However, it operates from Syria, 2013). After 2013, the number of cyberattacks which suggests that, even if it is not part of the Syrian perpetrated by the SEA decreased and stopped military, it at least enjoys tacit support from the Syrian altogether in June 2015. In fact, the group shifted its government (OpenNet Initiative and InfoWar Monitor, focus from hacktivism to cybercrime. In 2016, the US 2011). Warren and Leitch (2016) argue that the SEA acts Federal Bureau of Investigation (FBI) added two SEA as a proxy group for the Syrian government and is under members to its list of wanted cybercriminals. A member the authority of the Syrian government. Grohe (2015) of the group, Peter Romar, was arrested in Germany in adds that it became Syria’s de facto cyber force because March 2016 and was extradited to the USA, where he of all the attention it attracted through its operations, as will be tried (Kobrak, 2017). it always advertises and claims responsibility for its attacks. Al-Rawi (2014) continues that the SEA also The Syrian Malware Team attracts patriotic hackers and/or script kiddies who want to take part in the conflict, but do not want to be The Syrian Malware Team (SMT) is a pro- associated with the Syrian government. It is therefore government group of hackers using RAT. It might be an unclear whether the SEA is a loose association of SEA branch, or at least some of its members have ties to patriotic hackers or operates under a more centralized the SEA. According to the cybersecurity firm FireEye, the and organized structure. In an operation against the group was first observed in January 2011 and was still Syrian government, the hacktivist group Anonymous active in July 2014 (Wilhoit and Haq, 2014). exposed five alleged SEA members, revealing that one of them was operating from Romania and another from

9 The SEA also uses the names: ArabAttack, Shadow, The Pr0, Saqer Syria, Sy Team and al3rab (OpenNet Initiative and InfoWar Monitor, 2011).

10 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

The Electronic National Defense Forces identified to be active in cyberspace: The Supreme Council of the Revolution (SCR), FSA10, and the Hackers The Electronic National Defense Forces (EDNF) is of the Syrian Revolution (HSR). These groups have been a group said to be the technical wing of the Syrian less visible in cyberspace probably due to both a lack of National Defense Forces, a pro-government militia resources and coordination among themselves. operating throughout Syrian territory (Lund, 2015). The militia was created by the merger of several smaller The Supreme Council of the Revolution groups in 2012, but its electronic unit was probably created at the same time as its Facebook page in August The SCR can be linked to the Supreme Council of 2013. The group is active on Facebook to lure opposition the Syrian Revolution (SCSR), which is an opposition members into providing their social media login group sitting on the Syrian National Council (SNC)11. credentials. They then use this data to access accounts However, it is unclear if the SCR is in reality the SCSR, if and post pro-government messages in the victims’ it has ties to the SNC or not. The group allegedly hacked names (SecDev Foundation, 2013a). into Syrian President Assad’s email accounts and his wife’s (Booth et al., 2012). The hacker of the email Groups operating from outside Syria accounts is alleged to be Abdullah Hachim Shammani, who operates an information network in Arabic (Ahmad, Two pro-government groups have been 2012). identified to be operating from outside Syria. The first group, which allegedly originates from Lebanon, carried The Free Syrian Army out hacking operations between November 2013 and January 2014. Its technique was to lure opposition The FSA was created in July 2011 by Syrian Armed members on Skype with a female avatar. They would ask Forces deserters who fled to Turkey. It is a decentralized victims to download a photo infected with a RAT. They organization that brings together several opposition also used fake social media pages with download links to groups but does not include Islamist groups. The FSA infected software or images. The Command and Control receives support from Western and Gulf states (BBC (C&C) servers used for these activities were located News, 2013; Lee, 2016). Its use of cyberspace is mostly outside Syria, and the perpetrators made several aimed at promoting the group’s cause and reporting the references to Lebanon both in their conversations with Syrian government’s atrocities on social media. The FSA victims and in the malware script. These elements led was also involved in DDoS attacks against Syrian FireEye experts to believe that this is a group from government websites and Syrian state-owned media Lebanon. If this is indeed the case, the group may be tied websites (Lee, 2016). to Hezbollah, whose members are said to have attended internet and social media training courses in Syria The Hackers of the Syrian Revolution (Regalado et al., 2015). The second group allegedly comes from Iran and The HSR group appears to be composed of four has been named Group5 by researchers at Citizen Lab in hackers; it targets mainly computer infrastructures of Toronto. Group5 has been observed since October 2015 the Syrian government. It is believed to have attacked and targets members of anti-government groups. The the Syrian Ministry of Oil and Mineral Resources and the group sent emails which seemed to come from Syrian Virtual University, although the nature of the legitimate non-governmental organizations (NGOs), but attack is unknown. The HSR accessed and released a list contained a Microsoft Office PowerPoint presentation of people investigated by the Syrian General Security infected with a RAT. It also runs a website that emulates Department in relation to opposition activities (SecDev the design of other opposition websites and contains Foundation, 2013b). links to infected documents. Both the website and the C&C servers are hosted outside Syria. An obfuscation Islamist groups tool known to be used by Iranians was used together with the RATs, as was a Persian-language tool. These Islamist groups opposing the Syrian government elements led the Citizen Lab experts to assume that are considered to be separate from the opposition Group5 was an Iranian actor (Scott-Railton et al., 2016). because they are not included in the SNC and also target anti-government groups. There are just as many Islamist Anti-government groups groups as opposition groups, but three can be distinguished by their activities in cyberspace: the It is believed that there are more than 1,000 anti- cyberwing of ISIS, called the Cyber Caliphate; the government groups in Syria, but only three have been

10 The FSA is also known as the Supreme Military Council of the Free 11 The SNC is also known as the Syrian National Transitional Council or Syrian Army. the National Council of Syria.

11 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

cyberbranch of Jabhat al-Nusra12; and the cyberunit of technical division responsible for cyberattacks (Stanford the militia Ahrar al-Sham. These groups are not University, 2017), but there is very little information on coordinated and do not fight the same enemy; they even it. It is said to be behind cyberattacks on the SEA and fight against each other in the physical and cyber realms. Syrian media (Zelin and Lister, 2013).

The Cyber Caliphate State actors

The Cyber Caliphate was created in 2014. It State actors consist of states involved in the appears to be the cyberunit of ISIS, but its affiliation to Syrian conflict in cyberspace. Iran, Turkey and Israel are that Islamist group remains unclear. This ambiguity is neighboring countries affected by the Syrian conflict. based on the possibility that the group may be only an Russia intervenes in support of the Syrian government, ad-hoc organization rather than an effective branch of and the USA is part of a larger operation against ISIS that ISIS. ISIS is a Sunni fundamentalist group that is conducted in Iraq and Syria. Both Russia and the USA established a proto-state on territory in Syria and Iraq. It are part of the international coalition against ISIS. was observed that the Cyber Caliphate was mainly active between 2014 and 2015, when ISIS was in full control of Iran its territory (Graham-Harrison, 2015). Later, its activity in cyberspace decreased, probably due to the group’s As a Shia religious state, Iran supports Assad, who stronger focus on military ground operations rather than belongs to the Alawite minority in Syria, a Shia branch of on cyber activities. Islam. The conflict in Syria can be described as a proxy Hackers of the Cyber Caliphate operate from war between Shias (Iran) and Sunnis (Saudi Arabia). Iran both abroad and from ISIS territory. Their most famous fears that if the Syrian government falls, a revolution in individual is a British hacker, Junaid Hussain, who was Iran may follow. Iran supports Assad’s government and convicted for accessing Tony Blair’s personal address pro-Assad militias with military training and equipment, book in 2012. advisors and financial resources (Lee, 2016; Lund, 2015). As an alleged cyberwing of ISIS, the group is The leak of Assad’s emails in 2012 revealed that responsible for social media propaganda used for the Syrian President received advice from Iran on how recruitment and fundraising, maintaining the internet in to handle demonstrations (Booth et al., 2012). Iran is ISIS-controlled territories and educating ISIS members known to have a large cyberbranch in the IRGC that may on cybersecurity (ZeroFOX Team, 2015). have trained Syrian forces and Hezbollah in Lebanon. It was reported that some members of the IRGC were also The cyberbranch of Jabhat al-Nusra integrated in Syrian forces. In October 2013, the commander of the Iranian Cyber War Headquarters was Jabhat al-Nusra is a fundamentalist Sunni group assassinated for allegedly providing support to the SEA that was created in the context of the anti-government (Grohe, 2015). However, misinformation was circulated protests in 2011. The group was associated with al- online about the cooperation between Iran and Syria Qaeda in Iraq from 2012, but publicly separated itself in (Duggan, 2015). July 2016. They have also been seen as rivals of ISIS since their separation in 2013 (Clarke, 2016; Haid, 2016). This Turkey Islamist group appears to have a cyberunit called the Jabhat al-Nusra Electronic Army, which has run its own Turkey’s involvement in the Syrian conflict stems Facebook page since 2013. However, the affiliation from its geographical position as a neighbor, from the between the Islamist group and the hacker group has influx of Syrian refugees across the border and from the not been confirmed. The hacker group targets mainly perceived risk emanating from the Kurdish population government forces (SecDev Foundation, 2013b). living near the border. Turkey’s role in cyberspace in the context of the conflict remains unclear. Nevertheless, The cyberunit of Ahrar al-Sham Turkish citizens were targeted by ISIS propaganda and recruitment campaigns (Gurcan, 2016). Turkish websites Ahrar al-Sham was founded in December 2011. were also victims of DDoS attacks allegedly conducted This Sunni fundamentalist group intends to overthrow by Russia in retaliation for the downing of a Russian Assad’s Syrian government and replace it by an Islamic fighter jet in November 2015 (Murgia, 2015). government. On the ground, they cooperate with al- Nusra and Turkey against ISIS. They receive financial support from Turkey and Saudi Arabia. The group has a

12 Jabhat al-Nusra is also known as Al-Nusra Front or Jabhat Fateh al Sham.

12 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Israel Anonymous

Israel’s role in the conflict is based on its Anonymous is a decentralized hacktivist neighboring location and rivalry with Syria as a local association that supports internet freedom. In power. Israel is known to have significant cyber November 2012, Anonymous declared war on the Syrian capabilities, but none have so far been disclosed during government after it shut down internet and mobile the Syrian conflict. Israeli intelligence services were phone services to prevent the opposition from accused of allegedly assassinating the commander of communicating (Bennett-Smith, 2012). In other the Iranian Cyber War Headquarters in 2013 (McElroy campaigns, they also targeted ISIS and states financing and Vahdat, 2013). ISIS (Calpito, 2015; Hamill, 2014).

