Read Black Code: Inside the Battle for Cyberspace Online
Authors: Ronald J. Deibert
Tags: #Social Science, #True Crime, #Computers, #Nonfiction, #Cybercrime, #Security, #Retail
Had we pursued the offer to “fight the Chinese” we would have no doubt enjoyed a lucrative and exciting, but highly unethical, set of missions. It was not the first time – and it would not be the last – that the Citizen Lab had to decide whether or not to intervene in the very world we were studying, nor was it the first time we were confronted with the blurring worlds of cyber crime, espionage, and international warfare.
• • •
Another day, another hacker exploit. Only this time the perpetrator was not Anonymous or LulzSec or any of their hacker sympathizers. In February 2012, a group called the Syrian Electronic Army (SEA) posted on Internet forums the email credentials, including usernames and passwords, of Al Jazeera journalists, as well as a series of emails purporting to show bias in their coverage of the Assad regime. We learned about this breach the same way most other concerned observers did: when the SEA boasted about it on their Arabic Facebook page. That’s right, the SEA has a Facebook page. In fact, the pro-regime cyber warriors have set up hundreds of them, and as soon as Facebook administrators receive a complaint about the group violating its terms of service – for inciting violence or using Facebook to disseminate links to malicious software – the offending page is removed, prompting the SEA to simply create a new page under a new name. (At the time of writing, the latest address was http://www.facebook.com/SEA.P. 187.) It is an online version of Whac-A-Mole, only in this case it’s not a game, it’s war.
The SEA also has a Twitter account, through which posts are made in Arabic that taunt its adversaries or boast about its latest exploit. For example, on July 5, 2012, the SEA managed to take over the Twitter account of Al Jazeera’s The Stream – possibly acquiring the login credentials through a previous breach of Al Jazeera’s servers – and then took credit for the hack on its own Twitter account, @Official_SEA. For a few hours on that July day, to the bemusement of many Twitterati, they used Al Jazeera’s account to turn the broadcaster’s coverage upside down: from an independent monitor of atrocities to a mouthpiece for the Assad regime.
The Citizen Lab turned its attention to the SEA when the Arab Spring blew into the streets of Damascus in early 2011. Amidst the smoke and rubble of an increasingly violent civil war – and after the UN monitors finally reported that “crimes against humanity” were being committed by the Syrian regime — another type of warfare took shape, this one through radio waves and fibre-optic cables, and over social media platforms.
Like the Tunisians, Egyptians, and Libyans, angry Syrians opposed to the dictatorial ways of their government and looking to ignite a revolution reached instinctively for the latest tools of the digital age. The anti-Assad “Day of Rage,” announced to the world through Arabic Facebook, Twitter, and other social media platforms in February 2011, set the tone. The Syrian protesters built on lessons learned from other digitally empowered protests, and benefited from a growing grassroots movement of technological peer support. Hacktivist groups like Telecomix and Anonymous jumped into the fray by breaking into Syrian government computers, distributing secure tools to circumvent Internet censorship, and helping expose companies that provide services to the Assad regime.
In February 2012, Anonymous broke into the email server of the Syrian Ministry of Presidential Affairs and published hundreds of emails. As usual in such domestic conflicts, neighbouring states and great powers meddled in this one, too. While Russia and China stymied UN resolutions to sanction Syria, Iran’s Revolutionary Guard’s elite signals intelligence unit roamed Syrian city streets in black vans and employed sophisticated surveillance tools to triangulate the location of dissidents using insecure satellite phones. On the other side of the battle, American and British officials provided tools and training for the armed opposition in the Free Syrian Army, while the Canadian government quietly used its diplomatic headquarters in Ankara, Turkey, to channel information to those fighting the Assad regime.
As a result of such outside support, those opposed to Assad are technologically well equipped. The latest generation of mobile phones has been employed as frontline sensors, uploading atrocities for the world to witness as they occur – their shaky, hand-held videos a grim portal into the otherwise hidden spectacle of torture, suffering, and death – thus circumventing the Syrian regime’s official blackout of journalists. The Citizen Lab’s senior Middle East and North Africa-based researcher, Helmi Noman, has shared many of these videos with our Toronto staff, translating the horrific scenes from Arabic to English so that we could understand that protesters were being buried alive at gunpoint, forced to swear allegiance to Assad while they drew their last breath; that tidy lines of corpses covered in blood-stained white sheets, some clearly children, were the victims of deliberate Syrian military attacks on the country’s own people in its own cities.
But the familiar script of digitally enabled pro-democracy activists outflanking flat-footed tyrants, which played itself out in other theatres of the Arab Spring, never fully materialized in Syria. The Assad regime adapted and evolved, taking its counter-insurgency tactics to the virtual plane. Unlike the leaderships of Egypt and Libya, who in last-ditch acts of desperation pulled the plug on the Internet, after various ham-fisted attempts at control Syria decided instead to actually loosen its grip on cyberspace. Facebook, Blogspot, YouTube, and Twitter, perennially censored by the xenophobic regime, were suddenly made available at the very moment activists took to the streets and to their mobile phones. A conciliatory gesture perhaps? An appeasement to the protesters’ demands for more free speech and access to information? More likely the powers-that-be had a more sinister strategy in mind.
Part of that sinister strategy involves surveillance. By loosening controls over particular Internet platforms – especially those used by protesters to organize – the Syrian regime acquired unparalleled insights into its adversaries’ thoughts, plans, and actions. As the conflict unfolded, reports began to surface about a dark market in high-tech equipment – the products and services coming mostly from Western firms—used by the regime. In a series of investigative reports, Bloomberg News revealed that an Italian company, Area SpA, was installing a surveillance system that would enable the Assad regime to intercept, scan, and catalogue emails flowing through the country. The report was the tip of an iceberg.
The Citizen Lab helped uncover that filtering and proxy devices made by Blue Coat Systems, an American company based in Sunnyvale, California, were widely deployed across the Internet in Syria. Our researcher Jakub Dalek discovered the Blue Coat devices by running a series of specially designed network scans, the equivalent of a digital flashlight searching through the sewers and catacombs of Syrian Internet space looking for the fingerprints of specific equipment. The Blue Coat devices could be used to filter content and monitor communications in fine-grained detail. Under U.S. sanctions against the sale of products and services to Syria – designated a “state sponsor of terror” by the American government – any business relationship between Blue Coat and Syria was illegal.
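What such a fingerprinting scan looks like in practice, as an added example that is not the Citizen Lab's scanner and not Blue Coat's software: a matcher that parses raw HTTP responses collected from a range of hosts and flags those whose headers or body carry a vendor signature. The header names and patterns in SIGNATURES are assumptions for illustration only (a real signature set is built from responses captured from known devices), and the sample responses and 192.0.2.x addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical vendor signatures, assumed for illustration.
# Each entry: (label, where, regex). 'where' is a lowercase header
# name, or 'body' to match against the response body.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("bluecoat-loop-header", "x-bluecoat-via", re.compile(r".+")),
    ("bluecoat-via", "via", re.compile(r"blue\s*coat", re.I)),
    ("bluecoat-block-page", "body", re.compile(r"blue\s*coat", re.I)),
]


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP response into (status, headers, body).

    Header names are lowercased; repeated headers are kept as a list.
    Raises ValueError for anything that is not an HTTP status line, so
    non-HTTP banners (SSH, SMTP, junk) are never silently classified.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue  # blank or malformed header line: ignore, do not guess
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def match_signatures(raw: str) -> List[str]:
    """Return the labels of every signature that matches one response."""
    _, headers, body = parse_response(raw)
    hits: List[str] = []
    for label, where, pattern in SIGNATURES:
        if where == "body":
            if pattern.search(body):
                hits.append(label)
            continue
        # Any one value of a repeated header is enough for a hit.
        if any(pattern.search(v) for v in headers.get(where, [])):
            hits.append(label)
    return hits


def classify_scan(results: Dict[str, str], min_hits: int = 2) -> Dict[str, List[str]]:
    """Map host -> matched labels for hosts with at least min_hits signatures.

    min_hits=2 demands corroborating evidence: a product name inside an
    HTML body alone is weak (any web page can mention a vendor), while a
    vendor-specific header plus a Via line is much harder to explain away.
    """
    flagged: Dict[str, List[str]] = {}
    for host, raw in results.items():
        try:
            hits = match_signatures(raw)
        except ValueError:
            continue  # non-HTTP or truncated banner: skipped, not flagged
        if len(hits) >= min_hits:
            flagged[host] = hits
    return flagged


# Constructed sample scan results (TEST-NET addresses, invented banners).
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": (
        "HTTP/1.1 403 Forbidden\r\n"
        "Via: 1.1 proxy1.example (Blue Coat SG)\r\n"
        "X-BlueCoat-Via: 0123abcd\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body>Access denied by filtering policy.</body></html>"
    ),
    "192.0.2.11": (
        "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n"
        "Content-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"
    ),
    "192.0.2.12": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
        "<html><body>Powered by Blue Coat</body></html>"
    ),
    "192.0.2.13": "SSH-2.0-OpenSSH_5.3\r\n",
}

if __name__ == "__main__":
    for host, labels in classify_scan(SAMPLE_RESPONSES).items():
        print(host, labels)
```

Two caveats a practitioner would add. A hit only shows that a device answering with that fingerprint sits on the path between the scanner and the target address; it says nothing about who operates it, whether it was shipped there by the vendor, or what policy it enforces, which is why the report went on to look at sanctions and the vendor's update channel separately. And the corroboration threshold matters: run with min_hits=1 the sample above also flags 192.0.2.12 on the strength of a body string alone, the kind of false positive that would not survive publication.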
The European hacker collective Telecomix was on the same trail as the Citizen Lab, and published reams of unfiltered data they had collected about Blue Coat. Our report was released a few days later, on November 9, 2011, and both reports led to a firestorm, including calls for a U.S. Congressional investigation into Blue Coat. The company later acknowledged the presence of their devices in Syria, but said they were shipped to the country fraudulently and without their knowledge, a dubious claim. As Blue Coat’s devices exist to filter and monitor Internet traffic, and function properly only when checking in for updates from Blue Coat’s central servers, such a claim was too far-fetched to be credible. These and other revelations of high-tech surveillance equipment being imported into Syria underscored the other side of a regime that once attempted to control the Internet through censorship: targeted surveillance is far more effective.
Just as the Citizen Lab was preparing its Blue Coat report, we stumbled upon a number of Syrian government websites that were hosted on Canadian servers, including the state-backed television station, Addounia TV, which had been placed on an official sanctions list by Canada and the European Union for incitement of violence. The content being streamed online by Addounia TV claimed that the atrocities captured on film by Syrian protesters were fabrications, and it encouraged Syrians who supported Assad to take to the streets and fight back. In a bizarre twist Addounia was hosted on computers located in Montreal, and we also found that the website of Al-Manar, the media wing of the Lebanese militant group Hezbollah, was hosted on the same Montreal-based servers, again in violation of Canadian sanctions. Reflecting on the role media have played in inciting genocide in places like Rwanda, we decided to publish our findings immediately. Called The Canadian Connection: An Investigation of Syrian Government and Hezbullah Web Hosting in Canada, our report no doubt caused a few red faces in Foreign Affairs and International Trade Canada, but it also underscored the complexity and difficulty of imposing effective international sanctions over cyberspace activities. Nonetheless, believing that web hosting constituted “material support” for the Syrian regime and Hezbollah, we chose to act swiftly.
• • •
High-tech surveillance equipment in Syria and Syrian government web hosting in Canada were only part of the story of Syria’s metamorphosis from an Internet-phobic regime to one that embraces technology in the service of armed struggle and civil repression. The SEA’s first forays into cyber war may have been amateurish – it defaced websites, the online equivalent of graffiti; spammed the comments sections of online forums and newspapers, the actions of a pest more than a menacing army; and targeted websites and forums that appeared to have no relation whatsoever to Syria (the website of an obscure town council in Britain, Harvard University, and so forth), juvenile acts of opportunism. Website defacements of this sort demonstrate a low level of expertise: anyone with a few hours to spare can easily Google instructions and then scan the Internet looking for low-hanging fruit, poorly patched servers waiting to be plucked and desecrated. But over time, and especially into 2012, the SEA evolved, its methods becoming increasingly sophisticated.
In the spring of 2012, the Electronic Frontier Foundation started receiving reports from inside Syria of phishing attacks on Facebook, YouTube, and other social media outlets used by Syrian dissidents. The EFF found that when users clicked on links posted in the comment sections of opposition Facebook and YouTube pages, they were taken to fake websites that encouraged them to download special software, which was then used to acquire their credentials and sometimes to take over their computers. The EFF also discovered an instance of a malicious software program hidden in images circulated among Syrians in the diaspora. Although the EFF could not confirm the identity of the perpetrators, they suspected that the Syrian telecommunications ministry was behind the attacks. Meanwhile, reports surfaced of authorities using force against activists and dissident Facebook users and demanding their login information. In one case, a user was beaten by Syrian police, who then informed him that they had been reading his “bad comments” on Facebook. After providing his password to authorities, he was imprisoned for two weeks. Upon his release, he found that somebody had logged into his Facebook account and posted pro-regime comments in his name.
Google computer security analyst Morgan Marquis-Boire and UCLA Ph.D. student John Scott-Railton were involved in the EFF’s work, and in 2012 they contacted the Citizen Lab to suggest combining research efforts with the EFF’s Eva Galperin. (Marquis-Boire and Scott-Railton later joined the Citizen Lab as research fellows.) Together, our teams have uncovered one targeted attack after another on Syrian dissidents, typically engineered by commandeering someone’s computer and using that person’s Skype or email account to trick the dissident’s network of contacts into clicking on links or opening files that contained malicious trojans. Whereas prior defacement and spam attacks had the imprecision of a sledgehammer, these attacks were more like carefully calibrated pliers. Our researchers watched as the cyber raids became more persistent and sophisticated, using several commercial remote administration tools bundled and hidden in malicious software, which suggested significant knowledge of criminal hacking techniques. When the author of one of these tools, called Dark Comet, discovered through our published reports that his software was being repurposed by the SEA to trap dissidents, he was horrified, issued an apology, and announced that he would no longer maintain the software as a freely available product. This did little to slow down the SEA. Within days there were more attacks targeting Syrian dissidents, this time using a different commercial remote administration tool called Blackshades.
Although we found no smoking gun connecting these attacks directly to the Syrian government, the majority were clearly engineered by individuals connected to command-and-control computers operating on Syrian telecommunications networks registered in Damascus. A Citizen Lab contact with extensive dealings in the domain registration business gave us a likely set of names and Syrian-based cellphone numbers connected to the names and email addresses used to register the domains linked to the attacks, but we decided not to publish them for fear of endangering lives. Clearly, though, the Syrian government was either tacitly condoning or actively encouraging the SEA, a marked turning point in how an autocratic regime deals with a digitally mobilized opposition. Dictators have little to fear from technology: it can be their best friend.
Syria’s SEA is a curious hybrid. Not formally linked to the Syrian government, it nonetheless undertakes information operations in support of the regime, and does so at arm’s length so as to ensure plausible deniability. Its methods are not technically complex; indeed, they are run-of-the-mill and widely employed in the world of cyber crime, and they are attractive because they are cheap, easy to use, and often enough extremely effective. This is precisely what makes the SEA case noteworthy: the methods, tools, and tradecraft of cyber crime are being repurposed and deployed by one of the world’s most repressive states in the midst of a bloody civil war, a new model of “active defence” emerging among autocratic regimes the world over. The exploitation of cyber-crime techniques is an increasingly common state-sponsored form of military action in cyberspace, and the already percolating menace of cyber crime is morphing into a boiling cauldron of espionage, sabotage, warfare, and repression.