The Islamic State in Iraq and Syria (ISIS) may be branching out into the cyber-war business: A Syrian citizen media group critical of the terrorist group was recently targeted in a customized digital attack designed to unmask their location.
According to Citizen Lab, the Syrian group known as Raqqah is being Slaughtered Silently (RSS) focuses its advocacy on documenting human rights abuses by ISIS elements occupying the city of Ar-Raqqah. The city is located in northern Syria and continues to be a key flashpoint of the Syrian Civil War.
ISIS forces in the city have reportedly targeted the group with house raids, kidnappings and an alleged assassination. The group also faces online threats from ISIS and its supporters, including taunts that ISIS is spying on the group.
“Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible,” CL noted. “The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is focused against a group that is an active target of ISIS forces.”
The unmasking attack took the form of an unsolicited spear-phishing email that was carefully worded and contained references specific to the work and interests of RSS. It carried a download link to a decoy file, which in turn contained custom malware that profiled the victim’s computer and beaconed its IP address to an email account under the attacker’s control.
The email read:
“Thank you for your efforts to deliver a true picture of the reality of life in Raqqah. As Syrians residing in Canada we are working with media because we believe in the importance of shedding light on the realities of life in Syria, and Raqqah in particular. We are preparing a lengthy news report on the realities of life in Raqqah. We are sharing some information with you with the hope that you will correct it in case it contains errors. We have prepared a map of the city of Raqqah, in addition to a preliminary report. We hope that you have a look at it with them and inform us of any errors. We also hope that if you happen to be on Facebook, you could provide us with the account of the person responsible for the campaign, if you don’t mind, so that we can communicate with him directly.”
The attack infects a user who views the decoy “slideshow,” and beacons home with the IP address of the victim’s computer and details about his or her system each time the computer restarts. This behavior strongly suggests that the function of this malware is to serve as a beacon.
The evidence points to an ISIS link, the group noted. “Unlike Syrian regime-linked malware, it contains no Remote Access Trojan (RAT) functionality, suggesting it is intended for identifying and locating a target,” said CL. “Further, because the malware sends data captured by the malware to an email address, it does not require that the attackers maintain a command-and-control server online. This functionality would be especially useful to an adversary unsure of whether it can maintain uninterrupted Internet connectivity.”
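The behaviour described above (a process that starts with the machine and reports in over email rather than to a C2 server) is something a defender can hunt for in endpoint telemetry. The following is an added illustration, not code from Citizen Lab or the report: it runs over constructed, Sysmon-like event records and flags any non-mail-client image that, across more than one boot session, was started shortly after boot and then opened an outbound SMTP connection. The allow-list, time window and event layout are assumptions.

```python
"""Added example (not from Citizen Lab's report): flag a process that starts at boot
and sends mail directly, the pattern of a beacon that reports via an email account
instead of a C2 server. Event records are constructed, Sysmon-like dicts."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Hypothetical allow-list; a real deployment would use the site's actual mail clients.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BOOT_WINDOW_S = 180  # process creation within 3 min of boot counts as "startup"


def find_email_beacons(events, min_boots=2):
    """Return {image: sorted boot_ids} for images that, in at least `min_boots`
    distinct boot sessions, were started within BOOT_WINDOW_S of that boot and
    then made an outbound SMTP connection. Known mail clients are ignored."""
    starts = {}   # (boot_id, pid) -> process_start event
    smtp = set()  # (boot_id, pid) pairs that talked SMTP
    for ev in events:
        key = (ev["boot_id"], ev["pid"])
        if ev["type"] == "process_start":
            starts[key] = ev
        elif ev["type"] == "net_connect" and ev["dst_port"] in SMTP_PORTS:
            smtp.add(key)
    boots_by_image = defaultdict(set)
    for key in smtp:
        s = starts.get(key)
        if s is None:
            continue  # connection without a recorded process start; skip
        name = s["image"].rsplit("\\", 1)[-1].lower()
        if name in KNOWN_MAIL_CLIENTS:
            continue
        if 0 <= s["ts"] - s["boot_ts"] <= BOOT_WINDOW_S:
            boots_by_image[s["image"]].add(key[0])
    return {img: sorted(b) for img, b in boots_by_image.items() if len(b) >= min_boots}


# Constructed telemetry: two reboots; a "slideshow" dropper starts at boot and mails
# out both times, while Outlook (launched by the user much later) is ignored.
SAMPLE_EVENTS = [
    {"type": "process_start", "boot_id": 1, "boot_ts": 1000, "ts": 1042, "pid": 412,
     "image": r"C:\Users\u\AppData\Roaming\slideshow.exe"},
    {"type": "net_connect", "boot_id": 1, "pid": 412, "dst_port": 587},
    {"type": "process_start", "boot_id": 1, "boot_ts": 1000, "ts": 2400, "pid": 900,
     "image": r"C:\Program Files\Microsoft Office\outlook.exe"},
    {"type": "net_connect", "boot_id": 1, "pid": 900, "dst_port": 587},
    {"type": "process_start", "boot_id": 2, "boot_ts": 9000, "ts": 9031, "pid": 388,
     "image": r"C:\Users\u\AppData\Roaming\slideshow.exe"},
    {"type": "net_connect", "boot_id": 2, "pid": 388, "dst_port": 465},
]

if __name__ == "__main__":
    print(find_email_beacons(SAMPLE_EVENTS))
```

Requiring the pattern to recur across boot sessions is what separates a persistent beacon from a one-off mail send; tune the window and allow-list to the environment.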
This attack has little technical sophistication (it uses no exploits, code obfuscation or techniques to frustrate reversing), but then, many elements within ISIS are only now growing fluent in imposing control and targeting opponents using digital methods. In addition, ISIS has reportedly gained the support of at least one individual with some experience in social engineering and hacking: Junaid Hussain (aka TriCk), a former member of the hacking team TeaMp0isoN.
“Reports about ISIS targeting Internet cafés have grown increasingly common, and in some cases reports point to the possible use of keyloggers as well as unspecified IP sniffers to track behavior in Internet cafes,” CL reported.
“After considering each possibility, we find strong but inconclusive circumstantial evidence to support a link to ISIS,” CL said. “Whether or not ISIS is responsible, this attack is likely the work of a non-regime threat actor who may be just beginning to field a still-rudimentary capability in the Syrian conflict. The entry costs for engaging in malware attacks in a conflict like the Syrian Civil War are low, and made lower by the fact that the rule of law is nonexistent for large parts of the country.”