Russia Oliver Tucket

Russia is allied to the Assad government and Oliver Tucket is the pseudonym of a US hacker physically intervened in Syria against ISIS in September who has targeted the Syrian government’s servers and 2015. Russian support mainly takes the form of leaked government documents and communications. equipment and air support, and Russian action in He accessed Syrian government website servers and cyberspace consists of propaganda and espionage redirected users to other pages. He was annoyed by the campaigns focused on gathering information on anti- amount of publicity that the SEA received in comparison government groups and NGOs, with spying malware to its limited technical skills. He is also said to have been being delivered by spear phishing emails and fake motivated to act against the Syrian government for websites with malicious links (Jones, 2016). It is alleged moral reasons. He does not claim any association with that Russia intervened in cyberspace by launching DDoS Anonymous and has stated that he wanted to show that attacks against Turkish websites to retaliate against the anybody with an internet connection could take part in shooting down of a Russian plane by the Turkish air force the conflict (Grohe, 2015; Peterson, 2013). (Murgia, 2015). The group APT28, which is said to have ties to the Russian government, defaced the French 3.2 Targets television channel TV5 Monde with pro-ISIS messages (Ruhfus, 2015). Cyberattacks carried out in the context of the Syrian civil war have been aimed at a diverse range of The United States of America targets located both inside and outside Syrian territory. They can be grouped into six categories according to The USA leads the international coalition against their association with the various actors in the conflict ISIS in Syria and in Iraq. It provides training, equipment and their geographical locations: government and air support to anti-government forces. The USA institutions and pro-government groups; anti- considered using cybertools against infrastructures in government forces excluding Islamist groups; Islamist Syria, but the idea was abandoned because of fears of groups; third-party states; third-party organizations; retaliation against the USA or its allies by Syria, Iran or and media outlets. These groups may have been Russia (Sanger, 2014). targeted by more than one perpetrator. Government institutions consist of Syrian Non-aligned groups governmental institutions, networks and websites. They experienced mostly DDoS, defacement and data This category consists of third-party non-state breaches. They were targeted by anti-government actors who became involved in the Syrian conflict forces and Islamist groups as part of the war effort to through cyberspace. It includes the hacktivist group collect information on government forces or simply to Anonymous and a US national named Oliver Tucket. discredit the government through propaganda There have also been other hacktivist groups involved in campaigns (Grohe, 2015; OpenNet Initiative and the conflict at various times, but only Anonymous had InfoWar Monitor, 2011). Other groups such as significant impact. For instance, the hacktivist group Anonymous and the hacktivist named Oliver Tucket Telecomix sent emails to members of the Syrian attacked the Syrian government to disclose information opposition containing advice on how to bypass internet about the war to the public, but also to disrupt access to shut-downs and links to online security tools, but the government networks and websites (Lee, 2016). Pro- group apparently did not get involved in any other government groups’ social media accounts were also proactive online activities (Weiss, 2012). targeted and defaced by anti-government and other groups (Grohe, 2015). Anti-government groups suffered cyberattacks from government forces and pro-government groups in

13 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

the form of propaganda, misinformation and website Other types of unfriendly cyber activities have defacement in order to discredit the anti-government been observed and grouped into four categories: data cause. They were also targeted in DDoS attacks aimed at breaches with disclosure of stolen documents; website hampering access to webpages and impairing groups’ defacement; DDoS; and espionage malware. The first ability to communicate or share up-to-date news about type of activity consists of collecting information government force positions. Anti-government groups through cybermeans and releasing it to the public with were additionally infected by RAT malware delivered via the aim of influencing public opinion. The next two phishing campaigns originating from government forces categories focus on disrupting the use of websites. and pro-government groups. This was to collect However, defacement is also oriented towards gaining intelligence on the members, structures and locations of publicity for a cause and is used as a propaganda tool. anti-government groups (Deegan et al., 2017). The fourth type of activity focuses on collecting Islamist groups were mostly targeted by the intelligence on an enemy’s hierarchy or location in order hacktivist group Anonymous. They sustained website to prepare for future kinetic attacks. defacement and DDoS attacks. The goal was to hamper Islamist groups’ access to certain websites to prevent Data breaches them from conducting recruitment and propaganda campaigns. These groups were also confronted with Data breaches and the disclosure of stolen social media websites closing their accounts. information occurred repeatedly throughout the Syrian Third-party states are also targeted by civil war. This type of activity entails entering a network cyberattacks originating from the Syrian conflict. This without the user’s consent and/or knowledge through category includes states that are both directly involved the use of malware, theft of login credentials or weak (e.g. by taking part in the international coalition’s anti- passwords. Data breaches can also aim at disclosing ISIS operations in Syria) and indirectly involved (e.g. by stolen information in order to influence public opinion. financing groups). Websites and social media accounts Theft of information happened about fifteen times of US institutions have been repeatedly defaced by the during the Syrian war, with ten incidents perpetrated by SEA and the Cyber Caliphate since 2011. Anonymous the SEA, one by an anti-government group, two by also targeted websites of states suspected of funding Islamist groups and two by Anonymous. ISIS, namely Turkey, Qatar and Saudi Arabia (Hamill, 2014). Website defacement Third-party organizations are private firms, international organizations and non-government Website defacement, which has been the most organizations. Some are directly involved in the conflict, frequently occurring cyberattack during the conflict, is while others are not, but are targeted because their regarded as cyberspace vandalism, as it involves website or network security is low, making them easy changing the appearance of a website or redirecting targets for opportunistic cyberattacks. This type of users to another webpage. Perpetrators exploit organizations was mainly targeted by the SEA and vulnerabilities in website structure by employing SQL sustained primarily defacement of their websites or injection to access the site server and obtain social media accounts (Al-Rawi, 2014). administrative rights to make changes. During the Syrian Media outlets are defined as a special category civil war, many social media pages were defaced to here because they were principally targeted by the SEA display propaganda messages. The techniques used by and anti-government groups. These groups attacked pro-government groups in the Syrian context consisted media outlets to protest about their reporting on the of luring victims into relinquishing social media login Syrian civil war, which they judged to be untruthful. credentials with phishing emails, fake login pages, and Media outlets were affected by defacement of their sometimes with the use of torture (Ruhfus, 2015). websites and/or social media accounts (Lee, 2016). Another technique used for defacing websites was DNS hijacking, which consists of substituting a website’s DNS 3.3 Tools and techniques server by another. Approximately 200 websites have been defaced since the beginning of the Syrian civil war. Since the beginning of the Syrian civil war, all of The majority was defaced by the SEA, but other, smaller the actors have used social media and online platforms actors have also used defacement. The goal of these to promote their causes with the aim to gain local and attacks was not to steal information, but to disrupt and international support for recruitment or funding. This harass the enemy, while spreading propaganda and technique does not require specific technological skills misinformation. The targeted webpages were mostly and is more focused on publicity than causing damage media outlets and other organizations such as NGOs or and is therefore not considered as a tool or technique in commercial companies. Some targeted webpages this report. belonged to companies without any affiliation to the conflict; these were simply chosen because of

14 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

vulnerabilities in their webpages (OpenNet Initiative and DarkComet RAT is able to activate webcams, disable the InfoWar Monitor, 2011). detection notification of antiviruses, record keystrokes, steal login credentials, delete and control files. It also DDoS has a DDoS capability (New Jersey Cybersecurity & Communications Integration Cell, 2016). The DarkComet DDoS attacks were used relatively infrequently RAT samples found in the context of the Syrian conflict during the Syrian conflict, compared to website were communicating with a C&C server located in Syria defacement. In a DDoS scenario, attackers overload a that belonged to the STE. website with requests causing a denial of access for DarkComet RAT was also delivered through other legitimate users. This technique has been mostly means. The perpetrator, a pro-government group, employed by the SEA, which developed a tool named would pose as a female anti-government activist and Bunder Fucker 1.0 at the beginning of the conflict in contact victims via Skype or Facebook messages. The order to target the websites of four media outlets: Al- attacker would then send a picture of the female avatar Jazeera, BBC News, Orient TV and Al-Arabyia TV. This containing the malware. When the picture was opened, tool was advertised for download on the SEA Facebook it installed DarkComet RAT on the computer. This page. The SEA also informed its followers on how and version of the malware, which communicated with a when to use the tool to launch attacks. An anti- C&C server outside Syria, is believed to have originated government group in turn transformed the tool to target in Lebanon (Regalado et al., 2015). When the developer pro-government media websites: Syrian General, the of the malware learned that pro-government groups Syrian organization for radio and TV, Addounia TV and used his tool, he stopped updating it and instead Syriarose (OpenNet Initiative and InfoWar Monitor, developed a removal tool that he published for free 2011). Attacks of this nature are mainly intended to (Geers and Alqartah, 2013). disrupt and harass the enemy. Later in the conflict, the emphasis was more on website defacement rather than njRAT DDoS, but the latter still occurred a number of times between 2013 and 2015. njRAT14 was the second most commonly found RAT in the context of the Syrian conflict. It was first seen Malware in June 2013 and was mainly used by cybercriminals in the Middle East. 80% of the C&C servers for njRAT are The use of dozens of different types of malware located in the Middle East and North Africa (New Jersey has been reported throughout the Syrian civil war. The Cybersecurity & Communications Integration Cell, cybersecurity firm FireEye reported that malware used 2017). The malware’s features consist of collecting in the context of the Syrian conflict mostly targeted anti- documents, making screenshots, gathering login government groups, media activists and humanitarian credentials, recording keystrokes, deleting files and actors working in Syria and in neighboring states activating the webcam and microphone. This RAT is also (Regalado et al., 2015). Malware was mainly deployed to capable of avoiding antivirus detection because of its collect information about victims of such attacks in encrypted architecture. The malware was used by the order to identify members of targeted groups, their Iranian group Group5 but also by other pro-government movements and communications for battlefield groups. They infected their victims via the use of spear advantage or for repression. The majority of malicious phishing emails or fake anti-government websites with applications was available on hacker forums either free malicious links that would download the malware onto of charge or for sale. Eight of these malware products users’ computers without their knowledge (Scott- targeted computers: Railton et al., 2016). In September 2013, a sample of the malware was DarkComet RAT found in a link on a Facebook page containing information on the death of a FSA cleric killed by ISIS in DarkComet RAT13 was the most commonly found July 2013. This sample communicated with a C&C server RAT linked to the Syrian conflict (Kaspersky Lab, 2014). located in Syria (Galperin et al., 2013). It was developed by a French hacker in 2011 and was In March 2014, a sample of njRAT was found in a freely available on surveillance forums. It was retrieved modified version of the censorship circumvention by pro-government groups and used against anti- software, Psiphon. The malicious version of Psiphon government groups (Ruhfus, 2015). The malware was looked exactly like the legitimate version but ran njRAT often hidden in a document sent to victims in spear in the background, which communicated with a C&C phishing emails. When victims opened the document, it server located in Syria. It is believed that it targeted would download the malware into their computers. Syrian anti-government groups, which often used

