Cyberattack on Rights Group Likely Linked to Islamic State

A Canadian malware research team thinks the so-called Islamic State has conducted a cyberattack against a group documenting atrocities in Syria.

The so-called Islamic State (IS) group has displayed prowess on the battlefield, sophistication in its propaganda and savvy use of social media and, according to a recent report, there is “plausible” reason to believe the militant group may be branching into cyber warfare.

In late November, the group Raqqa Is Being Slaughtered Silently (RSS), which monitors human rights abuses by IS in the Syrian city of Ar-Raqqah, received an email from someone purporting to be representing a group of Syrians in Canada.

“Thank you for your efforts to deliver a true picture of the reality of life in Raqqah,” read the email, which was in Arabic. “As Syrians residing in Canada we are working with media because we believe in the importance of shedding light on the realities of life in Syria, and Raqqah in particular.”

The email contained a link to malware that “profiled the victim’s computer and beaconed its IP address to an e-mail account under the attacker’s control,” according to Citizen Lab, which has experience with Syrian malware groups.

While the cyberfront has been active throughout the Syrian conflict, mostly by the Bashar al-Assad regime, the malware attack on RSS was different in that it contained no Remote Access Trojan (RAT) functionality, meaning the goal was not to take over the target’s computer. RAT attacks have been the most common in the Syrian conflict.

“We think, based on our expertise, that we’re looking at a different and potentially new actor in the Syrian conflict,” said John Scott-Railton, a research fellow with the Citizen Lab, which is based at the University of Toronto's Munk School of Global Affairs. He is the co-author of the report about the malware.

“Our speculation is that it was about locating the target,” he said.

RSS would make a likely target, as the group has secretly leaked information about atrocities in the IS stronghold, puncturing the image of an idealized caliphate portrayed by IS through its propaganda.

According to Scott-Railton, the attack was not technically sophisticated, but showed “good” sophistication in its targeting.

He said the email was written in a way to try to gain the trust of the target, something he said is hard to do with these kinds of phishing attacks.

“They don’t get the tone right. It’s too urgent,” he said.

The report added that this kind of attack “would be especially useful to an adversary unsure of whether it can maintain uninterrupted Internet connectivity.”

It’s likely this will not be the only attempt.

“The entry costs for engaging in malware attacks in a conflict like the Syrian civil war are low, and made lower by the fact that the rule of law is non-existent for large parts of the country. In still other parts (under regime control), malware attacks appear to be state sanctioned,” wrote Scott-Railton and his co-author Seth Hardy in the report.

Luckily, RSS members did not click on the link and instead, the email made its way to Cyber-Arabs, a group that provides digital security training and resources to activists and journalists in the Middle East and North African region. They, in turn, enlisted the assistance of Citizen Lab.

RSS did not respond to questions on Twitter about what made them suspicious of the email.

While it’s not clear if this was the first salvo fired by IS on the cyberfront, Bahaa Nasr, a member of Cyber-Arabs, says online attacks play a very important role in the ongoing conflict.

While the perpetrators of this attack will likely never be identified with 100 percent certainty, there is no doubt that IS wants to control every aspect of life in the area it rules, including online.

According to Nasr, IS uses checkpoints to snoop through people’s cell phones and computers.

“People who get arrested or held up at checkpoints are forced to give up their passwords, to provide access to their computers and mobile phones and accounts,” he wrote. “We had many reports of IS looking at people’s Facebook accounts to see what they think and who their contacts are.”

And it’s not just IS. The al-Qaida affiliated militant group Jabhat al-Nusra does the same, wrote Nasr.

“People need to be really careful not to carry too much information with them when they move around,” he wrote. “On the other hand, sometimes people are lucky and can trick them with their own means.

“One female activist put a picture of herself without hijab as wallpaper picture on her phone – and when the Islamists wanted to look at her phone, she said, ‘this is a private picture, haram, you cannot look at it’ – and they left her alone.”

There is some evidence IS could become more sophisticated in its attacks, as the group may have some experts among its ranks.

A British hacker, Junaid Hussain, who famously stole former British prime minister Tony Blair’s address book in 2012 is believed to have travelled to Syria to join IS.

While RSS appears to have avoided this malware, Scott-Railton warns that activist groups remain vulnerable.

“They’re targeted by threat actors that bring them extreme danger: mortal, physical danger,” he said. “Yet [activist groups] are comprehensively under-resourced to counter this.”

Even officials in the U.S. government have warned about the potential cyber threat from groups like IS.

In September, National Security Agency Director Michael Rogers said the U.S. should strengthen its defenses against a possible cyber attack by terrorists.

“It’s something I’m watching,” he said at a cybersecurity conference in Washington, D.C. “We need to assume that there will be a cyber dimension increasingly in almost any scenario that we’re dealing with. Counterterrorism is no different.”

However, a former counterterrorism official with the U.S. Department of Defense told that IS was “not there yet” in terms of being able to launch an attack on U.S. infrastructure.