Paris-Syrian opposition activist Noura Al-Ameer was combing through her emails late one night when a message caught her eye. The sender was “Assadcrimes” and he promised information about Iranian meddling in the Middle East. But the email seemed odd.
Al-Ameer turned to her husband, cybersecurity trainer Bahr Abdul Razzak, in their small, book-cluttered home in the Turkish city of Gaziantep.
“Have you heard of this group before?” Al-Ameer asked.
“No,” he said. “But let me check the email.”
Abdul Razzak, a fellow at internet watchdog group Citizen Lab, quickly determined that the group was bogus. The email, sent on Oct. 3 last year, was an electronic trap — one of hundreds of malicious messages that have flown back and forth as rebels grapple with the regime of Bashar Assad in Syria. This one had been aimed at snaring Al-Ameer in particular; the website registered by the hacker was in her name, suggesting an attempt to steal her identity.
Al-Ameer is a well-known opposition figure, and stealing her data or her identity could have been the jumping off point to attack other Syrians in and out of the country.
As Abdul Razzak and his colleagues tried to trace the hackers, they found a trail of digital clues leading to Iran. Their story — detailed in a report issued Tuesday by Citizen Lab, an interview with the couple and conversations with outside experts — raise the possibility that Iran has gone beyond sending men and materiel to tip the scale in Assad’s favor.
The country’s hackers may have joined the fray as well.
“It’s not a shock,” said Al-Ameer, a 29-year-old who spent six months in Syrian regime detention before moving to Turkey in 2013. “They’re fighting our people on the ground. I think it’s normal for any side that fights you on the ground to fight you on the internet.”
Evidence of an Iranian link is outlined in a 56-page report by Citizen Lab, based at the Munk School of Global Affairs at the University of Toronto. The group has made a specialty of tracking the hackers who’ve dogged Syria’s opposition, which lead author John Scott-Railton said had turned into “something of a petri dish for threat actors in the Middle East.”
The report says those behind the “Assadcrimes” website appear to have inadvertently exposed their site’s logs, showing evidence that its creators accessed it in part from the Iranian internet space. A string of data recovered from the malicious code used to target Al-Ameer appeared to refer to a developer who runs a malicious software site registered in the Iranian city of Shiraz.
The evidence isn’t conclusive but it “lets us think that we’re perhaps looking at a group that’s operating from Iran,” Scott-Railton said. He cautioned that it wasn’t possible to say much about the group’s potential sponsorship — government or otherwise.
An outside expert who evaluated Citizen Lab’s report endorsed its work.
The botched cyberespionage attempt “is consistent with Iranian activity we’ve previous observed, in terms of operational security, social engineering, and technical sophistication,” said John Hultquist, a threat intelligence manager at network security company FireEye Inc., based in Milpitas, California.
The hackers in Al-Ameer’s case appear to have made some mistakes. But Scott-Railton said those who target Syria’s scattered opposition activists are only as sophisticated as they need to be. Many groups operating in the area, including the pro-Assad Syrian Electronic Army, have used very simple tools and persistent trickery to repeatedly compromise savvier targets.
Al-Ameer said that, in a way, the hacking was scarier than when she says she was arrested and tortured at the hands of Assad’s security forces.
“When they arrested me, I was careful just to tell them what I wanted,” she said. “When they hack you, they will know everything without harming you physically. For our case, it’s more dangerous than arresting.
“Inside Syria or outside Syria, we’re not safe.”
The Washington Post