13 The malware DarkComet RAT is also known as Finloski. 14 The malware njRAT is also known as Bladabindi or Zapchast.

15 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

censorship circumvention tools such as Psiphon (Scott- information each time the computer is restarted, Railton, 2014). confirming the idea that the malware acts as a beacon. The level of sophistication is rather low, as it does not Xtreme RAT encrypt the emails it sends and does not try to conceal its activities. Experts from Citizen Lab assume that the Xtreme RAT has been available online for free developer and user of the malware is ISIS (Scott-Railton since 2010. It is capable of collecting and uploading files, and Hardy, 2014). making screenshots and activating microphones and webcams and was used mainly by cybercriminals against BlackWorm financial institutions (Villeneuve and Bennett, 2014). It was believed to have been used by the SEA against anti- BlackWorm is a malware developed by Naser al government groups, and by Jabhat al-Nusra against Mutairi from Kuwait, who also developed the NGOs and FSA members. Samples of the malware were aforementioned njRAT malware, and a developer found in emails sent to an NGO administrator and dubbed Black Mafia. There were two versions of the members of the FSA in October 2013 (Galperin et al., malware used in Syria by SMT. Both were able to 2013; Geers and Alqartah, 2013). communicate with C&C servers and download files from them as well as remotely restart computers, copy Nanocore themselves onto USB drives and steal login credentials. This malware is easily available via specialized forums NanoCore15 is a malware freely available online (Wilhoit and Haq, 2014). since December 2013. It is mostly used by cybercriminals and affected mostly US victims (Payet, 2014). In Syria, it ShadowTech RAT was mainly used by Group5, which used spear phishing emails and fake anti-government websites to infect their ShadowTech RAT is a widely available malware victims. The malware has the same cyberespionage used mainly by cybercriminals. In June 2013, it was functionalities as njRAT (Scott-Railton et al., 2016). found in a fake version of a Virtual Private Network (VPN) software named Freegate. Victims were Backdoor.breut encouraged to download the software on anti- government forums and social media pages. Once Backdoor.breut is a Trojan horse opening a downloaded, it would ask users to disable their firewall backdoor in victims’ computers. It is available online and to update the fake software and let ShadowTech RAT allows perpetrators to record keystrokes, steal login run freely in the background. credentials, activate webcams and microphones, and download and upload files in the compromised The malware used in the context of the Syrian computer (Liu, 2017). It is believed to be used by the civil war also targeted smartphones using the Android Syrian government to steal the login credentials of operating system: members of anti-government groups. Users would then impersonate their victims on social media pages and DroidJack send the malware to their victims’ contacts (Zaluski, 2016). DroidJack was developed from another Android RAT named SandroRAT, which was released on hacker The “beacon malware” forums in 2013. This malware is designed to intercept and steal messages, contacts and photos and activate A “beacon malware” was discovered in an email cameras and microphones remotely. It was used in Syria sent to the activist journalist group named Raqqah Is by Group5 and delivered through a fake update for Being Slaughtered Silently in November 2014. The email Adobe Flash Player (Scott-Railton et al., 2016). contained a slideshow, which would download the malware when opened. The malware looks for details of The Dawn of Glad Tidings the operating system of the victim’s computer and emails its Internet Protocol (IP) address to the The Dawn of Glad Tidings16 is an Android perpetrator. Experts from the Citizen Lab assume that application developed by ISIS in April 2014. It is an the choice to send information via email rather than to official app from ISIS that informed users about news a C&C server is due to the lack of internet connectivity related to ISIS via Twitter messages. The application in Syria. The malware deletes itself from the computer accesses the user’s Twitter account and posts messages when the slideshow is closed. It possibly resends the on their account. It enabled ISIS to gain attention on

15 The malware NanoCore is also known as Trojan.Nancrat. 16 The Android application was also known as Dawn.

16 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Twitter and to build a network of botnets. The 4 Effects application was able to upload up to 40,000 messages a day. The purpose of this application was to spread This section details the effects of cyber activities propaganda and gain attention on social media carried out in the context of the Syrian civil war at the platforms (Berger, 2014; ZeroFOX Team, 2015). domestic and international levels. It analyzes how Syrian society was impacted by cyberattacks, what economic costs victims incurred due to these attacks, what technological damage was caused by the cyberattacks and what technological innovations have emerged from the conflict. At the international level, this section aims to explain the effects of the cyberattacks on international relations and international involvement in the Syrian conflict.

4.1 Social effects

At the social level, the information context in Syria is complicated. At the beginning of the protests against the Syrian government in 2011, Assad expelled all foreign journalists from Syria to prevent them from reporting on the demonstrations. The media in Syria and the information they reported were subsequently fully controlled by the government. President Assad’s aim was to isolate Syrians from outside information while shaping public opinion in his favor. At the same time, dissidents were using the internet and social media to report their side of events. Cyberspace became a place where the government as well as anti-government and Islamist groups were able to share their narratives of the war and spread their propaganda to gain domestic and international support. Each group tried to discredit the other groups through messages, pictures and videos posted on social media. They all attempted to gain publicity to rally the population and the international community to their cause, to recruit members or to raise funds (Lee, 2016). However, it remains difficult to verify the veracity of the posted allegations, pictures and videos. The SEA was particularly aggressive in this domain and has frequently defaced, spammed or attacked with DDoS the websites of media outlets that report negatively on the Syrian government (Fisher and Keller, 2011). Al-Rawi (2014) argues that the Syrian government used the SEA as a de facto public relations tool. The significant amount of disruptive attacks launched by the SEA also enabled it to gain visibility, to rally more moderate actors to its cause and to appear as a major actor. However, its unconfirmed relationship with the Syrian government allowed the Syrian government to deny any involvement in these activities. ISIS also used media and social media in Arabic and in other languages to gain visibility and access a wider audience. Its goal was also psychological warfare by instilling fear in its enemies by showing highly violent propaganda photos and videos (Siboni et al., 2015).

17 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

The internet and social media have made it easier of cyberattacks in the context of the Syrian civil war to organize protests and communicate them to a wider were defacements of Twitter accounts and media outlet audience than before. In the case of the Syrian civil war, websites, which mostly impacted their reputation. patriotic hackers, or any sympathizers of any other The defacement that had the most impact was groups, are able to take part in the conflict in the cyber perpetrated by the SEA on the Associated Press Twitter realm, provided they have the requisite technical account in April 2013. The hacker group posted false knowledge. However, these civilians would then be news about an explosion in the US White House and US considered as participants in the conflict and lose their President Obama being injured on the Twitter feed. status as non-combatants. This adds a new dimension to Within seconds from the message having been the conflict, as combatants are not permitted to target published, the stock market dropped by US$130 billion, civilians under international law. but recovered shortly after the news was refuted Hackers located in Syria are able to target (Grohe, 2015). The attack was not technically websites or networks abroad, which adds another sophisticated, as the SEA obtained login credentials international dimension to the conflict and carries the through spear phishing emails, but its economic risk that the civil war may escalate into an international consequences could have been disastrous. In this conflict. However, such actions by individuals or groups example, the cyberattack affected mostly citizens’ also benefit the Syrian government and non-state actors financial situation rather than government itself by promoting the various groups’ agendas. At the same (Deegan et al., 2017). time, hackers’ actions have few political or legal consequences. Both state and non-state actors are able 4.3 Technological effects to deny any association with perpetrators, arguing that these are individuals acting on their own initiative. During the protests and the conflict, the internet Moreover, if there is retaliation against individual(s), this was shut down several times by the Syrian government. does not affect the Syrian government or other non- The internet infrastructure in Syria is highly centralized state actors (Al-Rawi, 2014). with three submarine cables emerging in Tartous and Society is also affected by the hijacking of social one land cable between Turkey and Aleppo. These media accounts. Many social media accounts of digital gateways are controlled by STE, which enables members in anti-government groups were hijacked by the Syrian government to easily shut down the country’s the Syrian government or Islamist groups. The entire internet (Gady, 2013b). The goal of these perpetrators would steal their victims’ login credentials shutdowns was to prevent protesters from using various techniques such as fake login page links communicating among themselves and with the outside sent via email, or even through the use of torture. world. This forced the anti-government and Islamist Perpetrators would then log into their victims’ accounts groups to be creative and find other ways to and post pro-government materials and/or try to collect communicate. They connected to the internet through information on other anti-government members and satellite communications systems, but also relied on their locations (Gady, 2013a). This impersonation of VPN or other censorship circumvention software (Scott- members of enemy groups on social media not only Railton et al., 2016). However, these practices also put erodes trust among members, but also increases these groups at risk of being deceived with maliciously mistrust among the anti-government groups’ members repackaged programs, as was the case with Psiphon and Syrian society as a whole. People no longer know (Scott-Railton, 2014) and Freegate (Scott-Railton and whom to trust online and fear that they may be reported Marquis-Boire, 2013). These cases caused opposition to the authorities. Social media hijacking also detracts groups to lose confidence in such technologies and from the legitimacy and credibility of anti-government required them to be more cautious and creative when groups in relation to their partners and the Syrian downloading tools of this kind. population. The technology used in the various cyberattacks in the context of the Syrian civil war was not 4.2 Economic effects sophisticated. There were no discoveries of new malware families, apart from the beacon malware. The The most obvious economic effects from defacement attacks were also of rather low cyberattacks in the context of the Syrian civil war are the sophistication and relied mostly on known website costs caused by the DDoS and defacement attacks. For vulnerabilities and spear phishing emails. These attacks businesses, these attacks generate costs estimated to be show that actors can cause significant international US$22,000 per minute of website unavailability. The disruption even with low technological sophistication. average duration of a DDoS attack is estimated to be 54 minutes. These are only the direct costs, but such attacks also damage the reputation of the website and its owner(s) (Kenig, 2013; NSFocus Inc., 2016). The bulk

18 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

4.4 International effects anybody can claim to be part of any group, even if they are in fact thousands of kilometers away from Syria. The Syrian civil war started with protests in The conflict in cyberspace remained several cities, which were soon followed by DDoS and circumscribed and limited to support for operations on defacement attacks on media outlets and other the ground. Cyberattacks remained at a low intensity, as websites. The conflict in cyberspace also quickly they merely caused disruption rather than any physical affected non-Syrian websites, spreading the damage. The DDoS and defacements were aimed at cyberconflict internationally. Throughout the six years of harassing the enemy and disrupting media coverage of the war, various non-Syrian websites fell victims to the conflict. Malware was only used to gather defacement or data breach attacks by Syrian information on the enemy for battlefield preparation. perpetrators. The targeted websites were often media The lack of high-intensity attacks may have been due to outlets reporting on the Syrian conflict or companies a lack of cyber capabilities as well as a lack of time for somehow involved in the conflict (e.g. Viber, Truecaller preparing and developing such attacks (Gady, 2013a). or Tango), or targets chosen randomly because of The EU, the USA and the Arab League reacted to vulnerabilities on their websites. These attacks aimed to the Syrian government’s repression of protests by gain publicity but were not disruptive or damaging imposing economic sanctions and embargoes. Syria was enough to drag foreign state actors into the war. already subject to economic sanctions, but the brutal However, the war has an international dimension repression of the demonstrations in 2011 pushed states at both the physical and the cyber levels. There is a Shia to act and tighten sanctions. They agreed to impose front composed of Lebanon, the Syrian government and travel bans, freeze financial assets and issue embargoes Iran. Actors from Lebanon and Iran have been observed on certain goods and weapons. The sanctions damaged to support the Syrian government on the ground, but the Syrian economy, increased the number of Syrians also in cyberspace with training and campaigns targeting living in poverty and hampered humanitarian aid anti-government groups (Grohe, 2015). On the opposite (Khalek, 2016). The sanctions have little to do with side, there is a Sunni front composed of Turkey, Qatar cyberattacks, except for the seizure of approximately and Saudi Arabia, which support anti-government and 700 Syrian domain names by the US firm Network sometimes Islamist groups. Unlike the Shia support, Solutions LLC in 2013, which forced the SEA to host its assistance provided by Sunni states seems to be limited website in Russia (Grohe, 2015). to the physical realm and has not been transposed to cyberspace. Also, other major powers such as Russia and the USA seem to limit their support to physical operations. The USA considered launching a cyberattack on Syrian government infrastructures, but did not do so due to concerns about possible retaliation by Iran or Russia (Sanger, 2014), although the reason may also have been to avoid disclosing US cyber capabilities in relation to a target of low importance such as the Syrian government. Russia used propaganda campaigns to justify bombings and discredit the Western intervention against ISIS (Luhn, 2016). It has also used spying malware to gather information on anti-government groups and NGOs (Jones, 2016). A significant aspect of cyber activities in the context of the Syrian civil war is that any individual is able to take part in these attacks, as was clearly demonstrated by the case of Oliver Tucket, a US citizen who decided to hack into Syrian government networks (Grohe, 2015). This shows that it is easier for third-party actors to participate in a conflict through cyberspace than in the physical realm because of the anonymity provided by the attribution problem. Anybody with an internet connection can participate in a conflict with little risk of retaliation, whereas physically going to Syria to support either group is harder and costlier. This particularity increases confusion regarding the identity of cyberspace actors and the groups they support, as

