Zürich, October 2017

Version 1

Risk and Resilience Team
Center for Security Studies (CSS), ETH Zürich

Hotspot Analysis

The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict

CSS CYBER DEFENSE PROJECT


Authors: Marie Baezner, Patrice Robin

© 2017 Center for Security Studies (CSS), ETH Zürich

Contact: Center for Security Studies, Haldeneggsteig 4, ETH Zürich, CH-8092 Zürich, Switzerland, Tel.: +41-44-632 40 25, [email protected], www.css.ethz.ch

Analysis prepared by: Center for Security Studies (CSS), ETH Zürich

ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group; Myriam Dunn Cavelty, Deputy Head for Research and Teaching; Andreas Wenger, Director of the CSS

Disclaimer: The opinions presented in this study exclusively reflect the authors’ views.

Please cite as: Baezner, Marie; Robin, Patrice (2017): Hotspot Analysis: The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict, October 2017, Center for Security Studies (CSS), ETH Zürich.


Table of Contents

1 Introduction
2 Background and chronology
3 Description
  3.1 Attribution and actors
      Pro-government groups
      Anti-government groups
      Islamist groups
      State actors
      Non-aligned groups
  3.2 Targets
  3.3 Tools and techniques
      Data breaches
      Website defacement
      DDoS
      Malware
4 Effects
  4.1 Social effects
  4.2 Economic effects
  4.3 Technological effects
  4.4 International effects
5 Policy Consequences
  5.1 Raising awareness of propaganda and radicalization online
  5.2 Incentivizing social media to better control content
  5.3 Improving cybersecurity
  5.4 Monitoring the evolution of the conflict
6 Annex 1
7 Annex 2
8 Glossary
9 Abbreviations
10 Bibliography


Syria attracted considerable international attention during the Arab Spring, when the government violently repressed protests. The demonstrations escalated into a civil war, which was simultaneously conducted in cyberspace. Pro-government, anti-government and Islamist groups fight each other online using cybertools such as website defacement, Distributed Denial of Service attacks and malware.

This report examines cyber activities in the context of the Syrian civil war. It also studies the impacts of cyberattacks on Syrian society, the economy, technology and at the international level.

The aim of this hotspot analysis is to develop a better understanding of the possible mechanisms of the use of cybertools in the context of conflicts. The goal is also to understand how victims handled and responded to attacks in order to learn from their experiences and be able to prepare for similar situations.

1 Technical terms written in italic are explained in a glossary in Section 8 at the end of the document.

Description

During the Arab Spring, Syrian dissidents saw an opportunity to claim more freedom. However, unlike in Tunisia and Egypt, their protests did not achieve the overthrow of the Syrian President Bashar al-Assad, but instead resulted in civil war. The various groups of actors involved in the war have used cyberspace not only to promote their ideologies, but also to target their enemies or enemies’ associates and partners with website defacement, Distributed Denial of Service attacks and spying malware delivered via spear phishing emails.

Effects

Effects of cyber activities conducted in the context of the Syrian civil war have been observed at both the domestic Syrian level and at the international level. The effects on Syrian society were marked by propaganda campaigns on social media and a blurring of the distinction between combatants and non-combatants. Economic effects were felt through the direct and indirect costs of Distributed Denial of Service attacks and website defacements, but also due to the drop in the stock market value after a false message was posted on the hijacked Twitter account of Associated Press. Technological impacts were limited due to the low sophistication of the cyberattacks.

At the international level, the effects were mainly characterized by the international nature of both the victims and perpetrators of cyberattacks. Also, the conflict did not escalate in cyberspace and spill over into the physical realm. Cyberattacks remained of low intensity and focused mainly on harassment and espionage.

Consequences

The consequences that can be derived from the context of the Syrian conflict in cyberspace mostly relate to increasing awareness of propaganda and radicalization on social media and incentivizing social media stakeholders to better control contents posted on their platforms. This report also recommends that state actors improve their cybersecurity through awareness-building campaigns and technological solutions. Finally, the analysis suggests that the development of the Syrian conflict and its actors both on the ground and in cyberspace should be closely monitored.

Targets: Government institutions and pro-government groups, anti-government groups excluding Islamist groups, Islamist groups, third-party states, third-party organizations, and media outlets.

Tools: Distributed Denial of Service¹, website defacement, data breaches, misinformation, various freely available malware (e.g. DarkComet RAT, njRAT, XtremeRAT, Backdoor.breut, BlackWorm, NanoCore, ShadowTech RAT, DroidJack), a customized malware, a malicious Android application, spear phishing emails, fake social media login pages and fake websites with malicious links.

Effects: Propaganda and misinformation on social media and defaced websites, internationalization of the conflict through cyberspace, drop in stock market due to defacement, use of malware in support of ground operations.

Timeframe: From spring 2011 and still ongoing with a hot phase from 2011 to 2014.


1 Introduction

During the Arab Spring in 2011, cyberspace played a significant role in the development of anti-government protests and the spread of democratic ideas. In 2000, when Bashar al-Assad became Syria’s leader, only 0.2% of the Syrian population used computers. The number of users significantly increased to reach 22.5% in 2012 (Grohe, 2015). The growth of internet users in Syria and the start of the Arab Spring in Tunisia and Egypt emphasize the role of cyberspace in the Syrian conflict. The use of hotspots to evaluate each concrete case can support the theoretical and abstract concepts of cybersecurity. This hotspot analysis examines the cyber-dimension of the Syrian civil war. During the Arab Spring, it became evident that cyberspace was often used to organize protests and demonstrations against the Tunisian and Egyptian governments. This also occurred during protests in Syria, and relevant activities evolved into platforms for gaining domestic and international support for both the anti-government and the pro-government groups.

The study of this hotspot is relevant because it illustrates how the use of cyberspace evolved from a context of domestic unrest to civil war involving a variety of actors. This hotspot is also placed into the context of international tensions between local rival states and major powers such as the USA and Russia.

The aim of the analysis is to describe how victims of cyberattacks were affected and how they responded. This document will be updated as new elements are discovered or significant changes occur. The goal is to keep the document up to date with current issues and to stay as accurate as possible. This study will also be used in a future, broader report that will compare different hotspots and recommend measures to states on how to improve their policies if faced with similar situations.

The report will proceed as follows. Section 2 describes the historical background and chronology of the Syrian civil war. It summarizes the main events of the conflict as well as the various peace talks and cyberattacks that have occurred since 2011.

In Section 3, the report portrays the main actors in the Syrian conflict that are active in cyberspace, their targets and the tools and techniques they use. It demonstrates that the Syrian conflict is a highly complex environment with numerous actors sometimes using the same tools and techniques such as spear phishing², website defacement or easily available Remote Access Tools (RAT)³.

2 Technical terms are explained in a glossary in Section 8 at the end of the document.

Section 4 studies the effects of the cyberattacks on Syrian society. These were characterized by propaganda on social media trying to discredit enemies, an internationalization of the conflict through activities conducted in cyberspace by sympathizers of either side to the conflict, and an increase in mistrust among members of anti-government groups targeted by impersonation of social media accounts. The second sub-section examines the economic effects of the cyberattacks. These can be summarized as the direct and indirect costs of Distributed Denial of Service (DDoS) and defacement attacks and by the stock market’s negative reaction to false information posted on the hijacked Twitter account of Associated Press. Sub-section 3 investigates the technological effects of cyberattacks carried out during the Syrian civil war. These technological impacts are identified as physical tampering with internet functionality by the Syrian government and the fact that cyberattacks were generally not sophisticated, relying on malware that is easily available online.

The last sub-section looks into the impacts of the cyberattacks at the international level. The analysis demonstrates that the cyberattacks taking place in the context of the Syrian conflict affected people and businesses internationally, but that perpetrators may also have originated from outside Syria. It also shows that the use of malware mainly focused on gathering information to support the battlefield and notes that Western states imposed international economic sanctions on Syria.

Finally, Section 5 provides a number of recommendations to state actors in order to decrease the risk of falling victim to similar cyberattacks. It describes how state actors can improve their cybersecurity and decrease the impact of propaganda by raising awareness and creating incentives for social media to better control contents. It also suggests that states should monitor the evolution of the Syrian conflict and its cyber-dimension in order to avoid being caught unaware by potential similar attacks in the future.

3 Abbreviations are listed in Section 9 at the end of the document.


2 Background and chronology

Both the historical background and chronology of Syrian politics, the Arab Spring and the Syrian civil war are important in understanding the context within which cyber activities unfolded throughout the conflict.

Syria’s Ba’athist government managed to remain in power for 40 years on a foundation of secularism and powerful repression of the opposition. With the Arab Spring, the opposition saw its opportunity to demand greater freedom and more democracy. President Assad was prepared for such a contingency and violently repressed the protests while surveilling internet and other communications. The country slipped into a civil war, which also took a religious turn. The conflict appears to have further evolved into a proxy war between Shias supported by Iran and Lebanon against Sunnis supported by Saudi Arabia, Turkey and Qatar. This international dimension is important in understanding the dynamics and evolution of the various international tensions and peace talks as well as the development of the war on the ground and in cyberspace. The latter evolved in parallel to the physical theater but has always remained at a rather low intensity. The bulk of relevant cyber activities consists of propaganda on social media, publicity gained through website defacement and some cyberespionage campaigns. After 2015, the number of cyberattacks decreased until they almost completely disappeared, as international intervention against the Islamic State of Iraq and Syria (ISIS)⁴ and other developments shifted the numerous actors’ priorities away from cyberspace.

Rows colored in gray refer to cyber-related incidents.

Date Event

03.1963 Hafez al-Assad, an Alawi (a Shia branch of Islam) and father of Bashar al-Assad, is part of a group of Ba’athist army officers who take power in Syria.

02.1970 Hafez al-Assad, defense minister, overthrows the Syrian President.

10.1973 Syria, together with Egypt, goes to war against Israel.

1994 Bassel al-Assad, elder brother of Bashar al-Assad and heir to Hafez, dies in a car accident.

06.2000 Bashar al-Assad becomes President after his father’s death (BBC News, 2017a).

4 ISIS is also known as the Islamic State of Iraq and the Levant, the Islamic State and Daesh.

09.2007 With Operation Orchard, Israel launches a cyberattack to disable the Syrian anti-aircraft system. This cyberattack enables the Israeli air force to conduct an airstrike on a nuclear facility in Deir el Zor in Northern Syria (Associated Press, 2011).

19.12.2010 An unemployed Tunisian sets himself on fire to protest against the Tunisian government. In conjunction with WikiLeaks revelations regarding the Tunisian authorities, his action causes protests by young Tunisians. This event is considered to be the starting point of the Arab Spring.

14.01.2011 The Tunisian President flees to Saudi Arabia.

17.01.2011 In Egypt, a man sets himself on fire to protest against economic conditions and to provoke similar protests as in Tunisia (Blight et al., 2012).

08.02.2011 After seeing the civil unrest in other Arab countries, al-Assad promises elections, greater press freedom and the end of the ban on Facebook and YouTube (Williams, 2011).

11.02.2011 Egyptian President Hosni Mubarak steps down and hands over power to the army.

16.02.2011 Protests against Gaddafi start in Libya.

18.03.2011 The United Nations (UN) Security Council agrees on a resolution authorizing intervention in Libya to protect civilians. The next day, the intervention by a coalition of 17 states starts in Libya.

19.03.2011 Protests for more political freedom and the end of the reign of the Ba’ath party erupt in Syria. The Syrian security forces open fire at protesters and kill four of them in the southern city of Daraa, causing the unrest to spread to other cities (Blight et al., 2012).

04.2011 The Syrian Electronic Army (SEA) is created (Fisher and Keller, 2011).

19.04.2011 To calm his population, President Assad agrees to lift a 48-year-old emergency law.

25.04.2011 The Syrian government deploys tanks in several cities to confront protesters.


05.2011 The SEA launches its first cyberattack with a DDoS attack on OrientTV⁵.

09.05.2011 The European Union (EU) issues an arms embargo against Syria.

19.05.2011 The EU and USA impose sanctions on Syria in response to President Assad’s violent repression of the protests.

23.05.2011 The EU imposes sanctions specifically targeting President Assad and other members of the Syrian government.

04.06.2011 Internet access is shut down by the Syrian government (Blight et al., 2012).

20.06.2011 Syrian President Assad refers to the SEA in an interview on Syrian television, but the hacker group immediately responds with a statement on its website that it is not connected to the Syrian government (Fisher and Keller, 2011).

07.2011 Deserters from the Syrian Armed Forces who took refuge in Turkey create the Free Syrian Army (FSA) (Al Jazeera, 2017).

08.08.2011 King Abdullah of Saudi Arabia recalls his ambassador from Syria and demands President Assad stop the bloodshed.

02.09.2011 The EU extends its sanctions against the Syrian government.

02.10.2011 Various opposition groups gather to form the Syrian National Council (SNC).

22.10.2011 Libyan President Gaddafi is killed (Blight et al., 2012).

12.11.2011 Syria is expelled from the Arab League because of its violent repression of the protests. The League also issues sanctions against Syria.

28.11.2011 A report to the UN Human Rights Council accuses the Syrian government of crimes against humanity.

02.2012 The UN proposes a draft peace plan with the support of China and Russia (BBC News, 2017a). The Anonymous hacker group declares war against the Syrian government and the SEA.

30.06.2012 The Geneva I conference on Syria takes place with representatives of the USA, China, Russia and the United Kingdom and the former UN General Secretary Kofi Annan. The conference ends with a proposal for a transitional government (BBC News, 2012).

08.2012 US President Obama warns that the use of chemical weapons would provoke a US intervention in Syria.

11.2012 The National Coalition for Syrian Revolutionary and Opposition Forces is created in Qatar but does not include the Islamist militias. The USA, France, the United Kingdom, Turkey and Gulf states recognize the coalition as the legitimate government of the Syrian population (BBC News, 2017a).

29.11.2012-01.12.2012 The Syrian government shuts down the Internet for three days (Chulov, 2012).

05.2013 Syria accuses Israel of conducting an airstrike near Damascus (Grohe, 2015). The US firm Network Solutions LLC seizes hundreds of Syrian websites’ domain names registered to Syrian organizations, including the SEA website. The seizure takes place in the context of the 2012 US trade sanctions against Syria⁶.

21.08.2013 Rockets filled with the nerve agent Sarin are used in various suburbs of Damascus and kill hundreds of civilians. The Syrian government accuses the opposition forces and vice versa (Bouckaert, 2013).

09.2013 UN inspectors conclude that chemical weapons were used in the attack of Ghouta. Under international pressure, President Assad agrees to dispose of his chemical weapons (BBC News, 2016).

10.2013 The Commander of the Iranian Cyber War Headquarters, the cyberunit of the Iranian Revolutionary Guard Corps (IRGC), who is suspected of assisting the SEA, is assassinated. The Israeli secret service, the Mossad, is accused by Iranian authorities (Grohe, 2015, p. 144).

5 For a detailed table of the cyberattacks since the beginning of the Syrian civil war, see Annex 1 in Section 6.

6 The seizure of domain names by the Network Solutions LLC raises further questions with regard to international internet governance. These questions will not, however, be discussed in this document. Further information on this topic can be found on this website: https://krebsonsecurity.com/2013/05/trade-sanctions-cited-in-hundreds-of-syrian-domain-seizures/


12.2013 The USA and United Kingdom suspend their support for the FSA when it is reported that Islamist militias have raided FSA bases.

22-31.01.2014 The Geneva II Conference on Syria ends in failure when the Syrian government refuses to discuss the terms of a transitional government.

06.2014 ISIS declares the creation of a caliphate in the territory extending from the city of Aleppo to the eastern province of Diyala.

09.2014 The USA and five Arabic states launch airstrikes against ISIS in the region of Aleppo and Raqqa.

01.2015 The Turkish army pushes ISIS troops out of Kobane (BBC News, 2017a).

02.2015 The Anonymous collective declares war against ISIS (Ruhfus, 2015).

09.2015 France extends its airstrikes on ISIS positions from Iraq to Syria (Shaheen et al., 2015).

30.09.2015 Russia starts to launch airstrikes against ISIS targets following an official request by the Syrian government (BBC News, 2017a).

10.2015 The USA stops its program to train Syrian anti-government groups (Al Jazeera, 2017).

13.11.2015 Terrorists with sworn allegiance to ISIS attack several locations in Paris (Shaheen et al., 2015).

24.11.2015 A Russian plane is shot down by the Turkish air force (BBC News, 2015). DDoS attacks targeting websites using the Turkish root Domain Name System (DNS) “.tr” are attributed to Russia in retaliation for the downing of the fighter jet (Murgia, 2015).

12.12.2015 The Syrian Armed Forces retake the city of Homs in Western Syria.

02.2016 The Geneva III peace talks on Syria start and are suspended three days later.

03.2016 The Syrian Armed Forces recapture the city of Palmyra in the center of Syria with the help of Russian aircraft (Wintour and Walker, 2016). An SEA member is arrested in Germany and extradited to the USA in May 2016 (Cimpanu, 2016).

04.03.2016 Russian President Putin orders the withdrawal of the bulk of the Russian forces in Syria because the mission is considered to have been largely accomplished overall (Wintour and Walker, 2016).

08.2016 The Turkish forces and FSA launch operation Euphrates Shield to push ISIS back from the Turkish border (BBC News, 2017b).

25.09.2016 The USA accuses Russia of war crimes in Syria.

03.10.2016 The USA suspends its participation in the Syrian ceasefire talks with Russia because of Russia’s role in helping Syrian government forces retake Aleppo. In return, Russia suspends its participation in a 2013 agreement on nuclear energy research and development and withdraws from a 2010 agreement on cooperation in the conversion of research reactors to low-enriched uranium fuel (Klion, 2016; World Nuclear News, 2016).

15.10.2016 Representatives of the USA, Russia, Saudi Arabia, Turkey and Qatar meet in Lausanne, Switzerland, for talks about peace plans in Syria (Wroughton and Winning, 2016).

16.11.2016 Russia withdraws from the International Criminal Court (Reuters, 2016).

12.2016 The Syrian Armed Forces retake the city of Aleppo in northern Syria with the help of Russian air power and Shia militias supported by Iran (BBC News, 2017a).

19.12.2016 The Russian ambassador to Turkey is assassinated by a police officer protesting against Russian involvement in the Syrian conflict (Walker et al., 2016).

01.2017 Iran and Turkey agree to implement a ceasefire between the opposition and the Syrian government at a conference in Kazakhstan (BBC News, 2017a).

23.02.2017 The Geneva IV Conference on Syria resumes discussions to find a solution for peace (BBC News, 2017c).

28.02.2017 China and Russia veto a UN Security Council resolution to sanction Syria for the alleged use of chemical weapons (Reuters, 2017).

30.03.2017 Turkish forces end operation Euphrates Shield in northern Syria (BBC News, 2017b).

05.04.2017 The Syrian government allegedly targets the town of Khan Sheikhoun north of Homs with nerve agent chemical weapons.


07.04.2017 The USA reacts to the use of chemical weapons by bombing a Syrian military base (Graham-Harrison, 2017).

7 Annex 2 at the end of the document summarizes the actors and their targets as well as the tools and techniques they use.

3 Description

This section describes the different actors participating in the Syrian conflict in cyberspace, their targets, and the tools and techniques they use. The aim is to better understand who is against whom in the highly complex context of the Syrian conflict. Another goal is to provide details of the tools and techniques that were used in cyberspace during the conflict, who used them and why⁷.

3.1 Attribution and actors

During the six years of civil war in Syria, the actors have evolved and changed in response to the events of the conflict. This adds to the already existing difficulty of attributing cyber activities. Attribution is normally based on the “cui bono” (to whose benefit) logic. This also implies that it is not possible to be 100% sure that an actor benefiting from a cyberattack is indeed its perpetrator. In addition, due to language limitations, this hotspot analysis relies mainly on Western media, cybersecurity reports and academic articles. These references have a specific point of view that others may not share. It is therefore important to bear in mind that there is always the possibility that evidence has been manipulated by one actor to deliberately implicate another.

The actors have been categorized into five groups: pro-government groups, anti-government groups, Islamist groups, state actors, and non-aligned groups.

Pro-government groups

In the first category, there are various groups that perpetrate cyber activities in support of the Syrian government. Five groups⁸ of pro-government actors have been identified as active in cyberspace throughout the conflict: the Syrian government itself, the SEA, the Syrian Malware Team (SMT), the Electronic National Defense Forces (ENDF), and groups acting from outside Syria, which comprise one operating from Lebanon and another, identified as Group5, allegedly working from Iran.

The Syrian government

The Syrian government is composed of the Syrian military intelligence in which Branch 225 is responsible for monitoring internal and external communications (Syrian Network for Human Rights, 2013). Syrian President Assad understood early in 2011 that protests in Egypt and Tunisia succeeded in overthrowing their leaders because the governments did not crush the demonstrations early enough. The Assad government was already known before the war for censoring internet content in the country. For example, YouTube and Facebook could not be accessed in Syria until February 2011 (Noman, 2011). Furthermore, in Syria, there are twelve internet providers that operate under the government-owned Syrian Telecommunications Establishment (STE). As soon as the protests started, Syrian President Assad chased foreign journalists out of the country to control the press coverage of events (Lee, 2016). These measures enabled the Syrian government to control internet access, implement censorship and perform cyberespionage. More than once, the Syrian government shut down internet or cell phone networks for several days in order to stop protesters posting videos, images or comments about events on social media. The Syrian government also used malware to spy on dissidents and built its own surveillance system in 2015 to control and monitor text messages, emails and internet use. The system is said to be able to block text messages or emails containing specific words (Zaluski, 2016).

8 Other groups have also been observed during the conflict, but were not significant enough to be considered in this document.

The Syrian Electronic Army

The SEA⁹ was created in May 2011 and was the most visible cyberactor in the Syrian civil war. However, its relation to the Syrian government remains unclear. In June 2011, President Assad thanked the SEA for its actions in a speech on Syrian television, but the group later clarified on its website that it had no ties with the Syrian government. However, it operates from Syria, which suggests that, even if it is not part of the Syrian military, it at least enjoys tacit support from the Syrian government (OpenNet Initiative and InfoWar Monitor, 2011). Warren and Leitch (2016) argue that the SEA acts as a proxy group for the Syrian government and is under the authority of the Syrian government. Grohe (2015) adds that it became Syria’s de facto cyber force because of all the attention it attracted through its operations, as it always advertises and claims responsibility for its attacks. Al-Rawi (2014) continues that the SEA also attracts patriotic hackers and/or script kiddies who want to take part in the conflict, but do not want to be associated with the Syrian government. It is therefore unclear whether the SEA is a loose association of patriotic hackers or operates under a more centralized and organized structure. In an operation against the Syrian government, the hacktivist group Anonymous exposed five alleged SEA members, revealing that one of them was operating from Romania and another from Russia, suggesting that the group is a loose association rather than a fixed organization (Al-Rawi, 2014).

9 The SEA also uses the names: ArabAttack, Shadow, The Pr0, Saqer Syria, Sy Team and al3rab (OpenNet Initiative and InfoWar Monitor, 2011).

The SEA is active on the main social media platforms to promote its actions and support the Syrian government (Warren and Leitch, 2016). Grohe (2015) argues that the Syrian government uses the SEA as a counter-narrative to social media publications posted by anti-government actors. The official SEA website was created and first registered with the Syrian Computer Society (SCS), i.e. the Syrian authority registering internet domain names, in May 2011. During the first year of the conflict, the SEA created a Syrian Hackers School Facebook page, from which people were able to download and learn how to use a tool for launching DDoS attacks against BBC News, Al Jazeera, OrientTV and Al-Arabiya TV. At the beginning of the war, the group’s actions consisted mostly of the use of website vulnerabilities for defacement with pro-government messages and images. Between 2011 and 2015, it defaced hundreds of websites.

As the war moved on, the SEA’s technique improved, which suggests that it received help from the Syrian government, from Iran or Russia, both of which support the Syrian government. Reporters Without Borders argues that the SEA is used as a cyberintelligence tool by the Syrian government (Al-Rawi, 2014). In 2013, after the US-based internet domain name registrar Network Solutions LLC seized hundreds of Syrian domain names from the SCS, the SEA registered its website in Russia in order to keep it active. Internet domain names were part of the banned services included in the US trade sanctions against Syria (Al-Rawi, 2014; Gallagher, 2013). After 2013, the number of cyberattacks perpetrated by the SEA decreased and stopped altogether in June 2015. In fact, the group shifted its focus from hacktivism to cybercrime. In 2016, the US Federal Bureau of Investigation (FBI) added two SEA members to its list of wanted cybercriminals. A member of the group, Peter Romar, was arrested in Germany in March 2016 and was extradited to the USA, where he will be tried (Kobrak, 2017).

The Syrian Malware Team

The Syrian Malware Team (SMT) is a pro-government group of hackers using RATs. It might be an SEA branch, or at least some of its members have ties to the SEA. According to the cybersecurity firm FireEye, the group was first observed in January 2011 and was still active in July 2014 (Wilhoit and Haq, 2014).


The Electronic National Defense Forces

The Electronic National Defense Forces (ENDF) is a group said to be the technical wing of the Syrian National Defense Forces, a pro-government militia operating throughout Syrian territory (Lund, 2015). The militia was created by the merger of several smaller groups in 2012, but its electronic unit was probably created at the same time as its Facebook page in August 2013. The group is active on Facebook to lure opposition members into providing their social media login credentials. They then use this data to access accounts and post pro-government messages in the victims’ names (SecDev Foundation, 2013a).

Groups operating from outside Syria

Two pro-government groups have been identified as operating from outside Syria. The first group, which allegedly originates from Lebanon, carried out hacking operations between November 2013 and January 2014. Its technique was to lure opposition members on Skype with a female avatar. They would ask victims to download a photo infected with a RAT. They also used fake social media pages with download links to infected software or images. The Command and Control (C&C) servers used for these activities were located outside Syria, and the perpetrators made several references to Lebanon both in their conversations with victims and in the malware script. These elements led FireEye experts to believe that this is a group from Lebanon. If this is indeed the case, the group may be tied to Hezbollah, whose members are said to have attended internet and social media training courses in Syria (Regalado et al., 2015).

The second group allegedly comes from Iran and has been named Group5 by researchers at Citizen Lab in Toronto. Group5 has been observed since October 2015 and targets members of anti-government groups. The group sent emails which seemed to come from legitimate non-governmental organizations (NGOs), but contained a Microsoft Office PowerPoint presentation infected with a RAT. It also runs a website that emulates the design of other opposition websites and contains links to infected documents. Both the website and the C&C servers are hosted outside Syria. An obfuscation tool known to be used by Iranians was used together with the RATs, as was a Persian-language tool. These elements led the Citizen Lab experts to assume that Group5 was an Iranian actor (Scott-Railton et al., 2016).

Anti-government groups

It is believed that there are more than 1,000 anti-government groups in Syria, but only three have been identified as active in cyberspace: the Supreme Council of the Revolution (SCR), the FSA¹⁰, and the Hackers of the Syrian Revolution (HSR). These groups have been less visible in cyberspace, probably due to a lack of both resources and coordination among themselves.

10 The FSA is also known as the Supreme Military Council of the Free Syrian Army.

The Supreme Council of the Revolution

The SCR can be linked to the Supreme Council of the Syrian Revolution (SCSR), which is an opposition group sitting on the Syrian National Council (SNC)¹¹. However, it is unclear whether the SCR is in reality the SCSR, or whether it has ties to the SNC. The group allegedly hacked into the email accounts of Syrian President Assad and his wife (Booth et al., 2012). The hacker of the email accounts is alleged to be Abdullah Hachim Shammani, who operates an information network in Arabic (Ahmad, 2012).

The Free Syrian Army

The FSA was created in July 2011 by Syrian Armed Forces deserters who fled to Turkey. It is a decentralized organization that brings together several opposition groups but does not include Islamist groups. The FSA receives support from Western and Gulf states (BBC News, 2013; Lee, 2016). Its use of cyberspace is mostly aimed at promoting the group’s cause and reporting the Syrian government’s atrocities on social media. The FSA was also involved in DDoS attacks against Syrian government websites and Syrian state-owned media websites (Lee, 2016).

The Hackers of the Syrian Revolution

The HSR group appears to be composed of four hackers; it targets mainly computer infrastructures of the Syrian government. It is believed to have attacked the Syrian Ministry of Oil and Mineral Resources and the Syrian Virtual University, although the nature of the attack is unknown. The HSR accessed and released a list of people investigated by the Syrian General Security Department in relation to opposition activities (SecDev Foundation, 2013b).

Islamist groups

Islamist groups opposing the Syrian government are considered to be separate from the opposition because they are not included in the SNC and also target anti-government groups. There are just as many Islamist groups as opposition groups, but three can be distinguished by their activities in cyberspace: the cyberwing of ISIS, called the Cyber Caliphate; the cyberbranch of Jabhat al-Nusra¹²; and the cyberunit of the militia Ahrar al-Sham. These groups are not coordinated and do not fight the same enemy; they even fight against each other in the physical and cyber realms.

11 The SNC is also known as the Syrian National Transitional Council or the National Council of Syria.

The Cyber Caliphate

The Cyber Caliphate was created in 2014. It appears to be the cyberunit of ISIS, but its affiliation to that Islamist group remains unclear. This ambiguity is based on the possibility that the group may be only an ad-hoc organization rather than an effective branch of ISIS. ISIS is a Sunni fundamentalist group that established a proto-state on territory in Syria and Iraq. It was observed that the Cyber Caliphate was mainly active between 2014 and 2015, when ISIS was in full control of its territory (Graham-Harrison, 2015). Later, its activity in cyberspace decreased, probably due to the group’s stronger focus on military ground operations rather than on cyber activities.

Hackers of the Cyber Caliphate operate both from abroad and from ISIS territory. Their most famous individual is a British hacker, Junaid Hussain, who was convicted of accessing Tony Blair’s personal address book in 2012.

As an alleged cyberwing of ISIS, the group is responsible for social media propaganda used for recruitment and fundraising, maintaining the internet in ISIS-controlled territories and educating ISIS members on cybersecurity (ZeroFOX Team, 2015).

The cyberbranch of Jabhat al-Nusra

Jabhat al-Nusra is a fundamentalist Sunni group that was created in the context of the anti-government protests in 2011. The group was associated with al-Qaeda in Iraq from 2012, but publicly separated itself in July 2016. They have also been seen as rivals of ISIS since their separation in 2013 (Clarke, 2016; Haid, 2016). This Islamist group appears to have a cyberunit called the Jabhat al-Nusra Electronic Army, which has run its own Facebook page since 2013. However, the affiliation between the Islamist group and the hacker group has not been confirmed. The hacker group targets mainly government forces (SecDev Foundation, 2013b).

The cyberunit of Ahrar al-Sham

Ahrar al-Sham was founded in December 2011. This Sunni fundamentalist group intends to overthrow Assad’s Syrian government and replace it with an Islamic government. On the ground, they cooperate with al-Nusra and Turkey against ISIS. They receive financial support from Turkey and Saudi Arabia. The group has a technical division responsible for cyberattacks (Stanford University, 2017), but there is very little information on it. It is said to be behind cyberattacks on the SEA and Syrian media (Zelin and Lister, 2013).

12 Jabhat al-Nusra is also known as Al-Nusra Front or Jabhat Fateh al Sham.

State actors

State actors consist of states involved in the Syrian conflict in cyberspace. Iran, Turkey and Israel are neighboring countries affected by the Syrian conflict. Russia intervenes in support of the Syrian government, and the USA is part of a larger operation against ISIS that is conducted in Iraq and Syria. Both Russia and the USA are part of the international coalition against ISIS.

Iran

As a Shia religious state, Iran supports Assad, who belongs to the Alawite minority in Syria, a Shia branch of Islam. The conflict in Syria can be described as a proxy war between Shias (Iran) and Sunnis (Saudi Arabia). Iran fears that if the Syrian government falls, a revolution in Iran may follow. Iran supports Assad’s government and pro-Assad militias with military training and equipment, advisors and financial resources (Lee, 2016; Lund, 2015).

The leak of Assad’s emails in 2012 revealed that the Syrian President received advice from Iran on how to handle demonstrations (Booth et al., 2012). Iran is known to have a large cyberbranch in the IRGC that may have trained Syrian forces and Hezbollah in Lebanon. It was reported that some members of the IRGC were also integrated in Syrian forces. In October 2013, the commander of the Iranian Cyber War Headquarters was assassinated for allegedly providing support to the SEA (Grohe, 2015). However, misinformation was circulated online about the cooperation between Iran and Syria (Duggan, 2015).

Turkey

Turkey’s involvement in the Syrian conflict stems from its geographical position as a neighbor, from the influx of Syrian refugees across the border and from the perceived risk emanating from the Kurdish population living near the border. Turkey’s role in cyberspace in the context of the conflict remains unclear. Nevertheless, Turkish citizens were targeted by ISIS propaganda and recruitment campaigns (Gurcan, 2016). Turkish websites were also victims of DDoS attacks allegedly conducted by Russia in retaliation for the downing of a Russian fighter jet in November 2015 (Murgia, 2015).


Israel

Israel’s role in the conflict is based on its neighboring location and rivalry with Syria as a local power. Israel is known to have significant cyber capabilities, but none have so far been disclosed during the Syrian conflict. Israeli intelligence services were accused of assassinating the commander of the Iranian Cyber War Headquarters in 2013 (McElroy and Vahdat, 2013).

Russia

Russia is allied to the Assad government and physically intervened in Syria against ISIS in September 2015. Russian support mainly takes the form of equipment and air support, and Russian action in cyberspace consists of propaganda and espionage campaigns focused on gathering information on anti-government groups and NGOs, with spying malware being delivered by spear phishing emails and fake websites with malicious links (Jones, 2016). It is alleged that Russia intervened in cyberspace by launching DDoS attacks against Turkish websites to retaliate against the shooting down of a Russian plane by the Turkish air force (Murgia, 2015). The group APT28, which is said to have ties to the Russian government, defaced the French television channel TV5 Monde with pro-ISIS messages (Ruhfus, 2015).

The United States of America

The USA leads the international coalition against ISIS in Syria and in Iraq. It provides training, equipment and air support to anti-government forces. The USA considered using cybertools against infrastructures in Syria, but the idea was abandoned because of fears of retaliation against the USA or its allies by Syria, Iran or Russia (Sanger, 2014).

Non-aligned groups

This category consists of third-party non-state actors who became involved in the Syrian conflict through cyberspace. It includes the hacktivist group Anonymous and a US national named Oliver Tucket. There have also been other hacktivist groups involved in the conflict at various times, but only Anonymous had significant impact. For instance, the hacktivist group Telecomix sent emails to members of the Syrian opposition containing advice on how to bypass internet shut-downs and links to online security tools, but the group apparently did not get involved in any other proactive online activities (Weiss, 2012).

Anonymous

Anonymous is a decentralized hacktivist association that supports internet freedom. In November 2012, Anonymous declared war on the Syrian government after it shut down internet and mobile phone services to prevent the opposition from communicating (Bennett-Smith, 2012). In other campaigns, they also targeted ISIS and states financing ISIS (Calpito, 2015; Hamill, 2014).

Oliver Tucket

Oliver Tucket is the pseudonym of a US hacker who has targeted the Syrian government’s servers and leaked government documents and communications. He accessed Syrian government website servers and redirected users to other pages. He was annoyed by the amount of publicity that the SEA received in comparison to its limited technical skills. He is also said to have been motivated to act against the Syrian government for moral reasons. He does not claim any association with Anonymous and has stated that he wanted to show that anybody with an internet connection could take part in the conflict (Grohe, 2015; Peterson, 2013).

3.2 Targets

Cyberattacks carried out in the context of the Syrian civil war have been aimed at a diverse range of targets located both inside and outside Syrian territory. They can be grouped into six categories according to their association with the various actors in the conflict and their geographical locations: government institutions and pro-government groups; anti-government forces excluding Islamist groups; Islamist groups; third-party states; third-party organizations; and media outlets. These groups may have been targeted by more than one perpetrator.

Government institutions consist of Syrian governmental institutions, networks and websites. They experienced mostly DDoS, defacement and data breaches. They were targeted by anti-government forces and Islamist groups as part of the war effort to collect information on government forces or simply to discredit the government through propaganda campaigns (Grohe, 2015; OpenNet Initiative and InfoWar Monitor, 2011). Other groups such as Anonymous and the hacktivist named Oliver Tucket attacked the Syrian government to disclose information about the war to the public, but also to disrupt access to government networks and websites (Lee, 2016). Pro-government groups’ social media accounts were also targeted and defaced by anti-government and other groups (Grohe, 2015).

Anti-government groups suffered cyberattacks from government forces and pro-government groups in the form of propaganda, misinformation and website defacement in order to discredit the anti-government cause. They were also targeted in DDoS attacks aimed at hampering access to webpages and impairing groups’ ability to communicate or share up-to-date news about government force positions. Anti-government groups were additionally infected by RAT malware delivered via phishing campaigns originating from government forces and pro-government groups. This was to collect intelligence on the members, structures and locations of anti-government groups (Deegan et al., 2017).

Islamist groups were mostly targeted by the hacktivist group Anonymous. They sustained website defacement and DDoS attacks. The goal was to hamper Islamist groups’ access to certain websites to prevent them from conducting recruitment and propaganda campaigns. These groups were also confronted with social media websites closing their accounts.

Third-party states are also targeted by cyberattacks originating from the Syrian conflict. This category includes states that are both directly involved (e.g. by taking part in the international coalition’s anti-ISIS operations in Syria) and indirectly involved (e.g. by financing groups). Websites and social media accounts of US institutions have been repeatedly defaced by the SEA and the Cyber Caliphate since 2011. Anonymous also targeted websites of states suspected of funding ISIS, namely Turkey, Qatar and Saudi Arabia (Hamill, 2014).

Third-party organizations are private firms, international organizations and non-government organizations. Some are directly involved in the conflict, while others are not, but are targeted because their website or network security is low, making them easy targets for opportunistic cyberattacks. This type of organization was mainly targeted by the SEA and sustained primarily defacement of their websites or social media accounts (Al-Rawi, 2014).

Media outlets are defined as a special category here because they were principally targeted by the SEA and anti-government groups. These groups attacked media outlets to protest about their reporting on the Syrian civil war, which they judged to be untruthful. Media outlets were affected by defacement of their websites and/or social media accounts (Lee, 2016).

3.3 Tools and techniques

Since the beginning of the Syrian civil war, all of the actors have used social media and online platforms to promote their causes with the aim of gaining local and international support for recruitment or funding. This technique does not require specific technological skills and is more focused on publicity than on causing damage; it is therefore not considered a tool or technique in this report.

Other types of unfriendly cyber activities have been observed and grouped into four categories: data breaches with disclosure of stolen documents; website defacement; DDoS; and espionage malware. The first type of activity consists of collecting information through cybermeans and releasing it to the public with the aim of influencing public opinion. The next two categories focus on disrupting the use of websites. However, defacement is also oriented towards gaining publicity for a cause and is used as a propaganda tool. The fourth type of activity focuses on collecting intelligence on an enemy’s hierarchy or location in order to prepare for future kinetic attacks.

Data breaches

Data breaches and the disclosure of stolen information occurred repeatedly throughout the Syrian civil war. This type of activity entails entering a network without the user’s consent and/or knowledge through the use of malware, theft of login credentials or weak passwords. Data breaches can also aim at disclosing stolen information in order to influence public opinion. Theft of information happened about fifteen times during the Syrian war, with ten incidents perpetrated by the SEA, one by an anti-government group, two by Islamist groups and two by Anonymous.

Website defacement

Website defacement, which has been the most frequently occurring cyberattack during the conflict, is regarded as cyberspace vandalism, as it involves changing the appearance of a website or redirecting users to another webpage. Perpetrators exploit vulnerabilities in website structure by employing SQL injection to access the site server and obtain administrative rights to make changes. During the Syrian civil war, many social media pages were defaced to display propaganda messages. The techniques used by pro-government groups in the Syrian context consisted of luring victims into relinquishing social media login credentials with phishing emails, fake login pages, and sometimes with the use of torture (Ruhfus, 2015). Another technique used for defacing websites was DNS hijacking, which consists of substituting a website’s DNS server with another. Approximately 200 websites have been defaced since the beginning of the Syrian civil war. The majority were defaced by the SEA, but other, smaller actors have also used defacement. The goal of these attacks was not to steal information, but to disrupt and harass the enemy, while spreading propaganda and misinformation. The targeted webpages were mostly media outlets and other organizations such as NGOs or commercial companies. Some targeted webpages belonged to companies without any affiliation to the conflict; these were simply chosen because of vulnerabilities in their webpages (OpenNet Initiative and InfoWar Monitor, 2011).

DDoS

DDoS attacks were used relatively infrequently during the Syrian conflict, compared to website defacement. In a DDoS scenario, attackers overload a website with requests causing a denial of access for legitimate users. This technique has been mostly employed by the SEA, which developed a tool named Bunder Fucker 1.0 at the beginning of the conflict in order to target the websites of four media outlets: Al-Jazeera, BBC News, Orient TV and Al-Arabyia TV. This tool was advertised for download on the SEA Facebook page. The SEA also informed its followers on how and when to use the tool to launch attacks. An anti-government group in turn transformed the tool to target pro-government media websites: Syrian General, the Syrian organization for radio and TV, Addounia TV and Syriarose (OpenNet Initiative and InfoWar Monitor, 2011). Attacks of this nature are mainly intended to disrupt and harass the enemy. Later in the conflict, the emphasis was more on website defacement rather than DDoS, but the latter still occurred a number of times between 2013 and 2015.

Malware

The use of dozens of different types of malware has been reported throughout the Syrian civil war. The cybersecurity firm FireEye reported that malware used in the context of the Syrian conflict mostly targeted anti-government groups, media activists and humanitarian actors working in Syria and in neighboring states (Regalado et al., 2015). Malware was mainly deployed to collect information about victims of such attacks in order to identify members of targeted groups, their movements and communications for battlefield advantage or for repression. The majority of malicious applications was available on hacker forums either free of charge or for sale. Eight of these malware products targeted computers:

DarkComet RAT

DarkComet RAT¹³ was the most commonly found RAT linked to the Syrian conflict (Kaspersky Lab, 2014). It was developed by a French hacker in 2011 and was freely available on surveillance forums. It was retrieved by pro-government groups and used against anti-government groups (Ruhfus, 2015). The malware was often hidden in a document sent to victims in spear phishing emails. When victims opened the document, it would download the malware into their computers.

13 The malware DarkComet RAT is also known as Finloski.

DarkComet RAT is able to activate webcams, disable the detection notification of antiviruses, record keystrokes, steal login credentials, delete and control files. It also has a DDoS capability (New Jersey Cybersecurity & Communications Integration Cell, 2016). The DarkComet RAT samples found in the context of the Syrian conflict were communicating with a C&C server located in Syria that belonged to the STE.

DarkComet RAT was also delivered through other means. The perpetrator, a pro-government group, would pose as a female anti-government activist and contact victims via Skype or Facebook messages. The attacker would then send a picture of the female avatar containing the malware. When the picture was opened, it installed DarkComet RAT on the computer. This version of the malware, which communicated with a C&C server outside Syria, is believed to have originated in Lebanon (Regalado et al., 2015). When the developer of the malware learned that pro-government groups used his tool, he stopped updating it and instead developed a removal tool that he published for free (Geers and Alqartah, 2013).

njRAT

njRAT¹⁴ was the second most commonly found RAT in the context of the Syrian conflict. It was first seen in June 2013 and was mainly used by cybercriminals in the Middle East. 80% of the C&C servers for njRAT are located in the Middle East and North Africa (New Jersey Cybersecurity & Communications Integration Cell, 2017). The malware’s features consist of collecting documents, making screenshots, gathering login credentials, recording keystrokes, deleting files and activating the webcam and microphone. This RAT is also capable of avoiding antivirus detection because of its encrypted architecture. The malware was used by the Iranian group Group5 but also by other pro-government groups. They infected their victims via the use of spear phishing emails or fake anti-government websites with malicious links that would download the malware onto users’ computers without their knowledge (Scott-Railton et al., 2016).

In September 2013, a sample of the malware was found in a link on a Facebook page containing information on the death of a FSA cleric killed by ISIS in July 2013. This sample communicated with a C&C server located in Syria (Galperin et al., 2013).

In March 2014, a sample of njRAT was found in a modified version of the censorship circumvention software, Psiphon. The malicious version of Psiphon looked exactly like the legitimate version but ran njRAT in the background, which communicated with a C&C server located in Syria. It is believed that it targeted Syrian anti-government groups, which often used censorship circumvention tools such as Psiphon (Scott-Railton, 2014).

14 The malware njRAT is also known as Bladabindi or Zapchast.

Xtreme RAT

Xtreme RAT has been available online for free since 2010. It is capable of collecting and uploading files, making screenshots and activating microphones and webcams and was used mainly by cybercriminals against financial institutions (Villeneuve and Bennett, 2014). It was believed to have been used by the SEA against anti-government groups, and by Jabhat al-Nusra against NGOs and FSA members. Samples of the malware were found in emails sent to an NGO administrator and members of the FSA in October 2013 (Galperin et al., 2013; Geers and Alqartah, 2013).

NanoCore

NanoCore¹⁵ is malware that has been freely available online since December 2013. It is mostly used by cybercriminals and has mostly affected US victims (Payet, 2014). In Syria, it was mainly used by Group5, which used spear phishing emails and fake anti-government websites to infect its victims. The malware has the same cyberespionage functionalities as njRAT (Scott-Railton et al., 2016).

Backdoor.breut

Backdoor.breut is a Trojan horse opening a backdoor in victims’ computers. It is available online and allows perpetrators to record keystrokes, steal login credentials, activate webcams and microphones, and download and upload files in the compromised computer (Liu, 2017). It is believed to be used by the Syrian government to steal the login credentials of members of anti-government groups. The perpetrators would then impersonate their victims on social media pages and send the malware to their victims’ contacts (Zaluski, 2016).

15 The malware NanoCore is also known as Trojan.Nancrat.

The “beacon malware”

A “beacon malware” was discovered in an email sent to the activist journalist group named Raqqah Is Being Slaughtered Silently in November 2014. The email contained a slideshow, which would download the malware when opened. The malware looks for details of the operating system of the victim’s computer and emails its Internet Protocol (IP) address to the perpetrator. Experts from the Citizen Lab assume that the choice to send information via email rather than to a C&C server is due to the lack of internet connectivity in Syria. The malware deletes itself from the computer when the slideshow is closed. It possibly resends the information each time the computer is restarted, confirming the idea that the malware acts as a beacon. The level of sophistication is rather low, as it does not encrypt the emails it sends and does not try to conceal its activities. Experts from Citizen Lab assume that the developer and user of the malware is ISIS (Scott-Railton and Hardy, 2014).
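The behaviour described above (an endpoint mailing out host details instead of contacting a C&C server, possibly again after every restart) leaves a pattern that can be hunted for in egress logs. The following Python code is an added example, not taken from the report or from Citizen Lab; the log format, host names, relay address, port list and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Assumed format:
#   <ISO timestamp> <host> BOOT
#   <ISO timestamp> <host> CONN <destination IP> <destination port>
SAMPLE_LOG = """\
2014-11-20T08:00:05 ws-17 BOOT
2014-11-20T08:01:10 ws-17 CONN 203.0.113.25 25
2014-11-20T08:02:00 ws-22 BOOT
2014-11-20T08:03:30 ws-22 CONN 192.0.2.10 587
2014-11-20T09:00:00 ws-30 BOOT
2014-11-20T13:15:00 ws-17 BOOT
2014-11-20T13:16:20 ws-17 CONN 203.0.113.25 25
2014-11-20T15:40:00 ws-30 CONN 198.51.100.7 25
2014-11-21T08:05:00 ws-17 BOOT
2014-11-21T08:05:50 ws-17 CONN 203.0.113.25 25
"""

APPROVED_RELAYS = {"192.0.2.10"}  # assumption: the only sanctioned mail relay
MAIL_PORTS = {25, 465, 587}       # SMTP and mail submission ports


def parse_events(text):
    """Parse log lines into (time, host, kind, dst, port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        when = datetime.fromisoformat(parts[0])
        host, kind = parts[1], parts[2]
        if kind == "BOOT":
            events.append((when, host, "BOOT", None, None))
        elif kind == "CONN" and len(parts) == 5:
            events.append((when, host, "CONN", parts[3], int(parts[4])))
    return sorted(events, key=lambda e: e[0])


def find_boot_beacons(events, approved_relays,
                      window=timedelta(minutes=5), min_boots=2):
    """Flag hosts that send mail directly to an unapproved server shortly
    after booting, on at least `min_boots` separate boots."""
    last_boot = {}   # host -> time of most recent boot
    counted = set()  # (host, boot time) pairs already matched to a connection
    stats = defaultdict(lambda: {"beaconing_boots": 0, "destinations": set()})

    for when, host, kind, dst, port in events:
        if kind == "BOOT":
            last_boot[host] = when
            continue
        # Mail sent through the sanctioned relay is expected traffic.
        if port not in MAIL_PORTS or dst in approved_relays:
            continue
        boot = last_boot.get(host)
        if boot is None or when - boot > window:
            continue  # direct mail traffic, but not tied to a restart
        stats[host]["destinations"].add(dst)
        if (host, boot) not in counted:
            counted.add((host, boot))
            stats[host]["beaconing_boots"] += 1

    return {
        host: {"beaconing_boots": s["beaconing_boots"],
               "destinations": sorted(s["destinations"])}
        for host, s in sorted(stats.items())
        if s["beaconing_boots"] >= min_boots
    }


if __name__ == "__main__":
    findings = find_boot_beacons(parse_events(SAMPLE_LOG), APPROVED_RELAYS)
    for host, info in findings.items():
        print(host, info["beaconing_boots"], info["destinations"])
```

In the constructed data only `ws-17` is flagged: `ws-22` mails through the approved relay, and the single direct connection from `ws-30` falls hours outside the post-boot window.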

BlackWorm

BlackWorm is a malware developed by Naser al Mutairi from Kuwait, who also developed the aforementioned njRAT malware, and a developer dubbed Black Mafia. There were two versions of the malware used in Syria by SMT. Both were able to communicate with C&C servers and download files from them as well as remotely restart computers, copy themselves onto USB drives and steal login credentials. This malware is easily available via specialized forums (Wilhoit and Haq, 2014).

ShadowTech RAT

ShadowTech RAT is a widely available malware used mainly by cybercriminals. In June 2013, it was found in a fake version of a Virtual Private Network (VPN) software named Freegate. Victims were encouraged to download the software on anti-government forums and social media pages. Once downloaded, it would ask users to disable their firewall to update the fake software and let ShadowTech RAT run freely in the background.

The malware used in the context of the Syrian civil war also targeted smartphones using the Android operating system:

DroidJack

DroidJack was developed from another Android RAT named SandroRAT, which was released on hacker forums in 2013. This malware is designed to intercept and steal messages, contacts and photos and activate cameras and microphones remotely. It was used in Syria by Group5 and delivered through a fake update for Adobe Flash Player (Scott-Railton et al., 2016).

The Dawn of Glad Tidings

The Dawn of Glad Tidings¹⁶ is an Android application developed by ISIS in April 2014. It is an official app from ISIS that informed users about news related to ISIS via Twitter messages. The application accesses the user’s Twitter account and posts messages on their account. It enabled ISIS to gain attention on Twitter and to build a network of botnets. The application was able to upload up to 40,000 messages a day. The purpose of this application was to spread propaganda and gain attention on social media platforms (Berger, 2014; ZeroFOX Team, 2015).

16 The Android application was also known as Dawn.

4 Effects

This section details the effects of cyber activities carried out in the context of the Syrian civil war at the domestic and international levels. It analyzes how Syrian society was impacted by cyberattacks, what economic costs victims incurred due to these attacks, what technological damage was caused by the cyberattacks and what technological innovations have emerged from the conflict.

At the international level, this section aims to explain the effects of the cyberattacks on international relations and international involvement in the Syrian conflict.

4.1 Social effects

At the social level, the information context in Syria is complicated. At the beginning of the protests against the Syrian government in 2011, Assad expelled all foreign journalists from Syria to prevent them from reporting on the demonstrations. The media in Syria and the information they reported were subsequently fully controlled by the government. President Assad’s aim was to isolate Syrians from outside information while shaping public opinion in his favor. At the same time, dissidents were using the internet and social media to report their side of events.

Cyberspace became a place where the government as well as anti-government and Islamist groups were able to share their narratives of the war and spread their propaganda to gain domestic and international support. Each group tried to discredit the other groups through messages, pictures and videos posted on social media. They all attempted to gain publicity to rally the population and the international community to their cause, to recruit members or to raise funds (Lee, 2016). However, it remains difficult to verify the veracity of the posted allegations, pictures and videos. The SEA was particularly aggressive in this domain and has frequently defaced, spammed or attacked with DDoS the websites of media outlets that report negatively on the Syrian government (Fisher and Keller, 2011). Al-Rawi (2014) argues that the Syrian government used the SEA as a de facto public relations tool. The significant number of disruptive attacks launched by the SEA also enabled it to gain visibility, to rally more moderate actors to its cause and to appear as a major actor. However, its unconfirmed relationship with the Syrian government allowed the Syrian government to deny any involvement in these activities. ISIS also used media and social media in Arabic and in other languages to gain visibility and access a wider audience. Its goal was also to wage psychological warfare, instilling fear in its enemies by showing highly violent propaganda photos and videos (Siboni et al., 2015).

The internet and social media have made it easier to organize protests and communicate them to a wider audience than before. In the case of the Syrian civil war, patriotic hackers, or any sympathizers of any other groups, are able to take part in the conflict in the cyber realm, provided they have the requisite technical knowledge. However, these civilians would then be considered as participants in the conflict and lose their status as non-combatants. This adds a new dimension to the conflict, as combatants are not permitted to target civilians under international law.

Hackers located in Syria are able to target websites or networks abroad, which adds another international dimension to the conflict and carries the risk that the civil war may escalate into an international conflict. However, such actions by individuals or groups also benefit the Syrian government and non-state actors by promoting the various groups’ agendas. At the same time, hackers’ actions have few political or legal consequences. Both state and non-state actors are able to deny any association with perpetrators, arguing that these are individuals acting on their own initiative. Moreover, if there is retaliation against individual(s), this does not affect the Syrian government or other non-state actors (Al-Rawi, 2014).

Society is also affected by the hijacking of social media accounts. Many social media accounts of members in anti-government groups were hijacked by the Syrian government or Islamist groups. The perpetrators would steal their victims’ login credentials using various techniques such as fake login page links sent via email, or even through the use of torture. Perpetrators would then log into their victims’ accounts and post pro-government materials and/or try to collect information on other anti-government members and their locations (Gady, 2013a). This impersonation of members of enemy groups on social media not only erodes trust among members, but also increases mistrust among the anti-government groups’ members and Syrian society as a whole. People no longer know whom to trust online and fear that they may be reported to the authorities. Social media hijacking also detracts from the legitimacy and credibility of anti-government groups in relation to their partners and the Syrian population.

4.2 Economic effects

The most obvious economic effects from cyberattacks in the context of the Syrian civil war are the costs caused by the DDoS and defacement attacks. For businesses, these attacks generate costs estimated to be US$22,000 per minute of website unavailability. The average duration of a DDoS attack is estimated to be 54 minutes. These are only the direct costs, but such attacks also damage the reputation of the website and its owner(s) (Kenig, 2013; NSFocus Inc., 2016). The bulk of cyberattacks in the context of the Syrian civil war were defacements of Twitter accounts and media outlet websites, which mostly impacted their reputation.

The defacement that had the most impact was perpetrated by the SEA on the Associated Press Twitter account in April 2013. The hacker group posted false news about an explosion in the US White House and US President Obama being injured on the Twitter feed. Within seconds from the message having been published, the stock market dropped by US$130 billion, but recovered shortly after the news was refuted (Grohe, 2015). The attack was not technically sophisticated, as the SEA obtained login credentials through spear phishing emails, but its economic consequences could have been disastrous. In this example, the cyberattack affected mostly citizens’ financial situation rather than government itself (Deegan et al., 2017).

4.3 Technological effects

During the protests and the conflict, the internet was shut down several times by the Syrian government. The internet infrastructure in Syria is highly centralized with three submarine cables emerging in Tartous and one land cable between Turkey and Aleppo. These digital gateways are controlled by STE, which enables the Syrian government to easily shut down the country’s entire internet (Gady, 2013b). The goal of these shutdowns was to prevent protesters from communicating among themselves and with the outside world. This forced the anti-government and Islamist groups to be creative and find other ways to communicate. They connected to the internet through satellite communications systems, but also relied on VPN or other censorship circumvention software (Scott-Railton et al., 2016). However, these practices also put these groups at risk of being deceived with maliciously repackaged programs, as was the case with Psiphon (Scott-Railton, 2014) and Freegate (Scott-Railton and Marquis-Boire, 2013). These cases caused opposition groups to lose confidence in such technologies and required them to be more cautious and creative when downloading tools of this kind.

The technology used in the various cyberattacks in the context of the Syrian civil war was not sophisticated. There were no discoveries of new malware families, apart from the beacon malware. The defacement attacks were also of rather low sophistication and relied mostly on known website vulnerabilities and spear phishing emails. These attacks show that actors can cause significant international disruption even with low technological sophistication.

4.4 International effects

The Syrian civil war started with protests in several cities, which were soon followed by DDoS and defacement attacks on media outlets and other websites. The conflict in cyberspace also quickly affected non-Syrian websites, spreading the cyberconflict internationally. Throughout the six years of the war, various non-Syrian websites fell victim to defacement or data breach attacks by Syrian perpetrators. The targeted websites were often media outlets reporting on the Syrian conflict or companies somehow involved in the conflict (e.g. Viber, Truecaller or Tango), or targets chosen randomly because of vulnerabilities on their websites. These attacks aimed to gain publicity but were not disruptive or damaging enough to drag foreign state actors into the war.

However, the war has an international dimension at both the physical and the cyber levels. There is a Shia front composed of Lebanon, the Syrian government and Iran. Actors from Lebanon and Iran have been observed to support the Syrian government on the ground, but also in cyberspace with training and campaigns targeting anti-government groups (Grohe, 2015). On the opposite side, there is a Sunni front composed of Turkey, Qatar and Saudi Arabia, which support anti-government and sometimes Islamist groups. Unlike the Shia support, assistance provided by Sunni states seems to be limited to the physical realm and has not been transposed to cyberspace. Also, other major powers such as Russia and the USA seem to limit their support to physical operations. The USA considered launching a cyberattack on Syrian government infrastructures, but did not do so due to concerns about possible retaliation by Iran or Russia (Sanger, 2014), although the reason may also have been to avoid disclosing US cyber capabilities in relation to a target of low importance such as the Syrian government. Russia used propaganda campaigns to justify bombings and discredit the Western intervention against ISIS (Luhn, 2016). It has also used spying malware to gather information on anti-government groups and NGOs (Jones, 2016).

A significant aspect of cyber activities in the context of the Syrian civil war is that any individual is able to take part in these attacks, as was clearly demonstrated by the case of Oliver Tucket, a US citizen who decided to hack into Syrian government networks (Grohe, 2015). This shows that it is easier for third-party actors to participate in a conflict through cyberspace than in the physical realm because of the anonymity provided by the attribution problem. Anybody with an internet connection can participate in a conflict with little risk of retaliation, whereas physically going to Syria to support either group is harder and costlier. This particularity increases confusion regarding the identity of cyberspace actors and the groups they support, as anybody can claim to be part of any group, even if they are in fact thousands of kilometers away from Syria.

The conflict in cyberspace remained circumscribed and limited to support for operations on the ground. Cyberattacks remained at a low intensity, as they merely caused disruption rather than any physical damage. The DDoS and defacements were aimed at harassing the enemy and disrupting media coverage of the conflict. Malware was only used to gather information on the enemy for battlefield preparation. The lack of high-intensity attacks may have been due to a lack of cyber capabilities as well as a lack of time for preparing and developing such attacks (Gady, 2013a).

The EU, the USA and the Arab League reacted to the Syrian government’s repression of protests by imposing economic sanctions and embargoes. Syria was already subject to economic sanctions, but the brutal repression of the demonstrations in 2011 pushed states to act and tighten sanctions. They agreed to impose travel bans, freeze financial assets and issue embargoes on certain goods and weapons. The sanctions damaged the Syrian economy, increased the number of Syrians living in poverty and hampered humanitarian aid (Khalek, 2016). The sanctions have little to do with cyberattacks, except for the seizure of approximately 700 Syrian domain names by the US firm Network Solutions LLC in 2013, which forced the SEA to host its website in Russia (Grohe, 2015).

5 Policy Consequences

This section proposes several measures that states may wish to implement to reduce the risks of malicious cyber activities from the Syrian civil war.

5.1 Raising awareness of propaganda and radicalization online

Ever since the start of the protests and the conflict in Syria, all actors have tried to gain domestic and international support by posting messages, pictures and videos online. However, it is difficult, if not impossible, to verify the veracity of posted material. The media, governments and society as a whole therefore need to raise awareness that posted documents can serve propaganda purposes and should be approached critically. Propaganda and misinformation mainly seek to rally public opinion for the groups’ respective causes, to recruit members and to raise funds. It is important for society to understand this issue and that it is difficult for democracies to counter propaganda or control what the media publish.

In addition to the general propaganda tied to the actors in the conflict themselves, there is also the fact that ISIS stands out from the others through a very well-organized propaganda and psychological warfare apparatus. ISIS uses websites aimed at non-Arabic speaking audiences alongside magazines, social media and video games for propaganda and recruitment (Siboni et al., 2015). ISIS understands the dilemmas that democratic societies face regarding freedom of speech and propaganda. Therefore, public awareness of ISIS propaganda and the risk of online radicalization needs to be increased.

Sensitization campaigns in schools or other forums can be organized to assist the population in recognizing propaganda and radicalization materials and maintaining a critical stance. It would also be important for state authorities and media to expose and correct misinformation campaigns in order to contain any undesirable effects they may have (Paul and Matthews, 2016).

5.2 Incentivizing social media to better control content

A major issue that resulted from the posting of fake information on the hacked Associated Press Twitter account by the SEA was the negative market reaction to the news. While the Dow Jones index soon recovered from having dropped by US$130 billion after the defacement, the consequences could have been a lot more serious. States should incentivize social media companies to improve login security and to quickly remove false information or illegal content. The aim of such incentives would be to prevent the repetition of events similar to the Associated Press Twitter account hack and its results. Some states are already thinking about incentives of this nature. The United Kingdom and Germany are considering fining social media companies that fail to remove posts promoting violence against a particular group, terrorism or extremism promptly. They argue that it is not a measure that restricts free speech, but rather a way to prevent the promotion of illegal activities (Bowcott, 2017).

5.3 Improving cybersecurity

A large number of cyberattacks carried out during the Syrian civil war used spear phishing emails to infect computers or steal login credentials, and it is therefore recommended to increase awareness of this issue through education programs and technical solutions. Users need a better understanding of the consequences such emails and malicious intrusions into computer systems can have. Equipped with this kind of knowledge, it is hoped that computer users would use their devices more cautiously. Sensitization campaigns could be used to teach people how to recognize fake emails and how to be more careful before clicking on links or opening attachments, enabling them to identify malicious emails more easily. Institutions could also establish simple standard operating procedures for reporting malicious emails in order to react quickly and minimize damage.

Technological solutions to assist users in recognizing spear phishing emails include requesting partners to implement email authentication systems such as the Sender Policy Framework (SPF). This framework supports users in identifying spear phishing emails by certifying the authenticity of senders’ IP addresses. Another technical solution could be to use two-factor authentication systems, which can prevent malicious actors from logging in with stolen login credentials, as it is normally only possible to steal one of the two factors required during the login process.
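The SPF check mentioned above can be illustrated with a short evaluator. This is an example added here, not part of the original analysis: it compares the IP address of the connecting mail server with the policy published by the envelope sender's domain. The domains, addresses and function names are constructed, DNS is replaced by an inline table, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS so the example runs offline.
# Domains and addresses are reserved documentation values, not real senders.
TXT_RECORDS = {
    "news.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.16/28 ip6:2001:db8:25::/48 ~all",
    "partner.example": "v=spf1 ip4:203.0.113.7 ?all",
    "news-example.example": "v=spf1 ip4:203.0.113.50 -all",  # similar name, other owner
    "loop.example": "v=spf1 include:loop.example -all",      # misconfigured policy
    "nospf.example": "site-verification=constructed",        # TXT record, but no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on terms that trigger DNS queries


class PermError(Exception):
    """The published policy is malformed or exceeds the lookup limit."""


def _evaluate(domain, ip, budget):
    """Return the result of the first matching mechanism in domain's policy."""
    terms = TXT_RECORDS.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError as exc:
                raise PermError(f"bad network {arg!r} in {domain}") from exc
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise PermError("DNS lookup limit exceeded")
            inner = _evaluate(arg, ip, budget)
            if inner == "none":
                raise PermError(f"include target {arg} publishes no SPF")
            if inner == "pass":  # only an inner pass makes include match
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, ptr and redirect= are valid SPF terms that this
            # example does not implement; malformed terms also end up here.
            raise NotImplementedError(f"term not handled here: {term}")
    return "neutral"  # nothing matched and the record has no "all" term


def check_spf(mail_from, client_ip):
    """SPF result for the envelope sender (MAIL FROM) and connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    try:
        return _evaluate(domain, ipaddress.ip_address(client_ip), [MAX_DNS_LOOKUPS])
    except PermError:
        return "permerror"


# Constructed deliveries: (envelope sender, IP of the connecting server).
SAMPLES = [
    ("editor@news.example", "192.0.2.25"),            # newsroom's own range
    ("editor@news.example", "198.51.100.20"),         # authorized via include
    ("editor@news.example", "203.0.113.50"),          # unauthorized server
    ("editor@news-example.example", "203.0.113.50"),  # passes for its own domain
    ("desk@partner.example", "203.0.113.8"),
    ("ops@loop.example", "192.0.2.1"),
    ("info@nospf.example", "192.0.2.1"),
]


def evaluate_samples(samples=SAMPLES):
    """Return (sender, ip, result) for every constructed delivery."""
    return [(sender, ip, check_spf(sender, ip)) for sender, ip in samples]


if __name__ == "__main__":
    for sender, ip, result in evaluate_samples():
        print(f"{result:<9} {sender:<30} {ip}")
```

The fourth sample shows the limit of the check: a pass only states that the server is authorized for the domain in the envelope sender, so a message from a similarly named domain with its own valid policy still passes and has to be caught by other means.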

5.4 Monitoring the evolution of the conflict

The conflict has already lasted six years and is still ongoing. There have been various changes in the actors involved and in international interventions. There have also been several failed attempts at building durable peace in Syria through various negotiations. The situation develops quickly, both on the ground and in cyberspace. The SEA was an important online actor during the early stages of the war but has now disappeared from cyberspace. ISIS arrived later in the conflict but has been quite active in cyberspace with activities focusing mainly on propaganda and publicity rather than causing actual damage. Currently, ISIS’ financial resources are strained, and the group’s territory is shrinking. States should therefore monitor this Islamist group’s online actions closely, as it might be tempted to raise money through cybercrime activities (Graham-Harrison, 2015). Just as the SEA turned to cybercrime after the seizure of its website domain name by Network Solutions LLC in 2013, the Cyber Caliphate and ISIS might choose to finance their operations on the ground by targeting businesses or individuals with cybercrime tools. Iran also positioned itself as an important actor in cyberspace in the region. It has provided assistance to the Syrian government and needs to be monitored to support an analysis of its threat potential to other countries. International intervention is currently limited to airstrikes and training, but actors with significant cyber capabilities such as Russia, the USA, Israel or Iran may be tempted to intervene, if the situation changes on the ground or in cyberspace.

6 Annex 1

Non-exhaustive table of the various cyberattacks observed in the Syrian conflict:

G = Government and pro-government groups, A = Anti-Government groups, I = Islamist groups, S = Other states, O = Third-party organizations, M = Media outlets

| Date | Victim | Type of victim | Alleged perpetrator | Technique/Tool |
| --- | --- | --- | --- | --- |
| 05.2011 | OrientTV | M | SEA | DDoS (Fisher and Keller, 2011) |
| 16.05-19.06.2011 | Hundreds of websites | M/O | SEA | Defacement (OpenNet Initiative and InfoWar Monitor, 2011) |
| 05.2011 | Email account of Syrian President al-Assad and his wife | G | SCR | Account access by obtaining the login credentials from someone close to the Assad family (Booth et al., 2012) or guessing the password, which was “1234” (Ahmad, 2012) |
| 05.2011 | Opposition Facebook pages | A | SEA | Data breach and spamming (OpenNet Initiative and InfoWar Monitor, 2011) |
| 06.2011 | Opposition forces’ Facebook pages | A | SEA | Defacement and posting of pro-Assad messages on the Facebook pages (OpenNet Initiative and InfoWar Monitor, 2011) |
| 24.06.2011 | French embassy website | S | SEA | Defacement (OpenNet Initiative and InfoWar Monitor, 2011) |
| 07.2011 | Syrian Ministry of Defense | G | Anonymous | Defacement (Fisher and Keller, 2011) |
| 07.2011 | University of California website | O | SEA | Defacement (Warren and Leitch, 2016) |
| 23.07.2011 | Anonymous social media named AnonPlus | O | SEA | Data breach (Fisher and Keller, 2011) |
| 29.08.2011 | The Atlantic website | M | SEA | Spamming and trolling (Fisher and Keller, 2011) |
| 30.08.2011 | Wrong Facebook profile of Columbia University | O | SEA | Defacement (Fisher and Keller, 2011) |
| 26.09.2011 | Harvard University website | O | SEA | Defacement (Coughlan, 2011) |
| 02.2012 | Syrian State TV Station network Addounia | G/M | Opposition forces | Infiltration of the text-message service (Weiss, 2012) |
| 28.02.2012 | Qatar Foundation Twitter account | S | SEA | Account access and posting of false information (Al-Rawi, 2014, p. 423) |
| 02.2012 | Al Jazeera English | M | SEA | Defacement (Pattar, 2013) |
| 04.2012 | Al Arabiya Twitter account | M | SEA | Account access and posting of false information (Pattar, 2013) |
| 26.04.2012 | LinkedIn blog website | M | SEA | Defacement (Messieh, 2012) |
| 07.2012 | Al Jazeera Twitter account | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Pattar, 2013) |
| 07.2012 | Opposition force members | A | SEA | Data breach and leak of information (Warren and Leitch, 2016) |
| 07.2012 | Syrian government | G | Anonymous | Data breach and leak (Apps, 2012) |
| 03.08.2012 | Reuters website and blog | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Pattar, 2013) |
| 05.08.2012 | Reuters website, blog and Twitter account | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Pattar, 2013) |
| 06.08.2012 | A Russian official's Twitter account | S | Opposition forces | Account access and posting of false information (Apps, 2012) |
| 09.2012 | Al Jazeera Arabic | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Pattar, 2013) |
| 11.2012 | Opposition forces | A | Unknown | Start of phishing campaign using DarkComet RAT malware (Galperin and Marquis-Boire, 2012) |
| 01.2013 | Opposition forces | A | Unknown | Phishing campaign disseminating a malicious link through a pro-opposition YouTube video (Scott-Railton and Marquis-Boire, 2013) |
| 03.02.2013 | Ministry of Transport of Israel | S | SEA | Data breach (Bertram, 2017) |
| 07.02.2013 | Sky News Arabia | M | SEA | Defacement (Bertram, 2017) |
| 26.02.2013 | Agence France-Presse Twitter account | M | SEA | Posting of false information (Bertram, 2017) |
| 01.03.2013 | Qatar Foundation Twitter account | O | SEA | Posting of false information (Bertram, 2017) |
| 04.03.2013 | France24 TV Twitter account | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Hopkins and Harding, 2013) |
| 17.03.2013 | Human Rights Watch website and Twitter account | O | SEA | Defacement and posting of false information (Bertram, 2017) |
| 21.03.2013 | BBC Weather, BBC Arabic and BBC Ulster Radio Twitter accounts | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Tam, 2013) |
| 03.2013 | The Daily Telegraph Twitter account | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Taylor, 2013) |
| 15.04.2013 | US National Public Radio website and Twitter account | M | SEA | Defacement, posting of false information and data breach (Hopkins and Harding, 2013) |
| 20.04.2013 | Gamerfood (software company) website | O | SEA | Defacement (Warren and Leitch, 2016) |
| 20.04.2013 | CBS News Twitter account | M | SEA | Posting of false information (Bertram, 2017) |
| 22.04.2013 | Sepp Blatter (former President of the International Federation of Association Football) Twitter account | O | SEA | Phishing and posting of false information (Hopkins and Harding, 2013) |
| 23.04.2013 | Associated Press Twitter account | M | SEA | Phishing and posting of false information (Harris, 2013) |
| 29.04.2013 | The Guardian | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Hopkins and Harding, 2013) |
| 03.05.2013 | Qatar Armed Forces | S | SEA | Data breach (Bertram, 2017) |
| 04.05.2013 | E! Online Twitter account | M | SEA | Posting of false information (Bertram, 2017) |
| 06.05.2013 | The Onion webpage and Twitter account | M | SEA | Phishing and defacement (Kerr, 2013) |
| 17.05.2013 | Financial Times webpage and Twitter account | M | SEA | Phishing and defacement (Pattar, 2013) |
| 24.05.2013 | ITV Twitter account | M | SEA | Phishing to obtain login credentials, posting of pro-government messages and false information (Warren and Leitch, 2016) |
| 25.05.2013 | The Android app from Sky News | M | SEA | The app was compromised and defaced (Warren and Leitch, 2016) |
| 05.06.2013 | Turkish government networks | S | SEA | Data breach (Bertram, 2017) |
| 18.06.2013 | Syrian state-owned Addounia TV Channel website | G/M | JNEA | Defacement (SecDev Foundation, 2013b) |
| 06.2013 | Opposition forces | A | Unknown | The Freegate (VPN tool) software was repackaged to deliver the ShadowTech Trojan (Scott-Railton and Marquis-Boire, 2013) |
| 16.07.2013 | Truecaller (international telephone directory) | O/A | SEA | Data breach (Geers and Alqartah, 2013) |
| 19.07.2013 | Reuters Twitter account | M | SEA | Posting of false information (Bertram, 2017) |
| 21.07.2013 | Tango (video and text messaging service) | O/A | SEA | 1.5 terabytes of stolen data (Geers and Alqartah, 2013) |
| 23.07.2013 | Daily Dot News website | M | SEA | Defacement (Bertram, 2017) |
| 24.07.2013 | Viber (Telephone services) | O/A | SEA | Phishing to obtain login credentials and data breach (Geers and Alqartah, 2013) |
| 06.08.2013 | Channel4 Blog | M | SEA | Defacement (Bertram, 2017) |
| 14.08.2013 | Facebook page of an anti-government Syrian cleric | A | ENDF | Posting of malicious link (SecDev Foundation, 2013a) |
| 15.08.2013 | Outbrain (advertising service) | O | SEA | Spear phishing and defacement (Warren and Leitch, 2016) |
| 20.08.2013 | Facebook page of an anti-government group | A | ENDF | Defacement (SecDev Foundation, 2013a) |
| 21.08.2013 | ShareThis website | O | SEA | Defacement (Bertram, 2017) |
| 24.08.2013 | Facebook page of an anti-government group | A | ENDF | Defacement (SecDev Foundation, 2013a) |
| 27.08.2013 | The New York Times website | M | SEA | Defacement by DNS hijacking (Harris, 2013) |
| 29-30.08.2013 | The New York Times website | M | SEA | Defacement by DNS hijacking (Harris, 2013) |
| 29-30.08.2013 | The Huffington Post British website | M | SEA | Defacement by DNS hijacking (Manning and Grubb, 2013) |
| 29-30.08.2013 | The Twitter images (Twimg.com) website | M | SEA | Defacement by DNS hijacking (Harris, 2013) |
| 08.2013 | SEA | G | Anonymous | Data breach and leak of stolen information (Steier, 2013) |
| 09.2013 | Opposition forces | A | Unknown | Infection campaign with njRAT through a Facebook page (Galperin et al., 2013) |
| 02.09.2013 | US Marine Corps recruitment webpage | S | SEA | Defacement (Harris, 2013) |
| 11.09.2013 | Several Fox News Twitter accounts | M | SEA | Account access and posting of false information (Bertram, 2017) |
| 13.09.2013 | Computer of a regional commander of the Syrian National Defense Forces | G | JNEA | Data breach (SecDev Foundation, 2013b) |
| 14.09.2013 | Opposition forces | A | Unknown | A malicious link on a pro-opposition Facebook page caused the njRAT malware to download (Galperin et al., 2013) |
| 30.09.2013 | The Global Post website and Twitter account | M | SEA | Posting of false information and deletion of website contents (Chuck, 2013) |
| 07.10.2013 | NGO | A | Unknown, possibly Jabhat al-Nusra | Phishing email containing a video with XtremeRAT malware (Galperin et al., 2013) |
| 14.10.2013 | Opposition forces | A | Unknown, possibly Jabhat al-Nusra | Phishing email containing a message with XtremeRAT malware (Galperin et al., 2013) |
| 21.10.2013 | Qatar Domain Name System | O | SEA | Hack (Bertram, 2017) |
| 28.10.2013 | Organization for Action Gmail account | O | SEA | Defacement redirecting towards Barack Obama’s Facebook and Twitter accounts (Warren and Leitch, 2016) |
| 09.11.2013 | Vice webpage | M | SEA | Phishing and defacement (Warren and Leitch, 2016) |
| 12.11.2013 | Matthew VanDyke (US news reporter) Twitter account and email | M | SEA | Hack (Bertram, 2017) |
| 15-18.11.2013 | Anti-Shabiha (Alawite militia) website | A | SEA | Defacement (Bertram, 2017) |
| 29.11.2013 | Time Magazine | M | SEA | Defacement (Bertram, 2017) |
| 11.2013 | Opposition forces, media activists and humanitarian aid workers in Syria | A | Unknown, possible links with Lebanon | Start of malware campaign using female avatar on Skype to lure victims into downloading malicious documents (Regalado et al., 2015) |
| 01.01.2014 | Skype website, Facebook and Twitter accounts | O | SEA | Phishing to obtain login credentials and posting of false information (Warren and Leitch, 2016) |
| 11.01.2014 | Xbox Twitter accounts | O | SEA | Defacement (Warren and Leitch, 2016) |
| 15.01.2014 | 15 Saudi government websites | S | SEA | Hack (Bertram, 2017) |
| 15.01.2014 | A state-owned Saudi magazine | M | SEA | Hack (Bertram, 2017) |
| 22.01.2014 | Microsoft Office blog website | O | SEA | Defacement (Warren and Leitch, 2016) |
| 23.01.2014 | CNN Twitter account | M | SEA | Defacement (Warren and Leitch, 2016) |
| 03.02.2014 | EBay website | O | SEA | Hack (Warren and Leitch, 2016) |
| 03.02.2014 | PayPal website | O | SEA | Hack (Warren and Leitch, 2016) |
| 06.02.2014 | Facebook website | O | SEA | Defacement by DNS hijacking (Warren and Leitch, 2016) |
| 14.02.2014 | Forbes website | M | SEA | Phishing to obtain login credentials and posting of false information (Warren and Leitch, 2016) |
| 17.02.2014 | Forbes employees and users | M | SEA | Data breach of about one million email addresses and passwords from Forbes users and employees (Bertram, 2017) |
| 11.03.2014 | Opposition forces | A | Unknown | The Psiphon software (censorship circumvention tool) was repackaged to stealthily deliver the njRAT malware (Scott-Railton, 2014) |
| 12.03.2014 | 3 FC Barcelona Twitter accounts | O | SEA | Hack and defacement probably because of the club’s ties to Qatar (Bertram, 2017) |
| 14.03.2014 | US Central Command | S | SEA | Defacement (Rosenblatt, 2015) |
| 26.04.2014 | RSA Conference website | O | SEA | Defacement (Bertram, 2017) |
| 06.05.2014 | The Wall Street Journal Twitter account | M | SEA | Defacement (Bertram, 2017) |
| 18.06.2014 | The Sun webpage | M | SEA | Hack (Warren and Leitch, 2016) |
| 18.06.2014 | The Sunday Times webpage | M | SEA | Hack (Warren and Leitch, 2016) |
| 22.06.2014 | Reuters webpage | M | SEA | Hack (Warren and Leitch, 2016) |
| 30.06.2014 | Israel Defense Forces blog website | S | SEA | Defacement (Bertram, 2017) |
| 04.07.2014 | Israel Defense Forces Twitter account | S | SEA | Posting of false information (Bertram, 2017) |
| 02.10.2014 | UNICEF Twitter account | O | SEA | Posting of false information (Bertram, 2017) |
| 27.11.2014 | Gigya comment system | M/O | SEA | Disruption to the proper functioning of hundreds of websites (Brinded, 2014) |
| 11.2014 | Citizen journalists posting on the website Raqqah Is Being Slaughtered Silently | M | Allegedly ISIS | Spear phishing and malware (Scott-Railton and Hardy, 2014) |
| 16.12.2014 | International Business Times website | M | SEA | Hack and defacement (Gold, 2015) |
| 2015 | Opposition forces | A | Syrian Government | The Syrian government developed and used an internet surveillance tool using the malware Backdoor.breut (Zaluski, 2016) |
| 01.2015 | US Central Command YouTube and Twitter accounts | S | Cyber Caliphate (ISIS) | Defacement (Coffey, 2015) |
| 21.01.2015 | Le Monde website | M | SEA | DDoS (Warren and Leitch, 2016) |
| 10.02.2015 | International Business Times website | M | Cyber Caliphate (ISIS) | Defacement (Gold, 2015) |
| 10.02.2015 | Newsweek Twitter account and a subsidiary Newsweek Tumblr website | M | Cyber Caliphate (ISIS) | Defacement and posting of false information (Mosendz, 2015) |
| 12.02.2015 | Syrian Observatory for Human Rights Facebook page | O | SEA | Defacement (Bertram, 2017) |
| 30.03.2015 | Endurance International Group INC (a world-leading web hosting service) | O | SEA | Hack (Bertram, 2017) |
| 13.04.2015 | Australian airport website | O | ISIS | Defacement |
| 14.05.2015 | Washington Post | M | SEA | Defacement (Bertram, 2017) |
| 08.06.2015 | US Army website | S | SEA | Defacement (Weise, 2015) |
| 10.2015 | Opposition forces | A | Group5, possible links with Iran | Spear phishing campaign to lure opposition members into downloading malicious documents and visiting malicious websites (Scott-Railton et al., 2016) |
| 08.11.2015 | 54’000 Twitter accounts (mostly based in Saudi Arabia) | O | Cyber Caliphate (ISIS) | Posting of pro-ISIS messages, publication of account passwords and phone numbers of the directors of the US Central Intelligence Agency, the FBI and the US National Security Agency (Bhutia, 2015) |

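7 Annex 2

Table of cyberattacks detailing the actors, their targets, the types of attacks used, infection methods used and malware families used in the context of the Syrian conflict.

X = Targets or uses, - = Does not target or does not use, ? = possibly targets or possibly uses

| Group | Actors | Targets: Syrian government forces | Targets: Pro-government groups | Targets: Anti-government groups | Targets: Islamist groups | Targets: Third-party states | Targets: Third-party organizations | Targets: Media | Types of cyberattacks: Propaganda and misinformation | Types of cyberattacks: Defacement | Types of cyberattacks: DDoS | Types of cyberattacks: RAT malware | Types of cyberattacks: Data breach/Leak | Delivery means: Watering hole | Delivery means: Phishing/spear phishing | Delivery means: Website vulnerabilities | Delivery means: Others (e.g. USB-drive) | Malware families: njRAT | Malware families: XtremeRAT | Malware families: BlackWorm | Malware families: DarkComet RAT | Malware families: Backdoor.breut | Malware families: Android malware | Malware families: Other malware families [17] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Government and pro-government groups | Syrian government | - | - | X | - | - | - | - | X | - | X | X | - | X | - | - | X | X | - | - | - | X | - | - |
| Government and pro-government groups | SEA | - | - | X | - | X | X | X | X | X | X | X | - | - | X | X | - | X | X | - | X | - | - | - |
| Government and pro-government groups | SMT | - | - | X | - | - | - | - | - | - | - | X | - | - | - | - | - | - | - | X | - | - | - | - |
| Government and pro-government groups | EDNF | - | - | X | - | - | - | - | X | X | - | - | - | X | X | - | - | - | - | - | - | - | - | - |
| Government and pro-government groups | Pro-government Lebanese group | - | - | X | - | - | - | - | - | - | - | X | - | - | - | - | - | - | - | - | X | - | X | - |
| Government and pro-government groups | Group5 | - | - | X | - | - | - | - | - | - | - | X | - | X | X | - | - | X | - | - | - | - | X | X |
| Government and pro-government groups | Government sympathizers/patriotic hackers | - | - | ? | - | - | - | - | X | - | - | - | - | - | - | ? | - | - | - | - | - | - | - | - |
| Anti-government groups | FSA | X | X | - | - | - | - | X | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| Anti-government groups | SCR | X | X | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| Anti-government groups | HSR | X | ? | - | - | - | - | - | - | - | - | - | X | - | - | - | - | - | - | - | - | - | - | - |
| Anti-government groups | Anti-government sympathizers/activists | X | X | - | - | - | - | - | X | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| Islamist groups | ISIS/Cyber Caliphate | - | - | X | - | X | X | - | X | X | X | - | - | - | X | X | - | - | - | - | - | - | - | ? |
| Islamist groups | Jabhat al-Nusra | X | X | ? | - | - | ? | - | - | X | - | X | X | - | X | - | - | - | X | - | - | - | - | - |
| Islamist groups | Ahrar al-Sham | X | X | X | ? | - | - | - | - | ? | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| Islamist groups | Islamist sympathizers | - | - | - | - | X | - | - | X | X | - | - | - | - | - | X | - | - | - | - | - | - | - | - |
| State actors | USA | ? [18] | - | - | ? | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| State actors | Russia | - | - | X | - | - | X | - | X | - | - | X | - | - | X | - | - | - | - | - | - | - | - | X |
| State actors | Turkey | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| State actors | Iran | - | - | X | - | - | - | - | - | - | - | X | - | - | X | - | - | - | - | - | - | - | - | X |
| State actors | Israel | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| State actors | Saudi | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| State actors | United Arab Emirates | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| State actors | Qatar | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| Non-aligned | Anonymous | X | X | - | X | X | - | - | - | X | X | - | X | - | - | - | - | - | - | - | - | - | - | X |
| Non-aligned | Oliver Tucket | X | - | - | - | - | - | - | - | X | - | - | X | - | - | ? | ? | - | - | - | - | - | - | - |

[17] Includes the malware: NanoCore, ShadowTech RAT, BlackShades RAT (= Shades RAT) and the “beacon malware”.

[18] USA considered using cyber capabilities against the Syrian regime (Sanger, 2014).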


8 Glossary

Backdoor: Part of a software code allowing hackers to remotely access a computer without the user’s knowledge (Ghernaouti-Hélie, 2013, p. 426).

Botnet: Network of infected computers which can be accessed remotely and controlled centrally in order to launch coordinated attacks (Ghernaouti-Hélie, 2013, p. 427).

Command and Control (C&C): A server through which the person controlling malware communicates with it in order to send commands and retrieve data (QinetiQ Ltd, 2014, p. 2).

Data breach: Event in which information of a sensitive nature is stolen from a network without the users’ knowledge (TrendMicro, 2017).

Digital gateway: A hardware device that enables traffic to flow in and out of two networks by connecting them (TechTerms, 2015).

Distributed Denial of Service (DDoS): Act of overwhelming a system with a large number of packets through the simultaneous use of infected computers (Ghernaouti-Hélie, 2013, p. 431).

Domain Name Service (DNS): The address structure that translates Internet Protocol addresses into a string of letters that is easier to remember and use (Internet Corporation For Assigned Names and Numbers, 2016).

Domain Name System (DNS) hijacking: A form of website defacement also referred to as DNS redirection, where a malicious attacker obtains unauthorized access to victims’ computers and changes their DNS settings to another DNS server, which redirects victims to malicious websites (Srikanth, 2017).

Firewall: Software for controlling and possibly blocking incoming and outgoing traffic in and from a network or personal computer (PCmag, 2016a).

Hack: Act of entering a system without authorization (Ghernaouti-Hélie, 2013, p. 433).

Hacktivism: Use of hacking techniques for political or social activism (Ghernaouti-Hélie, 2013, p. 433).

Internet Protocol (IP) address: A numerical address assigned to each device that uses the internet communications protocol, allowing computers to communicate with one another (Internet Corporation For Assigned Names and Numbers, 2016).

Malware: Malicious software that can take the form of a virus, a worm or a Trojan horse (Collins and McCombie, 2012, p. 81).

Patriotic hacking: Sometimes also referred to as nationalistic hacking. A group of individuals originating from a specific state engage in cyberattacks in defense against actors that they perceive to be enemies of their country (Denning, 2011, p. 178).

Phishing: Technique used to trick a message recipient into disclosing confidential information such as login credentials by disguising messages to suggest that they originate from a legitimate organization (Ghernaouti-Hélie, 2013, p. 437).

Remote Administration or Access Tool (RAT): Software granting remote access and control to a computer without having physical access to it. RAT can be legitimate software, but also malicious (Siciliano, 2015).

Script kiddies: Attackers who use cybertools that have been developed by more experienced and sophisticated hackers. Their main motive is to gain attention (PCtools, 2016).

Sender Policy Framework (SPF): Technical system validating email senders as coming from an authenticated connection in order to prevent email spoofing (Openspf, 2010).

Spamming: Messages, comments or posts sent in large quantities via email or on social media (Ghernaouti-Hélie, 2013, p. 440).

Spear phishing: A sophisticated phishing technique that not only imitates legitimate webpages, but also selects potential targets and adapts malicious emails to them. Emails often look like they come from a colleague or a legitimate company (Ghernaouti-Hélie, 2013, p. 440).

SQL Injection: A cyberattack technique in which malicious code is injected into an entry field for execution and is executed by an SQL database (Microsoft, 2016).

Trojan horse: Malware hidden in a legitimate program in order to infect a system and hijack it (Ghernaouti-Hélie, 2013, p. 441).

Troll: A person submitting provocative statements or articles to an internet discussion in order to create discord and drag more people into it (Williams, 2012).

Two-factor authentication: A login procedure that involves two out of the following three elements: something the user knows (e.g. password), something the user has (e.g. card), and something the user is (e.g. biometric) (Rosenblatt and Cipriani, 2015).

Virtual Private Network (VPN): Private network within a public network that uses encryption to remain private (PCmag, 2016b).

Watering hole attacks: Attack where a legitimate website is injected with malicious code that redirects users to a compromised website which infects users accessing it (TechTarget, 2015).

Website defacement: Cyberattack replacing website pages or elements by other pages or elements (Ghernaouti-Hélie, 2013, p. 442).


9 Abbreviations

C&C Command and Control

DDoS Distributed Denial of Service

DNS Domain Name System

ENDF Electronic National Defense Forces (Pro-government group)

EU European Union

FBI US Federal Bureau of Investigation

FSA Free Syrian Army (Anti-government group)

HSR Hackers of the Syrian Revolution (Anti-government group)

IP Internet Protocol

IRGC Islamic Revolutionary Guard Corps (Iran)

ISIS Islamic State of Iraq and the Levant (Islamist group)

JNEA Jabhat al-Nusra Electronic Army (Islamist group)

NGO Non-Governmental Organization

RAT Remote Access/Administration Tool

SCR The Supreme Council of the Revolution (Anti-government group)

SCS Syrian Computer Society

SCSR The Supreme Council of the Syrian Revolution (Anti-government group)

SEA Syrian Electronic Army (Pro-government group)

SMT Syrian Malware Team (Pro-government group)

SNC The Syrian National Council (Anti-government coalition)

SPF Sender Policy Framework

STE Syrian Telecommunications Establishment

UN United Nations

VPN Virtual Private Network


10 Bibliography

Ahmad, M. al-Makki, 2012. How I Hacked Assad’s E-Mail [WWW Document]. Al-Monit. URL http://www.al-monitor.com/pulse/politics/2012/09/how-i-hacked-assads-emails.html (accessed 17.3.17).

Al Jazeera, 2017. Syria’s Civil War Explained [WWW Document]. Al Jazeera. URL http://www.aljazeera.com/news/2016/05/syria-civil-war-explained-160505084119966.html (accessed 20.3.17).

Al-Rawi, A.K., 2014. Cyber warriors in the Middle East: The case of the Syrian Electronic Army. Public Relat. Rev. 40, 420–428. doi:10.1016/j.pubrev.2014.04.005

Apps, P., 2012. Syria Crisis: Cyber War And Disinformation Growing In Conflict [WWW Document]. Huffington Post. URL http://www.huffingtonpost.com/2012/08/07/syria-cyber-war_n_1750724.html (accessed 15.2.17).

Associated Press, 2011. Syria nuclear weapons site revealed by UN investigators [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2011/nov/01/syria-nuclear-arms-site-revealed (accessed 24.2.17).

BBC News, 2017a. Syria profile - Timeline [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-14703995 (accessed 8.2.17).

BBC News, 2017b. Turkey “ends” Euphrates Shield campaign in Syria [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-39439593 (accessed 31.3.17).

BBC News, 2017c. Syria peace talks: Sides fail to meet on first day in Geneva [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-39037609 (accessed 2.3.17).

BBC News, 2016. Syria: The story of the conflict [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-26116868 (accessed 24.2.17).

BBC News, 2015. Turkey’s downing of Russian warplane - what we know [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-34912581 (accessed 4.10.17).

BBC News, 2013. Guide to the Syrian rebels [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-24403003 (accessed 22.3.17).

BBC News, 2012. UN envoy calls for transitional government in Syria [WWW Document]. BBC News. URL http://www.bbc.com/news/world-middle-east-18650775 (accessed 24.2.17).

Bennett-Smith, M., 2012. Anonymous Declares War On Syrian Government Websites In Retaliation For Internet Blackout [WWW Document]. Huffington Post. URL http://www.huffingtonpost.com/2012/11/30/anonymous-declares-war-syrian-government-websites_n_2218447.html (accessed 20.4.17).

Berger, J.M., 2014. How ISIS Games Twitter [WWW Document]. The Atlantic. URL https://www.theatlantic.com/international/archive/2014/06/isis-iraq-twitter-social-media-strategy/372856/ (accessed 18.4.17).

Bertram, S.K., 2017. “Close enough” – The link between the Syrian Electronic Army and the Bashar al-Assad regime, and implications for the future development of nation-state cyber counter-insurgency strategies. J. Terror. Res. 8, 2. doi:10.15664/jtr.1294

Bhutia, J., 2015. Isis “Cyber Caliphate” hacks more than 54,000 Twitter accounts [WWW Document]. Int. Bus. Times. URL http://www.ibtimes.co.uk/isis-cyber-caliphate-hacks-more-54000-twitter-accounts-1527821 (accessed 20.3.17).

Blight, G., Pulham, S., Torpey, P., 2012. Arab spring: an interactive timeline of Middle East protests [WWW Document]. The Guardian. URL https://www.theguardian.com/world/interactive/2011/mar/22/middle-east-protest-interactive-timeline (accessed 24.2.17).

Booth, R., Mahmood, M., Harding, L., 2012. Exclusive: secret Assad emails lift lid on life of leader’s inner circle [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2012/mar/14/assad-emails-lift-lid-inner-circle (accessed 17.3.17).

Bouckaert, P., 2013. Dispatches: Yes, it was Sarin, UN Report Says. Now What? [WWW Document]. Hum. Rights Watch. URL https://www.hrw.org/news/2013/09/16/dispatches-yes-it-was-sarin-un-report-says-now-what (accessed 24.2.17).

Bowcott, O., 2017. Social media firms must face heavy fines over extremist content – MPs [WWW Document]. The Guardian. URL https://www.theguardian.com/media/2017/may/01/social-media-firms-should-be-fined-for-extremist-content-say-mps-google-youtube-facebook (accessed 3.5.17).

Brinded, L., 2014. Syrian Electronic Army Causes Internet Chaos By Shutting Down Media Outlets via Gigya Platform Hack [WWW Document]. Int. Bus. Times. URL http://www.ibtimes.co.uk/syrian-electronic-army-causes-internet-chaos-by-shutting-down-media-outlets-1476948 (accessed 6.3.17).


Calpito, D., 2015. Anonymous’ Total War On ISIS More Harmful Than Helpful, Warns Experts [WWW Document]. Tech Times. URL http://www.techtimes.com/articles/109489/20151124/anonymous-total-war-on-isis-more-harmful-than-helpful-warns-experts.htm (accessed 20.4.17).

Chuck, E., 2013. GlobalPost hacked by Syrian Electronic Army [WWW Document]. NBC News. URL http://www.nbcnews.com/news/other/globalpost-hacked-syrian-electronic-army-f8C11320008 (accessed 6.3.17).

Chulov, M., 2012. Syria shuts off internet access across the country [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2012/nov/29/syria-blocks-internet (accessed 24.2.17).

Cimpanu, C., 2016. Syrian Electronic Army Hacker Pleads Guilty to Online Extortion Charges [WWW Document]. Softpedia. URL http://news.softpedia.com/news/syrian-electronic-army-hacker-pleads-guilty-to-online-extortion-charges-508804.shtml (accessed 13.2.17).

Clarke, C.P., 2016. Al Nusra Is Stronger Than Ever [WWW Document]. RAND Corp. URL http://www.rand.org/blog/2016/11/al-nusra-is-stronger-than-ever.html (accessed 19.4.17).

Coffey, L., 2015. Syria’s online battlefield [WWW Document]. Al Jazeera. URL http://www.aljazeera.com/indepth/opinion/2015/06/syria-online-battlefield-150617072048625.html (accessed 13.2.17).

Collins, S., McCombie, S., 2012. Stuxnet: the emergence of a new cyber weapon and its implications. J. Polic. Intell. Count. Terror. 7, 80–91. doi:10.1080/18335330.2012.653198

Coughlan, S., 2011. Harvard website hacked by Syria protesters [WWW Document]. BBC News. URL http://www.bbc.com/news/education-15061377 (accessed 13.2.17).

Deegan, A., Khalid, Y., Kingue, M., Taboada, A., 2017. Cyber-ia: The Ethical Considerations Behind Syria’s Cyber-War. Small Wars J.

Denning, D.E., 2011. Cyber Conflict as an Emergent Social Phenomenon, in: Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications. Holt and Schell, pp. 170–186.

Duggan, P.M., 2015. Strategic Development of Special Warfare in Cyberspace. Jt. Force Q. 79, 46–53.

Fisher, M., Keller, J., 2011. Syria’s Digital Counter-Revolutionaries [WWW Document]. The Atlantic. URL https://www.theatlantic.com/international/archive/2011/08/syrias-digital-counter-revolutionaries/244382/ (accessed 8.2.17).

Gady, F.-S., 2013a. Syria: Preparing for the Cyber Threat [WWW Document]. Natl. Interest. URL http://nationalinterest.org/commentary/syria-preparing-the-cyber-threat-8997 (accessed 9.3.17).

Gady, F.-S., 2013b. What Would Cyber-War With Syria Look Like? [WWW Document]. US News. URL https://www.usnews.com/opinion/blogs/world-report/2013/09/13/what-the-spanish-civil-war-tells-us-about-syria-and-cyber-attacks (accessed 9.3.17).

Gallagher, S., 2013. Network Solutions seizes over 700 domains registered to Syrians [WWW Document]. Ars Tech. URL https://arstechnica.com/tech-policy/2013/05/network-solutions-seized-over-700-domains-registered-to-syrians/ (accessed 3.4.17).

Galperin, E., Marquis-Boire, M., 2012. The Internet is Back in Syria and So is Malware Targeting Syrian Activists [WWW Document]. Electron. Front. Found. URL https://www.eff.org/deeplinks/2012/12/iinternet-back-in-syria-so-is-malware (accessed 21.2.17).

Galperin, E., Marquis-Boire, M., Scott-Railton, J., 2013. Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns. Electronic Frontier Foundation.

Geers, K., Alqartah, A., 2013. Syrian Electronic Army Hacks Major Communications Websites [WWW Document]. FireEye. URL https://www.fireeye.com/blog/threat-research/2013/07/syrian-electronic-army-hacks-major-communications-websites.html (accessed 21.2.17).

Ghernaouti-Hélie, S., 2013. Cyberpower: crime, conflict and security in cyberspace, 1. ed., Forensic sciences. EPFL Press, Lausanne.

Gold, H., 2015. Newsweek’s Twitter account hacked [WWW Document]. PoliticoMagazine. URL http://www.politico.com/blogs/media/2015/02/newsweeks-twitter-account-hacked-202380 (accessed 16.2.17).

Graham-Harrison, E., 2017. Assad says Syria chemical attack that killed dozens is “fabrication” [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2017/apr/13/assad-says-syria-chemical-attack-khan-sheikhun-fabrication (accessed 18.4.17).

Graham-Harrison, E., 2015. Could Isis’s “cyber caliphate” unleash a deadly attack on key targets? [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2015/apr/12/isis-cyber-caliphate-hacking-technology-arms-race (accessed 13.4.17).


Grohe, E., 2015. The Cyber Dimensions of the Syrian Civil War: Implications for Future Conflict. Comp. Strategy 34, 133–148. doi:10.1080/01495933.2015.1017342

Gurcan, M., 2016. Is the Islamic State planning a cyber-caliphate? [WWW Document]. Al-Monit. URL http://www.al-monitor.com/pulse/originals/2016/07/turkey-syria-isis-cyber-space-turkish-content.html (accessed 4.4.17).

Haid, H., 2016. How Syrians View Nusra’s Split from al-Qaeda [WWW Document]. Atl. Counc. URL http://www.atlanticcouncil.org/blogs/syriasource/how-syrians-view-nusra-s-split-from-al-qaeda (accessed 19.4.17).

Hamill, J., 2014. Anonymous Hacktivists Prepare For Strike Against ISIS “Supporters” [WWW Document]. Forbes. URL https://www.forbes.com/sites/jasperhamill/2014/06/27/anonymous-hacktivists-prepare-for-strike-against-isis-supporters/#34af16bb3d7e (accessed 20.4.17).

Harris, S., 2013. How did the Syrian Electronic Army suddenly get so good? [WWW Document]. Syd. Morning Her. URL http://www.smh.com.au/it-pro/security-it/how-did-the-syrian-electronic-army-suddenly-get-so-good-20130905-hv1m8.html (accessed 13.2.17).

Hopkins, N., Harding, L., 2013. Pro-Assad Syrian hackers launching cyber-attacks on western media [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2013/apr/29/assad-syrian-hackers-cyber-attacks (accessed 3.3.17).

Internet Corporation For Assigned Names and Numbers, 2016. Glossary [WWW Document]. ICANN. URL https://www.icann.org/resources/pages/glossary-2014-02-03-en#i (accessed 4.11.16).

Jones, S., 2016. Russia steps up Syria cyber assault [WWW Document]. Financ. Times. URL https://www.ft.com/content/1e97a43e-d726-11e5-829b-8564e7528e54 (accessed 2.5.17).

Kaspersky Lab, 2014. Syrian Malware, the ever-evolving threat (No. 1.0). Kaspersky Lab HQ.

Kenig, R., 2013. How Much Can a DDoS Attack Cost Your Business? [WWW Document]. Radware Blog. URL https://blog.radware.com/security/2013/05/how-much-can-a-ddos-attack-cost-your-business/ (accessed 23.1.17).

Kerr, D., 2013. Onion’s Twitter account hacked by Syrian Electronic Army [WWW Document]. CNet. URL https://www.cnet.com/news/onions-twitter-account-hacked-by-syrian-electronic-army/ (accessed 16.2.17).

Khalek, R., 2016. U.S. and EU sanctions are punishing ordinary Syrians and crippling aid work, U.N. Report reveals [WWW Document]. The Intercept. URL https://theintercept.com/2016/09/28/u-s-sanctions-are-punishing-ordinary-syrians-and-crippling-aid-work-u-n-report-reveals/ (accessed 2.5.17).

Klion, D., 2016. The US-Russia discord will be an ugly fact for the next President [WWW Document]. The Guardian. URL https://www.theguardian.com/commentisfree/2016/oct/09/us-russia-discord-weight-on-the-next-president-hacking-dnc-election (accessed 24.10.16).

Kobrak, M., 2017. Syrian electronic army highly likely disbanded in 2016 [WWW Document]. Intell. Obs. URL https://intelligenceobserver.com/2017/02/26/syrian-electronic-army-highly-likely-disbanded-in-2016/ (accessed 3.4.17).

Lee, B., 2016. The Impact of Cyber Capabilities in the Syrian Civil War. Small Wars J.

Liu, Y., 2017. Backdoor.Breut [WWW Document]. Symantec Secur. Response. URL https://www.symantec.com/security_response/writeup.jsp?docid=2012-021012-3004-99 (accessed 25.4.17).

Luhn, A., 2016. Russian media could almost be covering a different war in Syria [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2016/oct/03/russia-media-coverage-syria-war-selective-defensive-kremlin (accessed 2.5.17).

Lund, A., 2015. Who Are the Pro-Assad Militias? [WWW Document]. Carnegie Middle East Cent. URL http://carnegie-mec.org/diwan/59215 (accessed 24.3.17).

Manning, J.W., Grubb, B., 2013. New York Times hack linked to Australian internet company, Syrian Electronic Army fingered [WWW Document]. Syd. Morning Her. URL http://www.smh.com.au/it-pro/security-it/new-york-times-hack-linked-to-australian-internet-company-syrian-electronic-army-fingered-20130827-hv1jc (accessed 13.2.17).

McElroy, D., Vahdat, A., 2013. Iranian cyber warfare commander shot dead in suspected assassination [WWW Document]. The Telegraph. URL http://www.telegraph.co.uk/news/worldnews/middleeast/iran/10350285/Iranian-cyber-warfare-commander-shot-dead-in-suspected-assassination.html (accessed 9.3.17).

Messieh, N., 2012. Hackers take down official LinkedIn blog for “spreading lies about Syria” [WWW Document]. Web. URL https://thenextweb.com/me/2012/04/26/hackers-take-down-official-linkedin-blog-for-spreading-lies-about-syria/ (accessed 13.2.17).

Microsoft, 2016. SQL Injection [WWW Document]. Microsoft TechNet. URL https://technet.microsoft.com/en-us/library/ms161953(v=SQL.105).aspx (accessed 29.11.16).

Mosendz, P., 2015. Newsweek Twitter Account Hacked By Group Claiming ISIS Affiliation [WWW Document]. Newsweek. URL http://europe.newsweek.com/newsweek-twitter-account-hacked-isis-affiliated-group-305897?rm=eu (accessed 6.3.17).

Murgia, M., 2015. Could cyberattack on Turkey be a Russian retaliation? [WWW Document]. The Telegraph. URL http://www.telegraph.co.uk/technology/internet-security/12057478/Could-cyberattack-on-Turkey-be-a-Russian-retaliation.html (accessed 4.10.17).

New Jersey Cybersecurity & Communications Integration Cell, 2017. NJRat [WWW Document]. NJ Cybersecurity. URL https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat (accessed 25.4.17).

New Jersey Cybersecurity & Communications Integration Cell, 2016. DarkComet [WWW Document]. NJ Cybersecurity. URL https://www.cyber.nj.gov/threat-profiles/trojan-variants/darkcomet?rq=darkcomet (accessed 25.4.17).

Noman, H., 2011. The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army [WWW Document]. OpenNet Initiat. URL https://opennet.net/emergence-open-and-organized-pro-government-cyber-attacks-middle-east-case-syrian-electronic-army (accessed 14.2.17).

NSFocus Inc., 2016. Distributed Denial-of-Service (DDoS) Attacks: An Economic Perspective (Whitepaper). NSFocus Inc., Santa Clara, CA.

OpenNet Initiative, InfoWar Monitor, 2011. Syrian Electronic Army: Disruptive Attacks and Hyped Targets [WWW Document]. OpenNet Initiat. URL https://opennet.net/syrian-electronic-army-disruptive-attacks-and-hyped-targets (accessed 14.2.17).

Openspf, 2010. Sender Policy Framework [WWW Document]. Send. Policy Framew. URL http://www.openspf.org/Introduction (accessed 3.1.17).

Pattar, T., 2013. Cyber attacks in the Middle East [WWW Document]. Thesigers. URL http://thesigers.com/analysis/2013/7/29/cyber-attacks-in-the-middle-east.html (accessed 13.2.17).

Paul, C., Matthews, M., 2016. The Russian “Firehose of Falsehood” Propaganda Model: Why It Might Work and Options to Counter It (No. PE-198-OSD), Perspectives. RAND Corporation, Santa Monica, CA.

Payet, L., 2014. NanoCore: Another RAT tries to make it out of the gutter [WWW Document]. Symantec Secur. Response. URL https://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter (accessed 25.4.17).

PCmag, 2016a. Definition of: firewall [WWW Document]. PCmag. URL http://www.pcmag.com/encyclopedia/term/43218/firewall (accessed 25.4.17).

PCmag, 2016b. Definition of: virtual private network [WWW Document]. PCmag. URL http://www.pcmag.com/encyclopedia/term/53942/virtual-private-network (accessed 25.4.17).

PCtools, 2016. What is a Script Kiddie? [WWW Document]. PCtools Symantec. URL http://www.pctools.com/security-news/script-kiddie/ (accessed 20.3.17).

Peterson, A., 2013. Here’s how one hacker is waging war on the Syrian government [WWW Document]. Wash. Post. URL https://www.washingtonpost.com/news/the-switch/wp/2013/08/28/heres-how-one-hacker-is-waging-war-on-the-syrian-government/?utm_term=.01464aa473c7 (accessed 20.4.17).

QinetiQ Ltd, 2014. Command & Control: Understanding, denying, detecting. QinetiQ Ltd.

Regalado, D., Villeneuve, N., Scott-Railton, J., 2015. Behind the Syrian conflict’s digital front lines, Special Report. FireEye Inc., Milpitas, CA.

Reuters, 2017. Russia and China veto UN resolution to impose sanctions on Syria [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2017/mar/01/russia-and-china-veto-un-resolution-to-impose-sanctions-on-syria (accessed 31.3.17).

Reuters, 2016. Russia Withdraws Backing for International Criminal Court Treaty [WWW Document]. N. Y. Times. URL http://www.nytimes.com/reuters/2016/11/16/world/europe/16reuters-russia-icc-withdrawal.html?ref=world&_r=0 (accessed 22.11.16).

Rosenblatt, S., 2015. US military social-media accounts hacked [WWW Document]. CNet. URL https://www.cnet.com/news/us-military-social-media-accounts-hit-with-hacking-attack/ (accessed 16.2.17).

Rosenblatt, S., Cipriani, J., 2015. Two-factor authentication: What you need to know (FAQ) [WWW Document]. CNet. URL https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/ (accessed 14.12.16).

Ruhfus, J., 2015. Syria’s Electronic Armies [WWW Document]. Al Jazeera. URL http://www.aljazeera.com/programmes/peopleandpower/2015/06/syria-electronic-armies-150617151503360.html (accessed 13.2.17).

Sanger, D.E., 2014. Syria War Stirs New U.S. Debate on Cyberattacks [WWW Document]. N. Y. Times. URL https://www.nytimes.com/2014/02/25/world/middleeast/obama-worried-about-effects-of-waging-cyberwar-in-syria.html (accessed 15.2.17).

Scott-Railton, J., 2014. Maliciously Repackaged Psiphon Found [WWW Document]. Citiz. Lab. URL https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/ (accessed 21.2.17).

Scott-Railton, J., Abdulrazzak, B., Hulcoop, A., Brooks, M., Kleemola, K., 2016. Group5: Syria and the Iranian Connection [WWW Document]. Citiz. Lab. URL https://citizenlab.org/2016/08/group5-syria/ (accessed 14.2.17).

Scott-Railton, J., Hardy, S., 2014. Malware Attack Targeting Syrian ISIS Critics [WWW Document]. Citiz. Lab. URL https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/ (accessed 20.2.17).

Scott-Railton, J., Marquis-Boire, M., 2013. A Call to Harm: New Malware Attacks Target the Syrian Opposition [WWW Document]. Citiz. Lab. URL https://citizenlab.org/2013/06/a-call-to-harm/ (accessed 21.2.17).

SecDev Foundation, 2013a. Flash Note Syria: Syria’s National Defence Forces Take The Battle to Cyberspace.

SecDev Foundation, 2013b. Flash Note Syria: Syrian Hacker Wars.

Shaheen, K., Torpey, P., Gutièrrez, P., Levett, C., 2015. Who backs whom in the Syrian conflict [WWW Document]. The Guardian. URL https://www.theguardian.com/world/ng-interactive/2015/oct/09/who-backs-whom-in-the-syrian-conflict (accessed 20.3.17).

Siboni, G., Cohen, D., Koren, T., 2015. The Islamic State’s Strategy in Cyberspace. Mil. Strateg. Aff. 7, 127–144.

Siciliano, R., 2015. What is a Remote Administration Tool (RAT)? [WWW Document]. McAfee Blog. URL https://securingtomorrow.mcafee.com/consumer/identity-protection/what-is-rat/ (accessed 4.11.16).

Srikanth, R., 2017. DNS Hijacking: What is it and How it Works [WWW Document]. GoHacking. URL https://www.gohacking.com/dns-hijacking/ (accessed 2.3.17).

Stanford University, 2017. Ahrar al-Sham [WWW Document]. Stanf. Univ. URL http://web.stanford.edu/group/mappingmilitants/cgi-bin/groups/view/523 (accessed 23.3.17).

Steier, H., 2013. Wie die Syrian Electronic Army angriff [WWW Document]. Neue Zür. Ztg. URL https://www.nzz.ch/digital/syrian-electronic-army-sea-twitter-new-york-times-1.18140391 (accessed 13.2.17).

Syrian Network for Human Rights, 2013. Syrian security branches and Persons in charge. Syrian Network For Human Rights.

Tam, D., 2013. “Syrian Electronic Army” hacks a BBC Twitter account [WWW Document]. CNet. URL https://www.cnet.com/news/syrian-electronic-army-hacks-a-bbc-twitter-account/ (accessed 13.2.17).

Taylor, A., 2013. Syrian Hackers Take Over Daily Telegraph Twitter Accounts [WWW Document]. Bus. Insid. URL http://www.businessinsider.com/telegraph-twitter-hacked-by-sea-2013-5?IR=T (accessed 6.3.17).

TechTarget, 2015. watering hole attack [WWW Document]. TechTarget. URL http://searchsecurity.techtarget.com/definition/watering-hole-attack (accessed 29.11.16).

TechTerms, 2015. Gateway [WWW Document]. TechTerms. URL https://techterms.com/definition/gateway (accessed 2.5.17).

TrendMicro, 2017. Definition [WWW Document]. TrendMicro. URL http://www.trendmicro.com/vinfo/us/security/definition/data-breach (accessed 17.1.17).

Villeneuve, N., Bennett, J.T., 2014. XtremeRAT: Nuisance or Threat? [WWW Document]. FireEye. URL https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html (accessed 25.4.17).

Walker, S., Shaheen, K., Chulov, M., Wintour, P., 2016. Russian ambassador to Turkey shot dead by police officer in Ankara gallery [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2016/dec/19/russian-ambassador-to-turkey-wounded-in-ankara-shooting-attack (accessed 31.3.17).

Warren, M., Leitch, S., 2016. The Syrian Electronic Army – a hacktivist group. J. Inf. Commun. Ethics Soc. 14, 200–212. doi:10.1108/JICES-12-2015-0042

Weise, E., 2015. U.S. Army website hacked, Syrian group claims credit [WWW Document]. USA Today. URL http://www.usatoday.com/story/tech/2015/06/08/us-army-website-wwwarmymil-syrian-electronic-army-hack/28703173/ (accessed 6.3.17).

Weiss, M., 2012. Syrian Opposition Targets the Regime Online [WWW Document]. Wash. Inst. URL http://www.washingtoninstitute.org/policy-analysis/view/syrian-opposition-targets-the-regime-online (accessed 20.3.17).

Wilhoit, K., Haq, T., 2014. Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks [WWW Document]. FireEye. URL https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html (accessed 21.2.17).

Williams, L., 2011. Syria to set Facebook status to unbanned in gesture to people [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2011/feb/08/syria-facebook-unbanned-people (accessed 24.2.17).

Wintour, P., Walker, S., 2016. Vladimir Putin orders Russian forces to begin withdrawal from Syria [WWW Document]. The Guardian. URL https://www.theguardian.com/world/2016/mar/14/vladimir-putin-orders-withdrawal-russian-troops-syria (accessed 31.3.17).

World Nuclear News, 2016. Russia withdraws from US nuclear cooperation [WWW Document]. World Nucl. News. URL http://www.world-nuclear-news.org/NP-Russia-withdraws-from-US-nuclear-cooperation-07101601.html (accessed 29.11.16).

Wroughton, L., Winning, A., 2016. Syria talks in Lausanne end without breakthrough [WWW Document]. Reuters. URL http://www.reuters.com/article/us-mideast-crisis-syria-talks-idUSKBN12E2GQ (accessed 31.3.17).

Zaluski, R., 2016. Syria’s Cyberwar [WWW Document]. Cent. Strateg. Cyberspace Secur. Sci. URL http://cscss.org/CS/2016/08/20/syrias-cyberwar/ (accessed 16.2.17).

Zelin, A.Y., Lister, C., 2013. The crowning of the Syrian Islamic Front [WWW Document]. Foreign Policy. URL http://foreignpolicy.com/2013/06/24/the-crowning-of-the-syrian-islamic-front/ (accessed 23.3.17).

ZeroFOX Team, 2015. ISIS: Terror Has Gone Social [WWW Document]. ZeroFOX. URL https://www.zerofox.com/blog/islamic-state-isis-terror-has-gone-social-infographic/ (accessed 18.4.17).


The Center for Security Studies (CSS) at ETH Zurich is a center of competence for Swiss and international security policy. It offers security policy expertise in research, teaching and consulting. The CSS promotes understanding of security policy challenges as a contribution to a more peaceful world. Its work is independent, practice-relevant, and based on a sound academic footing.