19 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

5 Policy Consequences such incentives would be to prevent the repetition of events similar to the Associated Press Twitter account This section proposes several measures that hack and its results. Some states are already thinking states may wish to implement to reduce the risks of about incentives of this nature. The United Kingdom and malicious cyber activities from the Syrian civil war. Germany are considering fining social media companies that fail to remove posts promoting violence against a particular group, terrorism or extremism promptly. They 5.1 Raising awareness of propaganda argue that it is not a measure that restricts free speech, and radicalization online but rather a way to prevent the promotion of illegal activities (Bowcott, 2017). Ever since the start of the protests and the conflict in Syria, all actors have tried to gain domestic 5.3 Improving cybersecurity and international support by posting messages, pictures and videos online. However, it is difficult, if not A large number of cyberattacks carried out impossible, to verify the veracity of posted material. The during the Syrian civil war used spear phishing emails to media, governments and society as a whole therefore infect computers or steal login credentials, and it is need to raise awareness that posted documents can therefore recommended to increase awareness of this serve propaganda purposes and should be approached issue through education programs and technical critically. Propaganda and misinformation mainly seek solutions. Users need a better understanding of the to rally public opinion for the groups’ respective causes, consequences such emails and malicious intrusions into to recruit members and to raise funds. It is important for computer systems can have. Equipped with this kind of society to understand this issue and that it is difficult for knowledge, it is hoped that computer users would use democracies to counter propaganda or control what the their devices more cautiously. Sensitization campaigns media publish. could be used to teach people how to recognize fake In addition to the general propaganda tied to the emails and how to be more careful before clicking on actors in the conflict themselves, there is also the fact links or opening attachments, enabling them to identify that ISIS stands out from the others through a very well- malicious emails more easily. Institutions could also organized propaganda and psychological warfare establish simple standard operating procedures for apparatus. ISIS uses websites aimed at non-Arabic reporting malicious emails in order to react quickly and speaking audiences alongside magazines, social media minimize damage. and video games for propaganda and recruitment Technological solutions to assist users in (Siboni et al., 2015). ISIS understands the dilemmas that recognizing spear phishing emails include requesting democratic societies face regarding freedom of speech partners to implement email authentication systems and propaganda. Therefore, public awareness of ISIS such as the Sender Policy Framework (SPF). This propaganda and the risk of online radicalization needs framework supports users in identifying spear phishing to be increased. emails by certifying the authenticity of senders’ IP Sensitization campaigns in schools or other addresses. Another technical solution could be to use forums can be organized to assist the population in two-factor authentication systems, which can prevent recognizing propaganda and radicalization materials and malicious actors from logging in with stolen login maintaining a critical stance. It would also be important credentials, as it is normally only possible to steal one of for state authorities and media to expose and correct the two factors required during the login process. misinformation campaigns in order to contain any undesirable effects they may have (Paul and Matthews, 2016). 5.4 Monitoring the evolution of the conflict 5.2 Incentivizing social media to better The conflict has already lasted six years and is still control content ongoing. There have been various changes in the actors involved and in international interventions. There have A major issue that resulted from the posting of also been several failed attempts at building durable fake information on the hacked Associated Press Twitter peace in Syria through various negotiations. The account by the SEA was the negative market reaction to situation develops quickly, both on the ground and in the news. While the Dow Jones index soon recovered cyberspace. The SEA was an important online actor from having dropped by US$130 billion after the during the early stages of the war but has now defacement, the consequences could have been a lot disappeared from cyberspace. ISIS arrived later in the more serious. States should incentivize social media conflict but has been quite active in cyberspace with companies to improve login security and to quickly activities focusing mainly on propaganda and publicity remove false information or illegal content. The aim of rather than causing actual damage. Currently, ISIS’

20 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

financial resources are strained, and the group’s territory is shrinking. States should therefore monitor this Islamist group’s online actions closely, as it might be tempted to raise money through cybercrime activities (Graham-Harrison, 2015). Just as the SEA turned to cybercrime after the seizure of its website domain name by Network Solutions LLC in 2013, the Cyber Caliphate and ISIS might choose to finance their operations on the ground by targeting businesses or individuals with cybercrime tools. Iran also positioned itself as an important actor in cyberspace in the region. It has provided assistance to the Syrian government and needs to be monitored to support an analysis of its threat potential to other countries. International intervention is currently limited to airstrikes and training, but actors with significant cyber capabilities such as Russia, the USA, Israel or Iran may be tempted to intervene, if the situation changes on the ground or in cyberspace.

21 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

6 Annex 1

Non-exhaustive table of the various cyberattacks observed in the Syrian conflict:

G = Government and pro-government groups, A = Anti-Government groups, I = Islamist groups, S = Other states, O = Third-party organizations, M = Media outlets Date Victim Type of Alleged Technique/Tool victim perpetrator 05.2011 OrientTV M SEA DDoS (Fisher and Keller, 2011) 16.05- Hundreds of websites M/O SEA Defacement (OpenNet Initiative and 19.06.2011 InfoWar Monitor, 2011) 05.2011 Email account of Syrian G SCR Account access by obtaining the login President al-Assad and credentials from someone close to the his wife Assad family (Booth et al., 2012) or guessing the password, which was “1234” (Ahmad, 2012) 05.2011 Opposition Facebook A SEA Data breach and spamming (OpenNet pages Initiative and InfoWar Monitor, 2011) 06.2011 Opposition forces’ A SEA Defacement and posting of pro-Assad Facebook pages messages on the Facebook pages (OpenNet Initiative and InfoWar Monitor, 2011) 24.06.2011 French embassy S SEA Defacement (OpenNet Initiative and website InfoWar Monitor, 2011) 07.2011 Syrian Ministry of G Anonymous Defacement (Fisher and Keller, 2011) Defense 07.2011 University of California O SEA Defacement (Warren and Leitch, 2016) website 23.07.2011 Anonymous social O SEA Data breach (Fisher and Keller, 2011) media named AnonPlus 29.08.2011 The Atlantic website M SEA Spamming and trolling (Fisher and Keller, 2011) 30.08.2011 Wrong Facebook O SEA Defacement (Fisher and Keller, 2011) profile of Columbia University 26.09.2011 Harvard University O SEA Defacement (Coughlan, 2011) website 02.2012 Syrian State TV Station G/M Opposition Infiltration of the text-message service network Addounia forces (Weiss, 2012) 28.02.2012 Qatar Foundation S SEA Account access and posting of false Twitter account information (Al-Rawi, 2014, p. 423) 02.2012 Al Jazeera English M SEA Defacement (Pattar, 2013) 04.2012 Al Arabyia Twitter M SEA Account access and posting of false account information (Pattar, 2013) 26.04.2012 LinkedIn blog website M SEA Defacement (Messieh, 2012) 07.2012 Al Jazeera Twitter M SEA Phishing to obtain login credentials, account posting of pro-government messages and false information (Pattar, 2013) 07.2012 Opposition force A SEA Data breach and leak of information members (Warren and Leitch, 2016). 07.2012 Syrian government G Anonymous Data breach and leak (Apps, 2012)

22 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Date Victim Type of Alleged Technique/Tool victim perpetrator 03.08.2012 Reuters website and M SEA Phishing to obtain login credentials, blog posting of pro-government messages and false information (Pattar, 2013) 05.08.2012 Reuters website, blog M SEA Phishing to obtain login credentials, and Twitter account posting of pro-government messages and false information (Pattar, 2013) 06.08.2012 A Russian official's S Opposition Account access and posting of false Twitter account forces information (Apps, 2012) 09.2012 Al Jazeera Arabic M SEA Phishing to obtain login credentials, posting of pro-government messages and false information (Pattar, 2013) 11.2012 Opposition forces A Unknown Start of phishing campaign using DarkComet RAT malware (Galperin and Marquis-Boire, 2012) 01.2013 Opposition forces A Unknown Phishing campaign disseminating a malicious link through a pro-opposition YouTube video (Scott-Railton and Marquis- Boire, 2013) 03.02.2013 Ministry of Transport S SEA Data breach (Bertram, 2017) of Israel 07.02.2013 Sky News Arabia M SEA Defacement (Bertram, 2017) 26.02.2013 Agence France-Presse M SEA Posting of false information (Bertram, Twitter account 2017) 01.03.2013 Qatar Foundation O SEA Posting of false information (Bertram, Twitter account 2017) 04.03.2013 France24 TV Twitter M SEA Phishing to obtain login credentials, account posting of pro-government messages and false information (Hopkins and Harding, 2013) 17.03.2013 Human Rights Watch O SEA Defacement and posting of false website and Twitter information (Bertram, 2017) account 21.03.2013 BBC Weather, BBC M SEA Phishing to obtain login credentials, Arabic and BBC Ulster posting of pro-government messages and Radio Twitter accounts false information (Tam, 2013) 03.2013 The Daily Telegraph M SEA Phishing to obtain login credentials, Twitter account posting of pro-government messages and false information (Taylor, 2013) 15.04.2013 US National Public M SEA Defacement, posting of false information Radio website and and data breach (Hopkins and Harding, Twitter account 2013) 20.04.2013 Gamerfood (software O SEA Defacement (Warren and Leitch, 2016) company) website 20.04.2013 CBS News Twitter M SEA Posting of false information (Bertram, account 2017) 22.04.2013 Sepp Blatter (former O SEA Phishing and posting of false information President of the (Hopkins and Harding, 2013) International Federation of Association Football) Twitter account 23.04.2013 Associated Press M SEA Phishing and posting of false information Twitter account (Harris, 2013)

23 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Date Victim Type of Alleged Technique/Tool victim perpetrator 29.04.2013 The Guardian M SEA Phishing to obtain login credentials, posting of pro-government messages and false information (Hopkins and Harding, 2013) 03.05.2013 Qatar Armed Forces S SEA Data breach (Bertram, 2017) 04.05.2013 E! Online Twitter M SEA Posting of false information (Bertram, account 2017) 06.05.2013 The Onion webpage M SEA Phishing and defacement (Kerr, 2013) and Twitter account 17.05.2013 Financial Times M SEA Phishing and defacement (Pattar, 2013) webpage and Twitter account 24.05.2013 ITV Twitter account M SEA Phishing to obtain login credentials, posting of pro-government messages and false information (Warren and Leitch, 2016) 25.05.2013 The Android app from M SEA The app was compromised and defaced Sky News (Warren and Leitch, 2016) 05.06.2013 Turkish government S SEA Data breach (Bertram, 2017) networks 18.06.2013 Syrian state-owned G/M JNEA Defacement (SecDev Foundation, 2013b) Addounia TV Channel website 06.2013 Opposition forces A Unknown The Freegate (VPN tool) software was repackaged to deliver the ShadowTech Trojan (Scott-Railton and Marquis-Boire, 2013) 16.07.2013 Truecaller O/A SEA Data breach (Geers and Alqartah, 2013) (international telephone directory) 19.07.2013 Reuters Twitter M SEA Posting of false information (Bertram, account 2017) 21.07.2013 Tango (video and text O/A SEA 1.5 terabytes of stolen data (Geers and messaging service) Alqartah, 2013) 23.07.2013 Daily Dot News M SEA Defacement (Bertram, 2017) website 24.07.2013 Viber (Telephone O/A SEA Phishing to obtain login credentials and services) data breach (Geers and Alqartah, 2013) 06.08.2013 Channel4 Blog M SEA Defacement (Bertram, 2017) 14.08.2013 Facebook page of an A ENDF Posting of malicious link (SecDev anti-government Foundation, 2013a) Syrian cleric 15.08.2013 Outbrain (advertising O SEA Spear phishing and defacement (Warren service) and Leitch, 2016) 20.08.2013 Facebook page of an A ENDF Defacement (SecDev Foundation, 2013a) anti-government group 21.08.2013 ShareThis website O SEA Defacement (Bertram, 2017) 24.08.2013 Facebook page of an A ENDF Defacement (SecDev Foundation, 2013a) anti-government group 27.08.2013 The New York Times M SEA Defacement by DNS hijacking (Harris, website 2013) 29-30.08.2013 The New York Times M SEA Defacement by DNS hijacking (Harris, website 2013)

24 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Date Victim Type of Alleged Technique/Tool victim perpetrator 29-30.08.2013 The Huffington Post M SEA Defacement by DNS hijacking (Manning British website and Grubb, 2013) 29-30.08.2013 The Twitter images M SEA Defacement by DNS hijacking (Harris, (Twimg.com) website 2013) 08.2013 SEA G Anonymous Data breach and leak of stolen information (Steier, 2013) 09.2013 Opposition forces A Unknown Infection campaign with njRAT through a Facebook page (Galperin et al., 2013) 02.09.2013 US Marine Corp S SEA Defacement (Harris, 2013) recruitment webpage 11.09.2013 Several Fox News M SEA Account access and posting of false Twitter accounts information (Bertram, 2017) 13.09.2013 Computer of a regional G JNEA Data breach (SecDev Foundation, 2013b) commander of the Syrian National Defense Forces 14.09.2013 Opposition forces A Unknown A malicious link on a pro-opposition Facebook page caused the njRAT malware to download (Galperin et al., 2013) 30.09.2013 The Global Post M SEA Posting of false information and deletion of website and Twitter website contents (Chuck, 2013) account 07.10.2013 NGO A Unknown, Phishing email containing a video with possibly Jabhat XtremeRAT malware (Galperin et al., 2013) al-Nusra 14.10.2013 Opposition forces A Unknown, Phishing email containing a message with possibly Jabhat XtremeRAT malware (Galperin et al., 2013) al-Nusra 21.10.2013 Qatar Domain Name O SEA Hack (Bertram, 2017) System 28.10.2013 Organization for Action O SEA Defacement redirecting towards Barack Gmail account Obama’s Facebook and Twitter accounts (Warren and Leitch, 2016) 09.11.2013 Vice webpage M SEA Phishing and defacement (Warren and Leitch, 2016) 12.11.2013 Matthew VanDyke (US M SEA Hack (Bertram, 2017) news reporter) Twitter account and email 15-18.11.2013 Anti-Shabiha (Alawite A SEA Defacement (Bertram, 2017) militia) website 29.11.2013 Time Magazine M SEA Defacement (Bertram, 2017) 11.2013 Opposition forces, A Unknown, Start of malware campaign using female media activists and possible links avatar on Skype to lure victims into humanitarian aid with Lebanon downloading malicious documents workers in Syrian (Regalado et al., 2015) 01.01.2014 Skype website, O SEA Phishing to obtain login credentials and Facebook and Twitter posting of false information (Warren and accounts Leitch, 2016) 11.01.2014 Xbox Twitter accounts O SEA Defacement (Warren and Leitch, 2016) 15.01.2014 15 Saudi government S SEA Hack (Bertram, 2017) websites 15.01.2014 A state-owned Saudi M SEA Hack (Bertram, 2017) magazine

25 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Date Victim Type of Alleged Technique/Tool victim perpetrator 22.01.2014 Microsoft Office blog O SEA Defacement (Warren and Leitch, 2016) website 23.01.2014 CNN Twitter account M SEA Defacement (Warren and Leitch, 2016) 03.02.2014 EBay website O SEA Hack (Warren and Leitch, 2016) 03.02.2014 PayPal website O SEA Hack (Warren and Leitch, 2016) 06.02.2014 Facebook website O SEA Defacement by DNS hijacking (Warren and Leitch, 2016) 14.02.2014 Forbes website M SEA Phishing to obtain login credentials and posting of false information (Warren and Leitch, 2016) 17.02.2014 Forbes employees and M SEA Data breach of about one million email users addresses and passwords from Forbes users and employees (Bertram, 2017) 11.03.2014 Opposition forces A Unknown The Psiphon software (censorship circumvention tool) was repackaged to stealthily deliver the njRAT malware (Scott- Railton, 2014) 12.03.2014 3 FC Barcelona Twitter O SEA Hack and defacement probably because of accounts the club’s ties to Qatar (Bertram, 2017) 14.03.2014 US Central Command S SEA Defacement (Rosenblatt, 2015) 26.04.2014 RSA Conference O SEA Defacement (Bertram, 2017) website 06.05.2014 The Wall Street Journal M SEA Defacement (Bertram, 2017) Twitter account 18.06.2014 The Sun webpage M SEA Hack (Warren and Leitch, 2016) 18.06.2014 The Sunday Times M SEA Hack (Warren and Leitch, 2016) webpage 22.06.2014 Reuters webpage M SEA Hack (Warren and Leitch, 2016) 30.06.2014 Israel Defense Forces S SEA Defacement (Bertram, 2017) blog website 04.07.2014 Israel Defense Forces S SEA Posting of false information (Bertram, Twitter account 2017) 02.10.2014 UNICEF Twitter O SEA Posting of false information (Bertram, account 2017) 27.11.2014 Gigya comment system M/O SEA Disruption to the proper functioning of hundreds of websites (Brinded, 2014) 11.2014 Citizen journalists M Allegedly ISIS Spear phishing and malware (Scott-Railton posting on the website and Hardy, 2014) Raqqah Is Being Slaughtered Silently 16.12.2014 International Business M SEA Hack and defacement (Gold, 2015) Times website 2015 Opposition forces A Syrian The Syrian government developed and Government used an internet surveillance tool using the malware Backdoor.breut (Zaluski, 2016) 01.2015 US Central Command S Cyber Caliphate Defacement (Coffey, 2015) YouTube and Twitter (ISIS) accounts 21.01.2015 Le Monde website M SEA DDoS (Warren and Leitch, 2016) 10.02.2015 International Business M Cyber Caliphate Defacement (Gold, 2015) Times website (ISIS)

26 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Date Victim Type of Alleged Technique/Tool victim perpetrator 10.02.2015 Newsweek Twitter M Cyber Caliphate Defacement and posting of false account and a (ISIS) information (Mosendz, 2015) subsidiary Newsweek Tumblr website 12.02.2015 Syrian Observatory for O SEA Defacement (Bertram, 2017) Human Rights Facebook page 30.03.2015 Endurance O SEA Hack (Bertram, 2017) International Group INC (a world-leading web hosting service) 13.04.2015 Australian airport O ISIS Defacement website 14.05.2015 Washington Post M SEA Defacement (Bertram, 2017) 08.06.2015 US Army website S SEA Defacement (Weise, 2015) 10.2015 Opposition forces A Group5, Spear phishing campaign to lure opposition possible links members into downloading malicious with Iran documents and visiting malicious websites (Scott-Railton et al., 2016) 08.11.2015 54’000 Twitter O Cyber Caliphate Posting of pro-ISIS messages, publication accounts (mostly based (ISIS) of account passwords and phone numbers in Saudi Arabia) of the directors of the US Central Intelligence Agency, the FBI and the US National Security Agency (Bhutia, 2015)

27 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

7 Annex 2

Table of cyberattacks detailing the actors, their targets, the types of attacks used, infection methods used and malware families used in the context of the Syrian conflict.

X = Targets or uses, - = Does not target or does not use, ? = possibly targets or possibly uses Targets Types of cyberattacks Delivery means Malware families

17

) forces ations

groups

drive,

groups

-

USB

states organiz

y y e.g.

part part

- - government government - - Syrian government Pro Anti Islamist groups Third Third Media Defacement DDoS RAT malware breach/Leak Data Watering hole Phishing/spear phishing Website vulnerabilities Others ( njRAT XtremeRAT BlackWorm DarkComet RAT Backdoor.breut Android malware families malware Other Propaganda and misinformation and Propaganda

Actors Syrian government - - X - - - - X - X X - X - - X X - - - X - - SEA - - X - X X X X X X X - - X X - X X - X - - - SMT - - X ------X ------X - - - - government -

ro EDNF - - X - - - - X X - - - X X ------p Pro-government - - X ------X ------X - X - groups and

Lebanese group Group5 - - X ------X - X X - - X - - - - X X Government sympathizers/ - - ? - - - - X ------? ------

Government patriotic hackers

FSA X X - - - - X ------

SCR X X ------HSR X ? ------X ------groups government - Anti-government X X - - - - - X ------Anti sympathizers/activists

ISIS/Cyber Caliphate - - X - X X - X X X - - - X X ------? Jabhat al-Nusra X X ? - - ? - - X - X X - X - - - X - - - - - Ahrar al-Sham X X X ? - - - - ? ------

Islamist groups Islamist sympathizers - - - - X - - X X - - - - - X ------

USA ?18 - - ? ------Russia - - X - - X - X - - X - - X ------X

Turkey ------Iran - - X ------X - - X ------X actors Israel ------

State Saudi ------United Arabic ------Emirates Qatar ------

- Anonymous X X - X X - - - X X - X ------X Non

aligned Oliver Tucket X ------X - - X - - ? ? ------

17 Includes the malware: NanoCore, ShadowTech RAT, BlackShades RAT (= Shades RAT) and the “beacon malware”. 18 USA considered using cyber capabilities against the Syrian regime (Sanger, 2014).

28 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

perceive to be enemies of their country (Denning, 2011, p. 178). 8 Glossary Phishing: Technique used to trick a message recipient into disclosing confidential information such as Backdoor: Part of a software code allowing hackers to login credentials by disguising messages to remotely access a computer without the user’s suggest that they originate from a legitimate knowledge (Ghernaouti-Hélie, 2013, p. 426). organization (Ghernaouti-Hélie, 2013, p. 437). Botnet: Network of infected computers which can be Remote Administration or Access Tool (RAT): Software accessed remotely and controlled centrally in granting remote access and control to a order to launch coordinated attacks (Ghernaouti- computer without having physical access to it. Hélie, 2013, p. 427). RAT can be legitimate software, but also Command and Control (C&C): A server through which malicious (Siciliano, 2015). the person controlling malware communicates Script kiddies: Attackers who use cybertools that have with it in order to send commands and retrieve been developed by more experienced and data (QinetiQ Ltd, 2014, p. 2). sophisticated hackers. Their main motive is to Data breach: Event in which information of a sensitive gain attention (PCtools, 2016). nature is stolen from a network without the Sender Policy Framework (SPF): Technical system users’ knowledge (TrendMicro, 2017). validating email senders as coming from an Digital gateway: A hardware device that enables traffic authenticated connection in order to prevent to flow in and out of two networks by connecting email spoofing (Openspf, 2010). them (TechTerms, 2015). Spamming: Messages, comments or posts sent in large Distributed Denial of Service (DDoS): Act of quantities via email or on social media overwhelming a system with a large number of (Ghernaouti-Hélie, 2013, p. 440). packets through the simultaneous use of infected Spear phishing: A sophisticated phishing technique that computers (Ghernaouti-Hélie, 2013, p. 431). not only imitates legitimate webpages, but also Domain Name Service (DNS): The address structure that selects potential targets and adapts malicious translates Internet Protocol addresses into a emails to them. Emails often look like they come string of letters that is easier to remember and from a colleague or a legitimate company use (Internet Corporation For Assigned Names (Ghernaouti-Hélie, 2013, p. 440). and Numbers, 2016). SQL Injection: A cyberattack technique in which Domain Name System (DNS) hijacking: A form of website malicious code is injected into an entry field for defacement also referred to as DNS redirection, execution and is executed by an SQL database where a malicious attacker obtains unauthorized (Microsoft, 2016). access to victims’ computers and changes their Trojan horse: Malware hidden in a legitimate program in DNS settings to another DNS server, which order to infect a system and hijack it (Ghernaouti- redirects victims to malicious websites (Srikanth, Hélie, 2013, p. 441). 2017). Troll: A person submitting provocative statements or Firewall: Software for controlling and possibly blocking articles to an internet discussion in order to incoming and outgoing traffic in and from a create discord and drag more people into it network or personal computer (PCmag, 2016a). (Williams, 2012). Hack: Act of entering a system without authorization Two-factor authentication: A login procedure that (Ghernaouti-Hélie, 2013, p. 433). involves two out of the following three elements: Hacktivism: Use of hacking techniques for political or something the user knows (e.g. password), social activism (Ghernaouti-Hélie, 2013, p. 433) something the user has (e.g. card), and Internet Protocol (IP) address: A numerical address something the user is (e.g. biometric) (Rosenblatt assigned to each device that uses the internet and Cipriani, 2015). communications protocol, allowing computers to Virtual Private Network (VPN): Private network within a communicate with one another (Internet public network that uses encryption to remain Corporation For Assigned Names and Numbers, private (PCmag, 2016b). 2016). Watering hole attacks: Attack where a legitimate Malware: Malicious software that can take the form of a website is injected with malicious code that virus, a worm or a Trojan horse (Collins and redirects users to a compromised website which McCombie, 2012, p. 81). infects users accessing it (TechTarget, 2015). Patriotic hacking: Sometimes also referred to as Website defacement: Cyberattack replacing website nationalistic hacking. A group of individuals pages or elements by other pages or elements originating from a specific state engage in (Ghernaouti-Hélie, 2013, p. 442). cyberattacks in defense against actors that they

29

The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

9 Abbreviations VPN Virtual Private Network

C&C Command and Control

DDoS Distributed Denial of Service

DNS Domain Name System

Electronic National Defense Forces (Pro- ENDF government group)

EU European Union

FBI US Federal Bureau of Investigation

Free Syrian Army (Anti-government FSA group) Hackers of the Syrian Revolution (Anti- HSR government group)

IP Internet Protocol

IRGC Islamic Revolutionary Guard Corps (Iran)

Islamic State of Iraq and the Levant ISIS (Islamist group) Jabhat al-Nusra Electronic Army (Islamist JNEA group)

NGO Non-Governmental Organization

RAT Remote Access/Administration Tool

The Supreme Council of the Revolution SCR (Anti-government group)

SCS Syrian Computer Society

The Supreme Council of the Syrian SCSR Revolution (Anti-government group) Syrian Electronic Army (Pro-government SEA group) Syrian Malware Team (Pro-government SMT group) The Syrian National Council (Anti- SNC government coalition)

SPF Sender Policy Framework

Syrian Telecommunications STE Establishment

UN United Nations

30 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

10 Bibliography Bennett-Smith, M., 2012. Anonymous Declares War On Syrian Government Websites In Retaliation For Ahmad, M. al-Makki, 2012. How I Hacked Assad’s E- Internet Blackout [WWW Document]. Mail [WWW Document]. Al-Monit. URL Huffington Post. URL http://www.al- http://www.huffingtonpost.com/2012/11/30/ monitor.com/pulse/politics/2012/09/how-i- anonymous-declares-war-syrian-government- hacked-assads-emails.html (accessed 17.3.17). websites_n_2218447.html (accessed 20.4.17). Al Jazeera, 2017. Syria’s Civil War Explained [WWW Berger, J.M., 2014. How ISIS Games Twitter [WWW Document]. Al Jazeera. URL Document]. The Atlantic. URL http://www.aljazeera.com/news/2016/05/syri https://www.theatlantic.com/international/ar a-civil-war-explained-160505084119966.html chive/2014/06/isis-iraq-twitter-social-media- (accessed 20.3.17). strategy/372856/ (accessed 18.4.17). Al-Rawi, A.K., 2014. Cyber warriors in the Middle East: Bertram, S.K., 2017. “Close enough” – The link between The case of the Syrian Electronic Army. Public the Syrian Electronic Army and the Bashar al- Relat. Rev. 40, 420–428. Assad regime, and implications for the future doi:10.1016/j.pubrev.2014.04.005 development of nation-state cyber counter- Apps, P., 2012. Syria Crisis: Cyber War And insurgency strategies. J. Terror. Res. 8, 2. Disinformation Growing In Conflict [WWW doi:10.15664/jtr.1294 Document]. Huffington Post. URL Bhutia, J., 2015. Isis “Cyber Caliphate” hacks more than http://www.huffingtonpost.com/2012/08/07/ 54,000 Twitter accounts [WWW Document]. syria-cyber-war_n_1750724.html (accessed Int. Bus. Times. URL 15.2.17). http://www.ibtimes.co.uk/isis-cyber- Associated Press, 2011. Syria nuclear weapons site caliphate-hacks-more-54000-twitter-accounts- revealed by UN investigators [WWW 1527821 (accessed 20.3.17). Document]. The Guardian. URL Blight, G., Pulham, S., Torpey, P., 2012. Arab spring: an https://www.theguardian.com/world/2011/n interactive timeline of Middle East protests ov/01/syria-nuclear-arms-site-revealed [WWW Document]. The Guardian. URL (accessed 24.2.17). https://www.theguardian.com/world/interacti BBC News, 2017a. Syria profile - Timeline [WWW ve/2011/mar/22/middle-east-protest- Document]. BBC News. URL interactive-timeline (accessed 24.2.17). http://www.bbc.com/news/world-middle- Booth, R., Mahmood, M., Harding, L., 2012. Exclusive: east-14703995 (accessed 8.2.17). secret Assad emails lift lid on life of leader’s BBC News, 2017b. Turkey “ends” Euphrates Shield inner circle [WWW Document]. The Guardian. campaign in Syria [WWW Document]. BBC URL News. URL http://www.bbc.com/news/world- https://www.theguardian.com/world/2012/m middle-east-39439593 (accessed 31.3.17). ar/14/assad-emails-lift-lid-inner-circle BBC News, 2017c. Syria peace talks: Sides fail to meet (accessed 17.3.17). on first day in Geneva [WWW Document]. BBC Bouckaert, P., 2013. Dispatches: Yes, it was Sarin, UN News. URL http://www.bbc.com/news/world- Report Says. Now What? [WWW Document]. middle-east-39037609 (accessed 2.3.17). Hum. Rights Watch. URL BBC News, 2016. Syria: The story of the conflict [WWW https://www.hrw.org/news/2013/09/16/dispa Document]. BBC News. URL tches-yes-it-was-sarin-un-report-says-now- http://www.bbc.com/news/world-middle- what (accessed 24.2.17). east-26116868 (accessed 24.2.17). Bowcott, O., 2017. Social media firms must face heavy BBC News, 2015. Turkey’s downing of Russian warplane fines over extremist content – MPs [WWW - what we know [WWW Document]. BBC Document]. The Guardian. URL News. URL http://www.bbc.com/news/world- https://www.theguardian.com/media/2017/m middle-east-34912581 (accessed 4.10.17). ay/01/social-media-firms-should-be-fined-for- BBC News, 2013. Guide to the Syrian rebels [WWW extremist-content-say-mps-google-youtube- Document]. BBC News. URL facebook (accessed 3.5.17). http://www.bbc.com/news/world-middle- Brinded, L., 2014. Syrian Electronic Army Causes east-24403003 (accessed 22.3.17). Internet Chaos By Shutting Down Media BBC News, 2012. UN envoy calls for transitional Outlets via Gigya Platform Hack [WWW government in Syria [WWW Document]. BBC Document]. Int. Bus. Times. URL News. URL http://www.bbc.com/news/world- http://www.ibtimes.co.uk/syrian-electronic- middle-east-18650775 (accessed 24.2.17). army-causes-internet-chaos-by-shutting- down-media-outlets-1476948 (accessed 6.3.17).

31 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Calpito, D., 2015. Anonymous’ Total War On ISIS More Gady, F.-S., 2013a. Syria: Preparing for the Cyber Threat Harmful Than Helpful, Warns Experts [WWW [WWW Document]. Natl. Interest. URL Document]. Tech Times. URL http://nationalinterest.org/commentary/syria- http://www.techtimes.com/articles/109489/2 preparing-the-cyber-threat-8997 (accessed 0151124/anonymous-total-war-on-isis-more- 9.3.17). harmful-than-helpful-warns-experts.htm Gady, F.-S., 2013b. What Would Cyber-War With Syria (accessed 20.4.17). Look Like? [WWW Document]. US News. URL Chuck, E., 2013. GlobalPost hacked by Syrian Electronic https://www.usnews.com/opinion/blogs/worl Army [WWW Document]. NBC News. URL d-report/2013/09/13/what-the-spanish-civil- http://www.nbcnews.com/news/other/global war-tells-us-about-syria-and-cyber-attacks post-hacked-syrian-electronic-army- (accessed 9.3.17). f8C11320008 (accessed 6.3.17). Gallagher, S., 2013. Network Solutions seizes over 700 Chulov, M., 2012. Syria shuts off internet access across domains registered to Syrians [WWW the country [WWW Document]. The Guardian. Document]. Ars Tech. URL URL https://arstechnica.com/tech- https://www.theguardian.com/world/2012/n policy/2013/05/network-solutions-seized- ov/29/syria-blocks-internet (accessed over-700-domains-registered-to-syrians/ 24.2.17). (accessed 3.4.17). Cimpanu, C., 2016. Syrian Electronic Army Hacker Galperin, E., Marquis-Boire, M., 2012. The Internet is Pleads Guilty to Online Extortion Charges Back in Syria and So is Malware Targeting [WWW Document]. Softpedia. URL Syrian Activists [WWW Document]. Electron. http://news.softpedia.com/news/syrian- Front. Found. URL electronic-army-hacker-pleads-guilty-to- https://www.eff.org/deeplinks/2012/12/iinter online-extortion-charges-508804.shtml net-back-in-syria-so-is-malware (accessed (accessed 13.2.17). 21.2.17). Clarke, C.P., 2016. Al Nusra Is Stronger Than Ever Galperin, E., Marquis-Boire, M., Scott-Railton, J., 2013. [WWW Document]. RAND Corp. URL Quantum of Surveillance: Familiar Actors and http://www.rand.org/blog/2016/11/al-nusra- Possible False Flags in Syrian Malware is-stronger-than-ever.html (accessed 19.4.17). Campaigns. Electronic Frontier Foundation. Coffey, L., 2015. Syria’s online battlefield [WWW Geers, K., Alqartah, A., 2013. Syrian Electronic Army Document]. Al Jazeera. URL Hacks Major Communications Websites http://www.aljazeera.com/indepth/opinion/2 [WWW Document]. FireEye. URL 015/06/syria-online-battlefield- https://www.fireeye.com/blog/threat- 150617072048625.html (accessed 13.2.17). research/2013/07/syrian-electronic-army- Collins, S., McCombie, S., 2012. Stuxnet: the emergence hacks-major-communications-websites.html of a new cyber weapon and its implications. J. (accessed 21.2.17). Polic. Intell. Count. Terror. 7, 80–91. Ghernaouti-Hélie, S., 2013. Cyberpower: crime, conflict doi:10.1080/18335330.2012.653198 and security in cyberspace, 1. ed. ed, Forensic Coughlan, S., 2011. Harvard website hacked by Syria sciences. EPFL Press, Lausanne. protesters [WWW Document]. BBC News. URL Gold, H., 2015. Newsweek’s Twitter account hacked http://www.bbc.com/news/education- [WWW Document]. PoliticoMagazine. URL 15061377 (accessed 13.2.17). http://www.politico.com/blogs/media/2015/0 Deegan, A., Khalid, Y., Kingue, M., Taboada, A., 2017. 2/newsweeks-twitter-account-hacked-202380 Cyber-ia: The Ethical Considerations Behind (accessed 16.2.17). Syria’s Cyber-War. Small Wars J. Graham-Harrison, E., 2017. Assad says Syria chemical Denning, D.E., 2011. Cyber Conflict as an Emergent attack that killed dozens is “fabrication” Social Phenomenon, in: Corporate Hacking and [WWW Document]. The Guardian. URL Technology-Driven Crime: Social Dynamics and https://www.theguardian.com/world/2017/ap Implications. Holt and Schell, pp. 170–186. r/13/assad-says-syria-chemical-attack-khan- Duggan, P.M., 2015. Strategic Development of Special sheikhun-fabrication (accessed 18.4.17). Warfare in Cyberspace. Jt. Force Q. 79, 46–53. Graham-Harrison, E., 2015. Could Isis’s “cyber Fisher, M., Keller, J., 2011. Syria’s Digital Counter- caliphate” unleash a deadly attack on key Revolutionaries [WWW Document]. The targets? [WWW Document]. The Guardian. Atlantic. URL URL https://www.theatlantic.com/international/ar https://www.theguardian.com/world/2015/ap chive/2011/08/syrias-digital-counter- r/12/isis-cyber-caliphate-hacking-technology- revolutionaries/244382/ (accessed 8.2.17). arms-race (accessed 13.4.17).

32 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Grohe, E., 2015. The Cyber Dimensions of the Syrian account-hacked-by-syrian-electronic-army/ Civil War: Implications for Future Conflict. (accessed 16.2.17). Comp. Strategy 34, 133–148. Khalek, R., 2016. U.S. and EU sanctions are punishing doi:10.1080/01495933.2015.1017342 ordinary Syrians and crippling aid work, U.N. Gurcan, M., 2016. Is the Islamic State planning a cyber- Report reveals [WWW Document]. The caliphate? [WWW Document]. Al-Monit. URL Intercept. URL http://www.al- https://theintercept.com/2016/09/28/u-s- monitor.com/pulse/originals/2016/07/turkey- sanctions-are-punishing-ordinary-syrians-and- syria-isis-cyber-space-turkish-content.html crippling-aid-work-u-n-report-reveals/ (accessed 4.4.17). (accessed 2.5.17). Haid, H., 2016. How Syrians View Nusra’s Split from al- Klion, D., 2016. The US-Russia discord will be an ugly Qaeda [WWW Document]. Atl. Counc. URL fact for the next President [WWW Document]. http://www.atlanticcouncil.org/blogs/syriasou The Guardian. URL rce/how-syrians-view-nusra-s-split-from-al- https://www.theguardian.com/commentisfree qaeda (accessed 19.4.17). /2016/oct/09/us-russia-discord-weight-on- Hamill, J., 2014. Anonymous Hacktivists Prepare For the-next-president-hacking-dnc-election Strike Against ISIS “Supporters” [WWW (accessed 24.10.16). Document]. Forbes. URL Kobrak, M., 2017. Syrian electronic army highly likely https://www.forbes.com/sites/jasperhamill/2 disbanded in 2016 [WWW Document]. Intell. 014/06/27/anonymous-hacktivists-prepare- Obs. URL for-strike-against-isis- https://intelligenceobserver.com/2017/02/26/ supporters/#34af16bb3d7e (accessed syrian-electronic-army-highly-likely- 20.4.17). disbanded-in-2016/ (accessed 3.4.17). Harris, S., 2013. How did the Syrian Electronic Army Lee, B., 2016. The Impact of Cyber Capabilities in the suddenly get so good? [WWW Document]. Syrian Civil War. Small Wars J. Syd. Morning Her. URL Liu, Y., 2017. Backdoor.Breut [WWW Document]. http://www.smh.com.au/it-pro/security- Symantec Secur. Response. URL it/how-did-the-syrian-electronic-army- https://www.symantec.com/security_respons suddenly-get-so-good-20130905-hv1m8.html e/writeup.jsp?docid=2012-021012-3004-99 (accessed 13.2.17). (accessed 25.4.17). Hopkins, N., Harding, L., 2013. Pro-Assad Syrian hackers Luhn, A., 2016. Russian media could almost be covering launching cyber-attacks on western media a different war in Syria [WWW Document]. [WWW Document]. The Guardian. URL The Guardian. URL https://www.theguardian.com/world/2013/ap https://www.theguardian.com/world/2016/oc r/29/assad-syrian-hackers-cyber-attacks t/03/russia-media-coverage-syria-war- (accessed 3.3.17). selective-defensive-kremlin (accessed 2.5.17). Internet Corporation For Assigned Names and Lund, A., 2015. Who Are the Pro-Assad Militias? [WWW Numbers, 2016. Glossary [WWW Document]. Document]. Carnegie Middle East Cent. URL ICANN. URL http://carnegie-mec.org/diwan/59215 https://www.icann.org/resources/pages/gloss (accessed 24.3.17). ary-2014-02-03-en#i (accessed 4.11.16). Manning, J.W., Grubb, B., 2013. New York Times hack Jones, S., 2016. Russia steps up Syria cyber assault linked to Australian internet company, Syrian [WWW Document]. Financ. Times. URL Electronic Army fingered [WWW Document]. https://www.ft.com/content/1e97a43e-d726- Syd. Morning Her. URL 11e5-829b-8564e7528e54 (accessed 2.5.17). http://www.smh.com.au/it-pro/security- Kaspersky Lab, 2014. Syrian Malware, the ever-evolving it/new-york-times-hack-linked-to-australian- threat (No. 1.0). Kaspersky Lab HQ. internet-company-syrian-electronic-army- Kenig, R., 2013. How Much Can a DDoS Attack Cost fingered-20130827-hv1jc (accessed 13.2.17). Your Business? [WWW Document]. Radware McElroy, D., Vahdat, A., 2013. Iranian cyber warfare Blog. URL commander shot dead in suspected https://blog.radware.com/security/2013/05/h assassination [WWW Document]. The ow-much-can-a-ddos-attack-cost-your- Telegraph. URL business/ (accessed 23.1.17). http://www.telegraph.co.uk/news/worldnews Kerr, D., 2013. Onion’s Twitter account hacked by /middleeast/iran/10350285/Iranian-cyber- Syrian Electronic Army [WWW Document]. warfare-commander-shot-dead-in-suspected- CNet. URL assassination.html (accessed 9.3.17). https://www.cnet.com/news/onions-twitter- Messieh, N., 2012. Hackers take down official LinkedIn blog for “spreading lies about Syria” [WWW

33 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Document]. Web. URL http://thesigers.com/analysis/2013/7/29/cybe https://thenextweb.com/me/2012/04/26/hac r-attacks-in-the-middle-east.html (accessed kers-take-down-official-linkedin-blog-for- 13.2.17). spreading-lies-about-syria/ (accessed 13.2.17). Paul, C., Matthews, M., 2016. The Russian “Firehose of Microsoft, 2016. SQL Injection [WWW Document]. Falsehood” Propaganda Model: Why It Might Microsoft TechNet. URL Work and Options to Counter It (No. PE-198- https://technet.microsoft.com/en- OSD), Perspectives. RAND Corporation, Santa us/library/ms161953(v=SQL.105).aspx Monica, CA. (accessed 29.11.16). Payet, L., 2014. NanoCore: Another RAT tries to make it Mosendz, P., 2015. Newsweek Twitter Account Hacked out of the gutter [WWW Document]. By Group Claiming ISIS Affiliation [WWW Symantec Secur. Response. URL Document]. Newsweek. URL https://www.symantec.com/connect/blogs/na http://europe.newsweek.com/newsweek- nocore-another-rat-tries-make-it-out-gutter twitter-account-hacked-isis-affiliated-group- (accessed 25.4.17). 305897?rm=eu (accessed 6.3.17). PCmag, 2016a. Definition of: firewall [WWW Murgia, M., 2015. Could cyberattack on Turkey be a Document]. PCmag. URL Russian retaliation? [WWW Document]. The http://www.pcmag.com/encyclopedia/term/4 Telegraph. URL 3218/firewall (accessed 25.4.17). http://www.telegraph.co.uk/technology/inter PCmag, 2016b. Definition of: virtual private network net-security/12057478/Could-cyberattack-on- [WWW Document]. PCmag. URL Turkey-be-a-Russian-retaliation.html http://www.pcmag.com/encyclopedia/term/5 (accessed 4.10.17). 3942/virtual-private-network (accessed New Jersey Cybersecurity & Communications 25.4.17). Integration Cell, 2017. NJRat [WWW PCtools, 2016. What is a Script Kiddie? [WWW Document]. NJ Cybersecurity. URL Document]. PCtools Symantec. URL https://www.cyber.nj.gov/threat- http://www.pctools.com/security- profiles/trojan-variants/njrat (accessed news/script-kiddie/ (accessed 20.3.17). 25.4.17). Peterson, A., 2013. Here’s how one hacker is waging New Jersey Cybersecurity & Communications war on the Syrian government [WWW Integration Cell, 2016. DarkComet [WWW Document]. Wash. Post. URL Document]. NJ Cybersecurity. URL https://www.washingtonpost.com/news/the- https://www.cyber.nj.gov/threat- switch/wp/2013/08/28/heres-how-one- profiles/trojan- hacker-is-waging-war-on-the-syrian- variants/darkcomet?rq=darkcomet (accessed government/?utm_term=.01464aa473c7 25.4.17). (accessed 20.4.17). Noman, H., 2011. The Emergence of Open and QinetiQ Ltd, 2014. Command & Control: Organized Pro-Government Cyber Attacks in Understanding, denying, detecting. QinetiQ the Middle East: The Case of the Syrian Ltd. Electronic Army [WWW Document]. OpenNet Regalado, D., Villeneuve, N., Scott-Railton, J., 2015. Initiat. URL https://opennet.net/emergence- Behind the Syrian conflict’s digital front lines, open-and-organized-pro-government-cyber- Special Report. FireEye Inc., Milpitas, CA. attacks-middle-east-case-syrian-electronic- Reuters, 2017. Russia and China veto UN resolution to army (accessed 14.2.17). impose sanctions on Syria [WWW Document]. NSFocus Inc., 2016. Distributed Denial-of-Service The Guardian. URL (DDoS) Attacks: An Economic Perspective https://www.theguardian.com/world/2017/m (Whitepaper). NSFocus Inc., Santa Clara, CA. ar/01/russia-and-china-veto-un-resolution-to- OpenNet Initiative, InfoWar Monitor, 2011. Syrian impose-sanctions-on-syria (accessed 31.3.17). Electronic Army: Disruptive Attacks and Hyped Reuters, 2016. Russia Withdraws Backing for Targets [WWW Document]. OpenNet Initiat. International Criminal Court Treaty [WWW URL https://opennet.net/syrian-electronic- Document]. N. Y. Times. URL army-disruptive-attacks-and-hyped-targets http://www.nytimes.com/reuters/2016/11/16 (accessed 14.2.17). /world/europe/16reuters-russia-icc- Openspf, 2010. Sender Policy Framework [WWW withdrawal.html?ref=world&_r=0 (accessed Document]. Send. Policy Framew. URL 22.11.16). http://www.openspf.org/Introduction Rosenblatt, S., 2015. US military social-media accounts (accessed 3.1.17). hacked [WWW Document]. CNet. URL Pattar, T., 2013. Cyber attacks in the Middle East https://www.cnet.com/news/us-military- [WWW Document]. Thesigers. URL

34 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

social-media-accounts-hit-with-hacking- https://securingtomorrow.mcafee.com/consu attack/ (accessed 16.2.17). mer/identity-protection/what-is-rat/ Rosenblatt, S., Cipriani, J., 2015. Two-factor (accessed 4.11.16). authentication: What you need to know (FAQ) Srikanth, R., 2017. DNS Hijacking: What is it and How it [WWW Document]. CNet. URL Works [WWW Document]. GoHacking. URL https://www.cnet.com/news/two-factor- https://www.gohacking.com/dns-hijacking/ authentication-what-you-need-to-know-faq/ (accessed 2.3.17). (accessed 14.12.16). Stanford University, 2017. Ahrar al-Sham [WWW Ruhfus, J., 2015. Syria’s Electronic Armies [WWW Document]. Stanf. Univ. URL Document]. Al Jazeera. URL http://web.stanford.edu/group/mappingmilita http://www.aljazeera.com/programmes/peopl nts/cgi-bin/groups/view/523 (accessed eandpower/2015/06/syria-electronic-armies- 23.3.17). 150617151503360.html (accessed 13.2.17). Steier, H., 2013. Wie die Syrian Electronic Army angriff Sanger, D.E., 2014. Syria War Stirs New U.S. Debate on [WWW Document]. Neue Zür. Ztg. URL Cyberattacks [WWW Document]. N. Y. Times. https://www.nzz.ch/digital/syrian-electronic- URL army-sea-twitter-new-york-times-1.18140391 https://www.nytimes.com/2014/02/25/world (accessed 13.2.17). /middleeast/obama-worried-about-effects-of- Syrian Network for Human Rights, 2013. Syrian security waging-cyberwar-in-syria.html (accessed branches and Persons in charge. Syrian 15.2.17). Network For Human Rights. Scott-Railton, J., 2014. Maliciously Repackaged Psiphon Tam, D., 2013. “Syrian Electronic Army” hacks a BBC Found [WWW Document]. Citiz. Lab. URL Twitter account [WWW Document]. CNet. URL https://citizenlab.org/2014/03/maliciously- https://www.cnet.com/news/syrian- repackaged-psiphon/ (accessed 21.2.17). electronic-army-hacks-a-bbc-twitter-account/ Scott-Railton, J., Abdulrazzak, B., Hulcoop, A., Brooks, (accessed 13.2.17). M., Kleemola, K., 2016. Group5: Syria and the Taylor, A., 2013. Syrian Hackers Take Over Daily Iranian Connection [WWW Document]. Citiz. Telegraph Twitter Accounts [WWW Lab. URL Document]. Bus. Insid. URL https://citizenlab.org/2016/08/group5-syria/ http://www.businessinsider.com/telegraph- (accessed 14.2.17). twitter-hacked-by-sea-2013-5?IR=T (accessed Scott-Railton, J., Hardy, S., 2014. Malware Attack 6.3.17). Targeting Syrian ISIS Critics [WWW TechTarget, 2015. watering hole attack [WWW Document]. Citiz. Lab. URL Document]. TechTarget. URL https://citizenlab.org/2014/12/malware- http://searchsecurity.techtarget.com/definitio attack-targeting-syrian-isis-critics/ (accessed n/watering-hole-attack (accessed 29.11.16). 20.2.17). TechTerms, 2015. Gateway [WWW Document]. Scott-Railton, J., Marquis-Boire, M., 2013. A Call to TechTerms. URL Harm: New Malware Attacks Target the Syrian https://techterms.com/definition/gateway Opposition [WWW Document]. Citiz. Lab. URL (accessed 2.5.17). https://citizenlab.org/2013/06/a-call-to-harm/ TrendMicro, 2017. Definition [WWW Document]. (accessed 21.2.17). TrendMicro. URL SecDev Foundation, 2013a. Flash Note Syria: Syria’s http://www.trendmicro.com/vinfo/us/security National Defence Forces Take The Battle to /definition/data-breach (accessed 17.1.17). Cyberspace. Villeneuve, N., Bennett, J.T., 2014. XtremeRAT: SecDev Foundation, 2013b. Flash Note Syria: Syrian Nuisance or Threat? [WWW Document]. Hacker Wars. FireEye. URL Shaheen, K., Torpey, P., Gutièrrez, P., Levett, C., 2015. https://www.fireeye.com/blog/threat- Who backs whom in the Syrian conflict [WWW research/2014/02/xtremerat-nuisance-or- Document]. The Guardian. URL threat.html (accessed 25.4.17). https://www.theguardian.com/world/ng- Walker, S., Shaheen, K., Chulov, M., Wintour, P., 2016. interactive/2015/oct/09/who-backs-whom-in- Russian ambassador to Turkey shot dead by the-syrian-conflict (accessed 20.3.17). police officer in Ankara gallery [WWW Siboni, G., Cohen, D., Koren, T., 2015. The Islamic Document]. The Guardian. URL State’s Strategy in Cyberspace. Mil. Strateg. https://www.theguardian.com/world/2016/de Aff. 7, 127–144. c/19/russian-ambassador-to-turkey-wounded- Siciliano, R., 2015. What is a Remote Administration in-ankara-shooting-attack (accessed 31.3.17). Tool (RAT)? [WWW Document]. McAfee Blog. Warren, M., Leitch, S., 2016. The Syrian Electronic Army URL – a hacktivist group. J. Inf. Commun. Ethics

35 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

Soc. 14, 200–212. doi:10.1108/JICES-12-2015- isis-terror-has-gone-social-infographic/ 0042 (accessed 18.4.17). Weise, E., 2015. U.S. Army website hacked, Syrian group claims credit [WWW Document]. USA Today. URL http://www.usatoday.com/story/tech/2015/0 6/08/us-army-website-wwwarmymil-syrian- electronic-army-hack/28703173/ (accessed 6.3.17). Weiss, M., 2012. Syrian Opposition Targets the Regime Online [WWW Document]. Wash. Inst. URL http://www.washingtoninstitute.org/policy- analysis/view/syrian-opposition-targets-the- regime-online (accessed 20.3.17). Wilhoit, K., Haq, T., 2014. Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks [WWW Document]. FireEye. URL https://www.fireeye.com/blog/threat- research/2014/08/connecting-the-dots-syrian- malware-team-uses-blackworm-for- attacks.html (accessed 21.2.17). Williams, L., 2011. Syria to set Facebook status to unbanned in gesture to people [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2011/fe b/08/syria-facebook-unbanned-people (accessed 24.2.17). Wintour, P., Walker, S., 2016. Vladimir Putin orders Russian forces to begin withdrawal from Syria [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2016/m ar/14/vladimir-putin-orders-withdrawal- russian-troops-syria (accessed 31.3.17). World Nuclear News, 2016. Russia withdraws from US nuclear cooperation [WWW Document]. World Nucl. News. URL http://www.world- nuclear-news.org/NP-Russia-withdraws-from- US-nuclear-cooperation-07101601.html (accessed 29.11.16). Wroughton, L., Winning, A., 2016. Syria talks in Lausanne end without breakthrough [WWW Document]. Reuters. URL http://www.reuters.com/article/us-mideast- crisis-syria-talks-idUSKBN12E2GQ (accessed 31.3.17). Zaluski, R., 2016. Syria’s Cyberwar [WWW Document]. Cent. Strateg. Cyberspace Secur. Sci. URL http://cscss.org/CS/2016/08/20/syrias- cyberwar/ (accessed 16.2.17). Zelin, A.Y., Lister, C., 2013. The crowning of the Syrian Islamic Front [WWW Document]. Foreign Policy. URL http://foreignpolicy.com/2013/06/24/the- crowning-of-the-syrian-islamic-front/ (accessed 23.3.17). ZeroFOX Team, 2015. ISIS: Terror Has Gone Social [WWW Document]. ZeroFOX. URL https://www.zerofox.com/blog/islamic-state-

36 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

37 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

38 The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

39 The Center for Security Studies (CSS) at ETH Zurich is a center of competence for Swiss and international security policy. It offers security policy expertise in research, teaching and consulting. The CSS promotes understanding of security policy challenges as a contribution to a more peaceful world. Its work is independent, practice-relevant, and based on a sound academic footing.