- Chapter I Backgrounds
- Chapter II Attacks of the Syrian Electronic Army
- Chapter III Cyber Surveillance Campaigns on Mobile Platforms of the Syrian Electronic Army
- Chapter IV Summary of the Technical Features of Syrian Electronic Army
- Chapter V The Role and Influence of the Syrian Electronic Army
- References
- 360 BeaconLab
Chapter I Backgrounds
1. Syrian Regime
Syria, officially the Syrian Arab Republic, is a country in Western Asia, bordering the Mediterranean Sea to the west, Turkey to the north, Iraq to the east, Jordan to the south, Lebanon and Palestine to the southwest, and Cyprus to the west across the Mediterranean Sea. The country's total area is 185,180 square kilometers, including the Golan Heights.
Syria is home to one of the world's oldest civilizations. It has been ruled by great powers such as the Roman Empire, the Arab caliphates and the Ottoman Empire. Before becoming Roman territory it passed through the hands of the Phoenicians, Hittites, Mitanni, Assyrians, Babylonians, Ancient Egyptians, the Persian Empire, the Macedonian Empire and the subsequent Seleucid Empire.
Before 633, Syria was a birthplace and center of Christianity. As the Arab Empire expanded across the Middle East, Syria was one of the centers of Islamic civilization from the 7th to the early 16th century, later becoming part of the Fatimid, Ayyubid and Mamluk dynasties. The Mongols defeated the Ayyubids during their third westward expedition, and the Ilkhanate was in turn defeated by the Mamluks at Damascus, after which Mongol forces withdrew and Syria was ruled from Egypt. Following the Crusades and the expansion of the Ottomans, Ottoman Turkey defeated the Mamluks and Syria became part of the Ottoman Empire in 1516. France invaded in the 18th century and occupied it as a protectorate, and after the First World War Syria was ruled by France.
It gained de jure independence as a parliamentary republic on 24 October 1945, when Republic of Syria became a founding member of the United Nations, an act which legally ended the former French Mandate – although French troops did not leave the country until April 1946. The post-independence period was tumultuous, with many military coups and coup attempts shaking the country from 1949 to 1971.
In 1958, Syria entered a brief union with Egypt called the United Arab Republic, which was terminated by the 1961 Syrian coup d'état. The republic was renamed into the Arab Republic of Syria in late 1961 and was increasingly unstable until the 1963 Ba'athist coup d'état, since which the Ba'ath Party has maintained its power. Syria was under Emergency Law from 1963 to 2011, effectively suspending most constitutional protections for citizens. Bashar al-Assad has been president since 2000 and was preceded by his father Hafez al-Assad who was in office from 1971 to 2000.
Since March 2011, Syria has been embroiled in an armed conflict, with a number of countries in the region and beyond involved militarily or otherwise. As a result, a number of self-proclaimed political entities have emerged on Syrian territory, including the Syrian opposition forces, Rojava, Tahrir al-Sham and the Islamic State of Iraq and the Levant. Syria is ranked last on the Global Peace Index, making it the most violent country in the world because of the war.
2. Syrian Civil War
The unrest in Syria, part of the wider wave of the 2011 Arab Spring protests, grew out of discontent with the Syrian government and escalated to an armed conflict after protests calling for Assad's removal were violently suppressed. The war, which began on 15 March 2011 with major unrest in Damascus and Aleppo, is being fought by several factions from inside Syria and abroad.
Syria's anti-government demonstrations quickly spread across the country, and the conflict between demonstrators and security forces escalated. With the assistance of Western countries (especially the United States) and of countries promoting the Sunni cause (represented by Turkey and Israel), the Syrian opposition, which demanded that the Alawite President Bashar al-Assad step down, grew rapidly and established its own armed forces. The anti-government conflict eventually evolved into a civil war that continues to this day.
The opposition has two main representative political organizations, the National Coalition for Syrian Revolutionary and Opposition Forces and the Syrian Interim Government. Its main armed group is the Free Syrian Army. The Arab League, the Gulf Cooperation Council and the 57-member Organisation of Islamic Cooperation have revoked the Assad regime's membership and recognized the Syrian opposition as a legitimate representative. On the other hand, religious Islamist armed groups, Islamic terrorist organizations including the Islamic State, and Kurdish armed groups seeking to escape foreign rule also took the opportunity to rise in Syria. According to a report from December 2013, as many as 1,000 Syrian anti-government armed groups are believed to exist, and the armed clashes that break out between some of them from time to time have made the situation in Syria even more chaotic.
While the opposition armed forces received substantial foreign aid, Iran and Russia strongly supported the Syrian government, turning the Syrian civil war into a contest between Sunnis and Shiites and between the United States and Russia.
The eight-year war has killed more than 570,000 people, internally displaced 7.6 million and produced more than 6 million refugees. Recently, Syrian government forces have recovered large amounts of lost ground with Russian assistance. According to UN news reports, as of the beginning of August 2019 the fighting was concentrated in the Idlib region. The figure below shows the distribution of regions, cities and the various forces targeted by Russia and its Syrian allies in the northwestern part of Idlib province as of July 30, 2019.
Figure 1-1 Distribution of the Syrian forces as of July 30, 2019
3. Syrian Electronic Army
In April 2011, only days after anti-regime protests escalated in Syria, the Syrian Electronic Army (SEA) emerged on Facebook in support of Syrian President Bashar al-Assad. On May 5, 2011 the Syrian Computer Society registered the SEA's website (syrian-es.com). Because Syria's domain registration authority registered the hacker site, some security experts have written that the group was supervised by the Syrian state. The SEA claimed on its web page not to be an official entity, but "a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria". By May 27, 2011 the SEA had removed the text denying that it was an official entity; the new page said only that it was established by a group of young Syrian enthusiasts to combat the use of the Internet, and especially of Facebook, in Syria to "spread hatred" and "destroy peace".
The Syrian Electronic Army uses spam, website defacement, malware, phishing and denial-of-service attacks against political opposition groups, Western news agencies, human rights groups and websites that are seemingly neutral on the Syrian conflict. It has also attacked government websites in the Middle East and Europe as well as US defense contractors. The Syrian Electronic Army is the first Arab organization to set up a public Internet army on its national network and openly launch cyber-attacks on its enemies.
4. Opposition Forces
The current active opposition organizations mainly include the Free Syrian Army, the Harakat Ahrar al-Sham al-Islamiyya, and the Hayʼat Tahrir al-Sham.
1) Free Syrian Army
The Free Syrian Army (FSA) is a loose faction in the Syrian Civil War, founded on 29 July 2011 by officers of the Syrian Armed Forces whose stated goal was to bring down the government of Bashar al-Assad. The Free Syrian Army aims to be "the military wing of the Syrian people's opposition to the regime" and to bring down the government through armed operations and by encouraging army defections. Because the Syrian Army is highly organized and well armed, the Free Syrian Army has adopted guerrilla-style tactics in the countryside and cities. The FSA's military strategy is focused on a dispersed countrywide guerrilla campaign with a tactical focus on armed action in the capital, Damascus. The campaign was not meant to hold territory, but rather to stretch government forces and their logistics chains thin in battles for urban centers, to cause attrition in the security forces, to degrade morale and to destabilize Damascus, the center of government.
The Free Syrian Army initially had just over 1,000 members. By March 2012 it had 70,000 members, and in June 2013 it numbered 120,000 (excluding the Islamic Army, which later split off), making it one of the main opposition military forces.
In late 2011, it was considered the main Syrian military defectors group. It had success against vastly better armed government forces. From July 2012 onward, ill-discipline, infighting and lack of funding weakened the FSA, while Islamist groups became dominant within the armed opposition.
After the Turkish military intervention in Syria in 2016, an informal group of Turkish-backed Arab and Turkmen fighters was established under the name "Free Syrian Army", with on-the-ground support from an organized military force backed by Turkish and British air power. The group cooperates closely with Turkish troops in Syria.
2) Harakat Ahrar al-Sham al-Islamiyya
At the heart of Harakat Ahrar al-Sham al-Islamiyya (the Islamic Movement of the Free Men of the Levant, usually referred to as Ahrar al-Sham) is a group of al-Qaeda cadres who had been arrested and sentenced by the Syrian Ba'ath Party regime. They established the group after being released by the regime between March and May 2011, and from 2012 onward remained based in the north of Syria. Since then the organization has long played the role of junior ally within the Islamic Front and the Army of Conquest (Jaish al-Fatah). It has accumulated strength by taking a more moderate position and has received greater support from Turkey.
In December 2016 the movement followed Turkey's instructions and withdrew from Aleppo to preserve its strength, thereby falling out with its ruling-coalition partner, the al-Nusra Front. In January 2017 the movement turned fully against al-Nusra by supporting the peace talks between the opposition and the regime, and the two sides fought in Idlib. During this period many leaders and subordinate groups of the movement defected to Hay'at Tahrir al-Sham (HTS), the organization into which the al-Nusra Front had reorganized, but the movement also absorbed a large number of small factional groups defeated by HTS, so its strength was not reduced and it grew to nearly 30,000 fighters. As a result the organization became the leader of the opposition alliance that advocates peace talks, and was able to build a new coalition in Idlib province to resist HTS.
This new coalition includes Ahrar al-Sham and the Muslim Brotherhood-aligned Sham Legion, as well as a number of former Free Syrian Army factions such as the Army of Glory and the Elite Army (Jaish al-Tahrir, which commands the Free Army's 46th Division, 312th Division and 9th Brigade, among others), the Free Army's 13th, 16th, 30th and 101st Divisions, and Turkmen units.
This opposition coalition is currently entrenched across a large territory in Idlib and Aleppo provinces, mainly confronting HTS. In addition, most of the factional groups on the outskirts of Homs and Damascus are more or less close to the coalition. The coalition's overall goal is to compete with the regime for dominance of the future political reconciliation process; its minimum goal is to establish a special status for Islam in Syria and turn Syria into a country governed by Sharia law.
3) Hayʼat Tahrir al-Sham
Hay'at Tahrir al-Sham (HTS) was formed when the al-Nusra Front reorganized and absorbed other armed factions of the opposition. It is characterized by close ties with al-Qaeda and can be regarded as the Syrian branch of al-Qaeda; its opponents call it "Hetesh".
Despite being hostile to the United States and bombarded by the United States over the so-called Khorasan Group, the al-Nusra Front, through the Army of Conquest (Jaish al-Fatah) joint front, the Joint Operations Command of Maraia and Fatah Halab, also drew in the majority of the Islamic Front factions (especially Ahrar al-Sham), the Sham Legion and other Muslim Brotherhood-affiliated groups, and part of the Free Syrian Army factions in the north, forming an opposition coalition with internal disagreements but relatively unified toward the outside.
The coalition also received support from Turkey, the Gulf States and Israel. However, after being betrayed by Turkey, the coalition lost Aleppo, which rapidly led to its internal division. The peace faction headed by Ahrar al-Sham publicly split from the group with Turkish support, rejecting the leadership of the al-Nusra Front; it established its own administration in Idlib and sent representatives to Astana to take part in the dialogue between the opposition and the regime. This caused great dissatisfaction in the al-Nusra Front, which the major powers had excluded from the peace talks, and fighting broke out between the two sides.
In January 2017, after fighting broke out in Idlib between the faction headed by the al-Nusra Front and the peace faction headed by Ahrar al-Sham, al-Nusra announced on January 28 that it would reorganize as Hay'at Tahrir al-Sham in order to unite its forces. At present the organization controls a large territory in Idlib, including the center of the province as far south as the city of Ma'arrat al-Nu'man, and during the fighting it took control of the whole northwestern part of Idlib province, the area centered on the strategically important town of Jisr al-Shughur, western Aleppo and northern Hama. After a series of military victories HTS has grown from more than 10,000 fighters in the al-Nusra period to 20,000-30,000, with fighting strength far greater than the peace faction. It also received full support from belligerents such as the Turkistan Islamic Party that were likewise excluded from the peace talks. However, lacking foreign support, HTS cannot completely eliminate the peace factions in Idlib province, and because it holds the front line against the regime it is surrounded by enemies on all sides.
HTS's main goal is to absorb the other factions so as to regain the support of Turkey, Saudi Arabia and other countries, forcing the major powers to recognize it as a belligerent party, shedding the terrorist-organization label and joining Syria's future political process. In February 2017 HTS was forced to expel Jund al-Aqsa, which had been secretly colluding with the Islamic State, from Idlib province in order to reach a truce with the peace faction. To demonstrate its own fighting stance and regain the support of Turkey and other countries, HTS launched an offensive against Hama in March, which received Turkish support in manpower and materiel. This shows that HTS still has value for Turkey.
5. Other Forces
1) Syrian Democratic Forces
The Syrian Democratic Forces, commonly abbreviated to SDF, HSD, and QSD, is an alliance in the Syrian Civil War composed primarily of Kurdish, Arab, and Assyrian/Syriac militias, as well as some smaller Armenian, Turkmen and Chechen forces. The SDF is militarily led by the People's Protection Units (YPG), a mostly Kurdish militia. Founded in October 2015, the SDF states its mission as fighting to create a secular, democratic and decentralized Syria.
The establishment of the SDF was announced during a press conference in al-Hasakah. The alliance built on longstanding previous cooperation between the founding partners. While the People's Protection Units (Yekîneyên Parastina Gel, YPG) and the Women's Protection Units (Yekîneyên Parastina Jin, YPJ) had been operating throughout the regions of the Autonomous Administration of North and East Syria, the other founding partners were more geographically focused.
Geographically focused on the Jazira Region were the Assyrian Syriac Military Council (Mawtbo Fulhoyo Suryoyo, MFS) and the al-Sanadid Forces of the Arab Shammar tribe, both of whom had cooperated with the YPG in fighting ISIL since 2013. The MFS is further politically aligned with the YPG via their shared secular ideology of democratic confederalism, which in the Assyrian community is known as the Dawronoye movement. Geographically focused on the Manbij Region was the Army of Revolutionaries (Jaysh al-Thuwar, JAT), itself an alliance of several groups of diverse ethnic and political backgrounds, who had in common that they had been rejected by the mainstream Syrian opposition forces for secular, anti-Islamist views and affiliations. However, most of the JAT component groups have always used the Free Syrian Army label and continue to use it.
The Arab groups, which have about 4,000 troops in the alliance, operate under the Syrian Arab Coalition umbrella to attack Raqqa, the Islamic State's capital, east of the Euphrates River. The remaining rebel forces trained by the US Department of Defense are tasked with "guiding air strikes against the Islamic State and recruiting more moderate resistance".
Unlike other Syrian non-government armed forces, the Syrian Democratic Forces avoid confrontation with Syrian government forces as far as possible; their main rival is the Islamic State. Syrian Kurds say they are pursuing self-government under decentralization rather than an independent state. Syrian Foreign Minister Walid al-Muallem responded that the Syrian government remains open to Kurdish autonomy, but only once the Islamic State is eliminated, after which the two sides can begin negotiations on autonomy. As of March 2019, an estimated 11,000 Syrian Democratic Forces fighters had died in the war against the Islamic State.
2) The Islamic State
The Islamic State (IS), formerly known as the "Islamic State of Iraq and al-Sham" (ISIS), is a Salafi jihadist organization active in Iraq and Syria; it is not a widely recognized political entity. It follows the ultra-conservative Islamic fundamentalist Wahhabi school, a branch of Sunni Islam. The organization's leader, al-Baghdadi, proclaimed himself Caliph and named the entity the "Islamic State", claiming authority over the entire Muslim world (including the whole Middle East; eastern, central and northern Africa; the Black Sea region; South, West and Central Asia; Europe including the Iberian and Balkan peninsulas; almost all of India; and northwestern China). Neighboring Arab countries call it "Daesh", an Arabic acronym that sounds like an Arabic word for "trampling", to show their disrespect and contempt for the name "Islamic State". Mainland Chinese media sometimes refer to the organization simply as an "extremist organization" or ISIS.
In addition to members from Iraq and Syria, the organization has attracted more than 12,000 jihadists from 81 countries around the world. They entered Syria and Iraq mainly through the Turkish border.
A training camp for jihadists is located near the Incirlik Air Base in Adana Province, Turkey. Thousands of jihadists have completed training there and entered Syria and Iraq to help the "Islamic State" establish its "state".
On October 2, 2014, US Vice President Joe Biden accused Turkey of funding the "Islamic State"; Turkey denied the accusation and demanded an apology. In fact, it is no secret that Turkey wanted to use the "Islamic State" against the Kurdish armed forces and the Assad government. In early 2012 or earlier, the CIA set up a training camp in Jordan to provide military training for the Syrian opposition; many trainees were attracted by the concept of the "Islamic State" and joined the organization. In June 2014, the United States provided humanitarian assistance to refugees in the Syrian areas occupied by the "Islamic State".
After 2017, with Russia's military intervention in the Syrian civil war and the Iranian-backed Shia proxy forces, the "Islamic State" was crushed and its two major cities, Mosul and Raqqa, were captured in turn. The territory of ISIS has been almost entirely eliminated.
On March 23, 2019, the Syrian Democratic Forces liberated the last stronghold of the "Islamic State" and announced that the organization had been completely dismantled and officially destroyed; but the whereabouts of its leader al-Baghdadi remained a mystery.
On April 21, 2019, eight bombings struck Sri Lanka, in the capital Colombo, nearby Negombo and Batticaloa in the east, hitting three churches and four hotels. On the 23rd the "Islamic State" claimed responsibility for the bombings.
On April 29, 2019, al-Baghdadi, the leader of the "Islamic State", whose whereabouts had been unknown, made his first public appearance since the territorial defeat of the organization.
On May 11, 2019, the "Islamic State" propaganda outlet Amaq News Agency declared a new "India Province" (Wilayah of Hind) following a clash in the Kashmir region.
Chapter II Attacks of the Syrian Electronic Army
The Syrian Electronic Army was the first Arab organization to set up a public Internet army on its national network and openly launch cyber-attacks on its enemies. Its early attacks were mainly aimed at stealing social media accounts and breaching websites. After 2014, however, reports of Syrian Electronic Army attacks almost disappeared. In 2018, the 360 ATA team discovered that the Syrian Electronic Army had been using Android and PC malware samples to conduct long-term targeted attacks against the Syrian region since November 2014. This indicates that the group gradually shifted from the early defacement of media websites and takeover of social accounts to sustained surveillance of specific targets.
1. Attacks in earlier stage
2011
July 2011: University of California Los Angeles website defaced by SEA hacker "The Pro".
September 2011: Harvard University website defaced in what was called the work of a "sophisticated group or individual". The Harvard homepage was replaced with an image of Syrian president Bashar al-Assad with the message "Syrian Electronic Army Were Here".
2012
April 2012: The official blog of social media website LinkedIn was redirected to a site supporting Bashar al-Assad.
August 2012: The Twitter account of the Reuters news agency sent 22 tweets with false information on the conflict in Syria. The Reuters news website was compromised, and posted a false report about the conflict to a journalist's blog.
2013
20 April 2013 The Team Gamerfood homepage was defaced.
23 April 2013: The Associated Press Twitter account falsely claimed the White House had been bombed and President Barack Obama injured. This led to a US$136.5 billion dip on the S&P 500 index the same day.
May 2013: The Twitter account of The Onion was compromised by phishing Google Apps accounts of The Onion's employees.
24 May 2013: The ITV News London Twitter account was hacked.
On 26 May 2013 the Android applications of British Broadcaster Sky News were hacked on Google Play Store.
17 July 2013: TrueCaller's servers were hacked by the Syrian Electronic Army. The group claimed on its Twitter account to have recovered 459 GiB of database, primarily because of an outdated version of WordPress installed on the servers, and released TrueCaller's alleged database host ID, username and password in another tweet.
18 July 2013: TrueCaller confirmed on its blog that only its website had been hacked, and claimed that the attack did not disclose any passwords or credit card information.
23 July 2013: Viber servers were hacked, the support website replaced with a message and a supposed screenshot of data that was obtained during the intrusion.
15 August 2013: Advertising service Outbrain suffered a spearphishing attack and SEA placed redirects into the websites of The Washington Post, Time, and CNN.
27 August 2013: NYTimes.com had its DNS redirected to a page that displayed the message "Hacked by SEA" and Twitter's domain registrar was changed.
28 August 2013: Twitter's DNS registration showed the SEA as its Admin and Tech contacts, and some users reported that the site's Cascading Style Sheets (CSS) had been compromised.
29–30 August 2013: The New York Times, The Huffington Post, and Twitter were knocked down by the SEA. A person claiming to speak for the group stepped forward to tie these attacks to the increasing likelihood of U.S military action in response to al-Assad using chemical weapons. A self-described operative of the SEA told ABC News in an e-mail exchange: "When we hacked media we do not destroy the site but only publish on it if possible, or publish an article [that] contains the truth of what is happening in Syria. ... So if the USA launch attack on Syria we may use methods of causing harm, both for the U.S. economy or other."
2–3 September 2013: Pro-Syria hackers broke into the Internet recruiting site for the US Marine Corps, posting a message that urged US soldiers to refuse orders if Washington decides to launch a strike against the Syrian government. The site, www.marines.com, was paralyzed for several hours and redirected to a seven-sentence message "delivered by SEA".
30 September 2013: The Global Post's official Twitter account and website were hacked. SEA posted through their Twitter account, "Think twice before you publish untrusted informations about Syrian Electronic Army" and "This time we hacked your website and your Twitter account, the next time you will start searching for new job"
28 October 2013: By gaining access to the Gmail account of an Organizing for Action staffer, the SEA altered shortened URLs on President Obama's Facebook and Twitter accounts to point to a 24-minute propaganda video on YouTube.
9 November 2013: SEA hacked the website of VICE, an independent news/documentary/blog outlet that has filmed numerous times in Syria alongside rebel forces. Visiting vice.com redirected to what appeared to be the SEA homepage.
12 November 2013: SEA hacked the Facebook page of Matthew VanDyke, a Libyan Civil War veteran and pro-rebel news reporter.
2014
1 January 2014: SEA hacked Skype's Facebook, Twitter and blog, posting an SEA related picture and telling users not to use Microsoft's e-mail service Outlook.com —formerly known as Hotmail—claiming that Microsoft sells user information to the government.
11 January 2014: SEA hacked the Xbox Support Twitter pages and directed tweets to the group's website.
22 January 2014: SEA hacked the official Microsoft Office Blog, posting several images and tweeted about the attack.
23 January 2014: CNN's official Twitter account showed two messages, including a photo of the Syrian flag composed of binary code. CNN removed the tweets within 10 minutes.
3 February 2014: SEA hacked the websites of eBay and PayPal UK. One source reported the hackers said it was just for show and that they took no data.
6 February 2014: SEA hacked the DNS of Facebook. Sources said the registrant contact details were restored and Facebook confirmed that no traffic to the website was hijacked, and that no users of the social network were affected.
14 February 2014: SEA hacked the Forbes website and their Twitter accounts.
26 April 2014: SEA hacked the information security-related RSA Conference website.
18 June 2014: SEA hacked the websites of British newspapers The Sun (United Kingdom) and The Sunday Times.
22 June 2014: The Reuters website was hacked a second time and showed a SEA message condemning Reuters for publishing "false" articles about Syria. Hackers compromised the website corrupting ads served by Taboola.
27 November 2014: SEA hacked hundreds of sites through hijacking Gigya's comment system of prominent websites, displaying a message "You've been hacked by the Syrian Electronic Army(SEA)."
2015
21 January 2015: French newspaper Le Monde wrote that SEA hackers "managed to infiltrate our publishing tool before launching a denial of service".
2018
17 May 2018: Two suspects were indicted by the United States for "conspiracy" for hacking several US websites.
2. Cyber surveillance in later stage
From November 2014 to the end of 2017: The Syrian Electronic Army launched an organized, planned and targeted persistent attack on the Syrian region with malicious samples on Android and PC.
July 2018: The Syrian Electronic Army launched a new cross-platform Android Trojan attack against military agencies and governments in Syria and neighboring countries.
December 2018: 360 CERT captures the latest Android sample of the Syrian Electronic Army's attack on the Syrian region.
March 2019: 360 Threat Intelligence Center discovered and analyzed the latest attack samples from the Syrian Electronic Army.
March 2019: 360 BeaconLab discovered the Syrian Electronic Army's attack against the Islamic State.
Chapter III Cyber Surveillance Campaigns on Mobile Platforms of the Syrian Electronic Army
According to our findings, the SEA comprises at least two different branches, the Golden Rat Group and the Pat Bear Group, which conduct an organized, planned and targeted long-term uninterrupted attack on the Syrian region.
1. Golden Rat Organization (APT-C-27)
1) Campaigns
Since November 2014, the Golden Rat Organization (APT-C-27) has conducted an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The targeted platforms gradually expanded from Windows at the beginning to Android. In this attack the malicious samples were mainly disguised as chat software and common software in specific fields, and were delivered through watering-hole attacks combined with social engineering aimed at specific groups. Based on the author information in the PDB paths of the PC samples, Golden Rat was ultimately attributed as a branch of the Syrian Electronic Army.
Figure 3-1 Timeline of key events related to the Golden Rat
a) Payload delivery
The Android spyware is mainly disguised as "System Package Update", "Telegram Update", "ChatSecure Ultimate 2017", "Ms Office Update 2017", "WordActivation", "تسريع_نت_مجاني" (Arabic for "free internet speed-up") and other software. These are generally presented as update programs for chat software, and targets are lured into downloading and installing them through misleading URLs on download websites.
Figure 3-2 Phishing site
b) Sample analysis
The Android attack uses two RATs: the open-source AndroRat, used in the early attacks, and the customized SilverHawk, used in later attacks and updated multiple times.
The main features of the Android sample used in this attack are as follows:
- Record audio
- Take photos with device camera
- Heartbeat
- Retrieve files from external storage
- Copy, move, rename and delete files
- Download the file specified by the attacker
- List installed applications, with installation date and time
- Try to execute a command or binary specified by the attacker with root privileges
- Retrieve contacts
- Retrieve SMS
- Retrieve call records
- Device position, orientation and acceleration
- Remotely update the C2 IP and port
- Hide the app icon
- Collect device information
The code structure of the sample's core functions is shown in the figure below.
Figure 3-3 Code structure of the sample's core functions
2) Cross-platform Attacks
In July 2018 we found, for the first time, that a new version of its mobile sample could carry out a cross-platform attack against PC targets.
a) Payload delivery
A total of two similarly named phishing websites and download addresses carrying attack samples were found. The PC-side RAT sample "hmzvbs" was embedded directly in the new version of the mobile sample.
Figure 3-4 Phishing Site
b) Sample analysis
Analysis and comparison show that the new version of the mobile sample, besides retaining the original mobile RAT functions, adds a new attack path that uses the phone's storage as a removable medium to lure the victim. It is the first cross-platform attack from the mobile end to the PC end that we have observed. The attack proceeds as follows:
- Step 1: the mobile attack sample carries a RAT in PE format, named "hmzvbs", that specifically targets the PC.
Figure 3-5 Attack file with the embedded PE RAT
- Step 2: Once the mobile sample runs, it immediately writes the PC RAT "hmzvbs" into the pictures directory on the device's external storage under a disguised name; this is the preparation for the second stage. The disguise has two characteristics: the file name is that of a common picture-related directory, and the file carries the extension ".PIF" (a shortcut to an MS-DOS program, which Windows executes directly; Explorer also never displays the .PIF extension, so the file appears with a folder-like name).
- Step 3: Users regularly browse the photos on their phone from a PC. When a target whose phone is already compromised does so, they are enticed to click the disguised "picture directory", which an ordinary user can hardly tell apart from a real one (see Figure 3-6). Once the PE attack file runs, the PC is compromised by the RAT.
Figure 3-6 Comparison between normal directory and disguised files
In addition, the mobile RAT and the PC RAT embedded in the mobile sample have not changed much in functionality and are largely consistent with the earlier versions.
3) Reverse engineering and correlation
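The check a responder would run over a phone's mounted external storage (or a copied folder tree) to catch the masquerade described in Steps 2 and 3 above, written here as an added example; it is not code from the 360 report or from the samples it describes. It flags files under picture directories that carry an extension Windows will execute, that start with a PE header whatever their extension, or that are named like a picture folder without being an image. The directory layout, file names and bytes are constructed for the demonstration, and the extension and folder-name lists are assumptions rather than indicators from the report.

```python
"""Flag executable payloads planted under a phone's picture directories.

Added example, not code from the 360 report. All file names and bytes
below are constructed; the extension list and folder names are assumptions.
"""
import os
import struct
import tempfile

# Extensions Windows runs on double-click. Explorer never shows .pif and
# .lnk (NeverShowExt), so "Pictures.PIF" renders simply as "Pictures".
EXEC_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".vbs", ".js", ".lnk",
                   ".bat", ".cmd"}
# Folder names a user expects to hold only images. DCIM is the standard
# Android camera directory; the others are assumptions.
PICTURE_DIRS = {"dcim", "pictures", "camera", "screenshots", "photos"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".mp4"}


def looks_like_pe(path):
    """True if the file has an MZ header whose e_lfanew points at the PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def classify(path):
    """Return the reasons a file is suspicious (empty list if it is not)."""
    reasons = []
    stem, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    parents = {p.lower() for p in os.path.dirname(path).split(os.sep)}
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if looks_like_pe(path):
        reasons.append("PE header regardless of extension")
    # A file called "Pictures" or "Camera" inside a picture tree that is not
    # an image is the exact trick played on a PC user browsing the phone.
    if parents & PICTURE_DIRS and stem.lower() in PICTURE_DIRS and ext not in IMAGE_EXTENSIONS:
        reasons.append("named like a picture folder")
    return reasons


def scan(root_dir):
    """Walk root_dir; return {relative path: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root_dir)] = reasons
    return findings


def build_sample_tree(base):
    """Constructed layout: a real photo, a PE renamed .PIF under DCIM, a .vbs lure."""
    camera = os.path.join(base, "DCIM", "Camera")
    os.makedirs(camera)
    with open(os.path.join(camera, "IMG_0001.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\0" * 64)          # JPEG magic, no PE
    # Minimal MZ stub whose e_lfanew (offset 0x3C) points to 'PE\0\0' at 0x80
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub += b"\0" * (0x80 - len(stub)) + b"PE\0\0" + b"\0" * 32
    with open(os.path.join(base, "DCIM", "Pictures.PIF"), "wb") as f:
        f.write(bytes(stub))                                # folder-named PE
    with open(os.path.join(camera, "image.vbs"), "w") as f:
        f.write('MsgBox "lure"\n')                          # script lure


def demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    base = tempfile.mkdtemp(prefix="sea_scan_")
    build_sample_tree(base)
    return scan(base)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

The PE-header test is what makes the check robust: an attacker can rename the payload to any extension, but a file in a photo folder that begins with an MZ/PE header has no business being there, so the extension list only adds coverage for script lures such as the .vbs and .scr names in Table 3-1.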
a) Special file names
Sample’s MD5 | File name |
---|---|
a4e6c15984a86f2a102ad67fa870a844 | حمص تلبيسة قصف بالهاون.scr |
3f00799368f029c38cea4a1a56389ab7 | صفقة جيش الاسلام مع النظام المتضمنة تبادل 75 اسير للنظام من عدرا العمالية مقابل 15 معتقل لجيش الاسلام image.vbs |
ea79617ba045e118ca26a0e39683700d | وثيقة رقم 1 العميد مناف طلاس يترأس هيئة الاركان العليا.vbs |
Table 3-1 PC samples
The table above lists the file names of some of the attack samples:
The file name "حمص تلبيسة قصف بالهاون" translates to "Homs, Talbiseh: mortar shelling"; Homs is a city in Syria and Talbiseh a town just north of it. This file name points to an attack targeting Syria.
The file name "صفقة جيش الاسلام مع النظام المتضمنة تبادل 75 اسير للنظام من عدرا العمالية مقابل 15 معتقل لجيش الاسلام" translates to "The Army of Islam's deal with the regime, including the exchange of 75 regime prisoners from Adra al-Ummaliya for 15 Army of Islam detainees"; it concerns a prisoner exchange.
The file name "وثيقة رقم 1 العميد مناف طلاس يترأس هيئة الاركان العليا" translates to "Document No. 1: Brigadier General Manaf Tlass heads the Supreme General Staff"; Manaf Tlass is the son of the former Syrian Defense Minister Mustafa Tlass.
These file names show that the attacker chooses the names of the bait documents carefully: they refer to current Syrian events and are likely to entice specific people to click. We therefore assess that the attack is aimed at Syria and the surrounding region.
b) The author
The file 1.docx was found on the attacker's back-end system under the directory http://chatsecurelite.us.to/wp-content/uploads/2016/12/, as shown below.
Figure 3-7 Location of the file
The properties of 1.docx give the author's name: Raddex.
Figure 3-8 File properties
Further correlation found PC-side samples that also use the name Raddex. Their C&C was 31.9.48.183, which matches the attacker IP published by the Hama-based Syrian news network. We therefore infer that Raddex is a user name belonging to the attackers.
Sample MD5 | File name |
---|---|
bdaaf37d1982a7221733c4cae17eccf8 | SystemUI.exe |
Table 3-2 PC sample file name
Figure 3-9 Information published by the Syrian news network in Hama
c) IP address
Figures 3-10 and 3-11 show the registration information for the IPs 31.9.48.183 and 82.137.255.56 respectively. Both IPs are used by the attacker and are located in Damascus, Syria.
Figure 3-10 IP 31.9.48.183
Figure 3-11 IP 82.137.255.56
d) PDB path
Sample MD5 | PDB path |
---|---|
871e4e5036c7909d6fd9f23285ff39b5 | aboomar3laqat.pdb |
11b61b531a7bbc7668d7d346e4a17d5e | C:\Users\Th3ProSyria\Desktop\cleanPROs\cleanPROs\obj\Debug\NJ.pdb |
Table 3-3 PDB path of PC samples
Among the PE files discovered through IP association and other pivots, the PDB paths reveal user names such as "Th3ProSyria", "aboomar" and "abo moaaz". These names are typical of the Arabic-speaking region, and Arabic is the official language of Syria.
Pivoting on the names in the PDB paths led to a wanted notice (Figure 3-12) on the FBI website for Ahmed Al Agha, who is sought for his participation in the Syrian Electronic Army. His usual nicknames are exactly "Th3 Pr0" and "The Pro".
Figure 3-12 Reward notice published by the FBI for Ahmed Al Agha
Based on this information we conclude that the participants in the attack are Syrian Electronic Army personnel, and we therefore attribute the Golden Rat (APT-C-27) as a branch of the Syrian Electronic Army.
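The PDB-path pivot used above can be reproduced with a small amount of code. The following is an added example, not tooling from the 360 report: it pulls CodeView records out of a PE image and splits the embedded PDB path into the pieces an analyst pivots on (Windows account name, parent folder, PDB file name). Real samples reference the PDB through an IMAGE_DEBUG_DIRECTORY entry of type CODEVIEW; the triage below scans for the "RSDS" CodeView signature instead of walking the PE headers, which is how strings-based triage finds it and is sufficient for a first pass, at the cost of having to reject false hits. The byte blob SAMPLE is constructed; the two PDB paths inside it are the ones listed in Table 3-3, and the GUIDs are placeholders.

```python
"""Extract CodeView PDB paths from a PE blob and derive attribution pivots.

Added example, not from the 360 report. SAMPLE is a constructed stand-in
for a debug section; the PDB paths are those of Table 3-3, GUIDs are
placeholders.
"""
import re
import struct
import uuid

RSDS = b"RSDS"
# CodeView 7.0 record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path
_RSDS_HEADER = struct.Struct("<4s16sI")
# Windows user-profile path component; group 1 is the account name.
_USER_RE = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\",
                      re.IGNORECASE)


def codeview_records(data):
    """Yield (guid, age, pdb_path) for every plausible RSDS record in data."""
    pos = data.find(RSDS)
    while pos != -1:
        if pos + _RSDS_HEADER.size <= len(data):
            _sig, raw_guid, age = _RSDS_HEADER.unpack_from(data, pos)
            end = data.find(b"\0", pos + _RSDS_HEADER.size)
            if end != -1:
                path = data[pos + _RSDS_HEADER.size:end]
                # Require a printable path ending in .pdb so that random
                # 'RSDS' byte runs in data sections are not reported.
                if path.lower().endswith(b".pdb") and all(32 <= b < 127 for b in path):
                    yield uuid.UUID(bytes_le=raw_guid), age, path.decode("ascii")
        pos = data.find(RSDS, pos + 1)


def pivots_from_path(pdb_path):
    """Split a PDB path into the account name (if under a user profile),
    the folder that holds the PDB and the PDB file name."""
    m = _USER_RE.search(pdb_path)
    parts = pdb_path.split("\\")
    return {
        "user": m.group(1) if m else None,
        "parent_dir": parts[-2] if len(parts) >= 2 else None,
        "pdb": parts[-1],
    }


def triage(data):
    """Return a list of {guid, age, path, user, parent_dir, pdb} for a PE blob."""
    out = []
    for guid, age, path in codeview_records(data):
        rec = {"guid": str(guid), "age": age, "path": path}
        rec.update(pivots_from_path(path))
        out.append(rec)
    return out


def _make_record(path, guid, age):
    """Build one RSDS record the way a linker lays it out."""
    return _RSDS_HEADER.pack(RSDS, guid.bytes_le, age) + path.encode("ascii") + b"\0"


# Constructed stand-in for the debug sections of two samples (paths from Table 3-3),
# with a decoy 'RSDS' run in between that must not be reported.
SAMPLE = (
    b"\x00" * 32
    + _make_record(r"C:\Users\Th3ProSyria\Desktop\cleanPROs\cleanPROs\obj\Debug\NJ.pdb",
                   uuid.UUID("11111111-2222-3333-4444-555555555555"), 1)
    + b"RSDSjunk-not-a-record"
    + _make_record("aboomar3laqat.pdb",
                   uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 3)
)


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

The GUID and age are worth keeping alongside the path: two samples that share a GUID were produced from the same build, which is a stronger link than a shared user name, and the age distinguishes successive builds of the same project.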
2. Pat Bear Organization (APT-C-37)
1) Attacks Against the “Islamic State”
Since October 2015, the Pat Bear Organization (APT-C-37) has carried out a well-organized, targeted and persistent attack against the "Islamic State". Watering-hole attacks were used to deliver the samples, which were mainly disguised as chat software and as common software used in specific fields. The Trojan can steal messages, contacts, WhatsApp and Telegram data, and upload files over FTP. Reverse engineering and correlation show a strong link between the Pat Bear Organization and the Golden Rat Organization, so we attribute this activity to another branch of the Syrian Electronic Army.
Figure 3-13 Key time points related to Pat Bear attacks
a) Payload delivery
The Al Swarm news site (Figure 3-14) is a media website belonging to the "Islamic State"; it has suffered attacks from all over the world, has changed domain names several times, and is currently offline. In addition to the watering-hole attack on the Amaq media website mentioned above, we found that Al Swarm was also used by the attackers for watering-hole attacks, so we assess that the target was the "Islamic State".
Figure 3-14 Al Swarm
b) Sample analysis
Three RATs are used in the Android attacks. Two of them, DroidJack and SpyNote, are widely used commercial RATs that have circulated on multiple hacking forums and have been detected and exposed by many security companies. The third we believe was developed specifically for this campaign: it contains the distinctive string "runmylove" and is the first RAT we have seen that uses SQL Server for command interaction, so we named it SSLove. It appears only in this campaign and has gone through several versions.
The main features of the Android sample used in the attack are as follows:
- Browse, transfer, delete, upload files
- Receive and view SMS
- Make phone calls
- Contact management
- Microphone monitor
- GPS location
- APP management
- Command line control
- Get WhatsApp chat history
- Get call history
- Get device information
- Get account information
- Take photos
c) Co-relations and differences with Golden Rat
Analysis of the Pat Bear activity, combined with the earlier analysis of the Golden Rat Organization, shows that apart from their targets and their own exclusive RATs, the two groups are strongly correlated in the following respects. We attribute this activity to another branch of the Syrian Electronic Army.
- Both are familiar with Arabic and have used watering-hole attacks against Android and Windows platforms for several years.
- Both use multiple RATs, most of which are shared between the two groups.
- Both used C&C servers on the same network segment (82.137.255.*) during different periods.
2) Attacks Against Syrian Opposition Forces
In June 2019, the Pat Bear Organization (APT-C-37) launched an organized and planned cyber-espionage attack against Syrian opposition groups. In this attack the SSLove RAT was embedded in a repackaged copy of the chat application WhatsApp, which served as the attack vector.
a) Sample analysis
The sample used in this attack was disguised as the instant messaging application "WhatsApp" (Table 3-4). Its modification time (Figure 3-15) shows that the attack started no later than the end of June 2019.
Sample MD5 | File names |
---|---|
85e397114c401b0671ff74e7177cc361 | |
Table 3-4 Samples
Figure 3-15 Modification time of the samples
The main features of the Android sample in this attack are as follows:
- Get contact
- Get SMS
- Get location
- Get WhatsApp chathistory
- Get call history
- Get file list
- Upload file
- Get device information
- Get account information
- Take a photo
While stealing data, the SSLove RAT writes contacts, text messages, location and WhatsApp chat records into a remote SQL Server database, and uploads images, audio and other files to its FTP server.
Figure 3-16 Connecting to a remote SQL Server database
Figure 3-17 Connecting to an FTP server
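Because SSLove talks directly to a SQL Server database and an FTP server, the exfiltration is visible on the network without any knowledge of the RAT itself: a handset has no legitimate reason to open either protocol to an external host. The detector below is an added example, not tooling from the 360 report. It runs over connection records in a Zeek conn.log-like layout (a subset of the real columns) and flags phone-to-internet TCP sessions on the SQL Server and FTP control ports. The log lines are constructed; the attacker-side address reuses an IP the report attributes to the group in Chapter III, the handset address range is an assumption, and the ports are the protocol defaults (1433 for SQL Server, 21 for FTP control), which is also an assumption because the report does not state which ports SSLove connects to.

```python
"""Flag handsets that open SQL Server or FTP sessions to the internet.

Added example, not from the 360 report. Log lines are constructed; the
handset network and the two ports are assumptions.
"""
import ipaddress

# Column subset of Zeek's conn.log, in the order used in SAMPLE_LOG.
COLUMNS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "orig_bytes"]

EXFIL_PORTS = {1433: "mssql", 21: "ftp"}                # assumed protocol defaults
MOBILE_NETS = [ipaddress.ip_network("10.20.0.0/16")]    # assumed handset Wi-Fi range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_conn_lines(text):
    """Parse tab-separated records into dicts; skip '#' lines and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def is_mobile(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MOBILE_NETS)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil_sessions(rows):
    """Return (orig_h, resp_h, resp_p, label, orig_bytes) for each handset-to-
    internet TCP session on a SQL Server or FTP control port."""
    alerts = []
    for r in rows:
        try:
            port = int(r["id.resp_p"])
            sent = int(r["orig_bytes"])
        except ValueError:
            continue
        if r["proto"] != "tcp" or port not in EXFIL_PORTS:
            continue
        if is_mobile(r["id.orig_h"]) and is_external(r["id.resp_h"]):
            alerts.append((r["id.orig_h"], r["id.resp_h"], port,
                           EXFIL_PORTS[port], sent))
    return alerts


# Constructed records: a phone talking TDS and FTP to the attacker host, its
# passive-mode FTP data channel on a high port, a laptop talking to an
# internal SQL Server (benign), a phone on HTTPS, and a truncated line.
SAMPLE_LOG = "#fields\t" + "\t".join(COLUMNS) + "\n" + "\n".join([
    "1564012800.1\t10.20.3.7\t41000\t31.9.48.183\t1433\ttcp\t-\t18340",
    "1564012801.5\t10.20.3.7\t41001\t31.9.48.183\t21\ttcp\tftp\t3100",
    "1564012802.0\t10.20.3.7\t41002\t31.9.48.183\t52311\ttcp\tftp-data\t2097152",
    "1564012803.2\t10.1.5.20\t50000\t10.1.5.2\t1433\ttcp\t-\t900",
    "1564012804.9\t10.20.4.9\t42000\t198.51.100.5\t443\ttcp\tssl\t5000",
    "1564012805.3\t10.20.3.7\tbroken-line",
])


def demo():
    """Run the detector over the constructed log and return its alerts."""
    return find_exfil_sessions(parse_conn_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for orig, resp, port, label, sent in demo():
        print("handset %s -> %s:%d (%s), %d bytes sent" % (orig, resp, port, label, sent))
```

The passive-mode FTP data channel lands on a high port and is not matched by design; the control session is the stable indicator, and the bytes sent on the accompanying data sessions are what size the leak (the 2 MB transfer in the constructed log). Since the RAT connects to these servers itself, the host names and credentials are necessarily present in the APK, so the same destinations can be confirmed from the decompiled sample.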
b) Analysis of the leaked data
Analysis of the FTP server shows that between late July and early September 2019 the Syrian Electronic Army collected nearly 3 GB of data, including private information such as pictures, audio, documents, contacts, text messages and call records. Further analysis of the data shows at least 132 victims, mainly members of the Free Syrian Army and Hay'at Tahrir al-Sham.
Figure 3-18 Leaked data
Free Syrian Army
Among the leaked private data, the title of one Excel sheet points to a branch of the National Front for Liberation. Its last modification date is June 22, 2019, and it contains personnel information.
Figure 3-19 National Front for Liberation name list and the file properties
Another Excel sheet points to the 133rd Brigade of the 13th Division of the First Legion of the Free Syrian Army. Its last modification date is July 14, 2019; it records the command offices, headquarters, camps, waypoint numbers and waypoint images of some towns.
Figure 3-20 Waypoints of the 133rd Brigade of the 13th Division of the First Legion and the file properties
The following material concerns the Army of Glory, which split from the Free Syrian Army, and the National Front for Liberation, which is affiliated with the Free Syrian Army, in Idlib (northwest Syria) and the northern part of Hama province.
Figure 3-21 Information about the Army of Glory
Figure 3-22 Information about the National Front for Liberation
The picture below shows an unmanned aircraft captured by the Free Syrian Army.
Figure 3-23
The picture below shows a martyrs' announcement and related personnel changes of the Army of Glory:
Figure 3-24
Figure 3-25 Transfer application from the 1st Legion of the Free Syrian Army
The leaked information above indicates that the monitored targets include Free Syrian Army personnel among the opposition groups.
Hay'at Tahrir al-Sham
In other pictures we found documents, bills and handwritten notes bearing the flags and badges of Hay'at Tahrir al-Sham. The picture below is an announcement carrying the badge of Hay'at Tahrir al-Sham.
Figure 3-26 File related to Hay'at Tahrir al-Sham
Figure 3-27 Internal announcement of Hay'at Tahrir al-Sham
The images below show bills with the badges of Hay'at Tahrir al-Sham:
Figure 3-28 Bills of Hay'at Tahrir al-Sham
Handwritten documents with the icons of Hay'at Tahrir al-Sham:
Figure 3-29
Images of the battlefield
Some leaked images contain maps with latitude and longitude that point to combat areas between the Syrian opposition and government forces near Idlib. Judging from the resolution and viewpoint of the pictures, we assess that they were taken by unmanned aircraft.
Figure 3-30 Picture on the left is the leaked image, the coordinates match with that on the Google map
The coordinates in the map below are those of Bassel al-Assad International Airport, located at the small town of Hmeimim more than 20 kilometers from the Mediterranean city of Latakia. It is also known as Latakia Air Base or Hmeimim Air Base and is the Russian air base in Latakia.
Figure 3-31 Picture on the left is the leaked image, the coordinates match with that on the Google map
Figure 3-32 Pictures taken by an unmanned aircraft during reconnaissance
Figure 3-33 The ruins after the war
Photos with ID cards in hand
A large number of photos of people holding their ID cards were found in the leaked data; we suspect they belong to Syrian opposition soldiers.
Figure 3-34
Chapter IV Summary of the Technical Features of Syrian Electronic Army
Analysis of the whole run of Syrian Electronic Army activity shows that its early attacks were mainly website defacements, while its later attacks aim at obtaining battlefield intelligence from the opposition forces. For payload delivery it favors watering-hole attacks and social software as the attack vector. Its early cyber weapons were open-source RATs, while commercial and customized RATs are used in the middle and later stages.
1. Payload Delivery
In the Syrian Electronic Army's attacks on mobile platforms, three intrusion methods were used: compromising websites, exploiting social networks, and phishing websites.
1) Compromise website
The attackers usually compromise a website and implant malicious code; when the target visits the site, he may trigger a vulnerability or run a disguised payload by clicking the malicious content. In the Pat Bear activity, we found that the Al Swarm News Agency website was used by the group for watering-hole attacks. The site (Figure 4-1) is a media website belonging to the "Islamic State" and is currently offline.
Figure 4-1 Al Swarm
2) Social media
The attackers also use social networks to spread false information and trick people into downloading and executing malicious files. In the Pat Bear activity, the attackers used Facebook to spread the malicious program and even pinned the post carrying the watering-hole link to the top of the page to improve the deception. The screenshot below shows an attacker luring a user on Facebook to click a watering-hole link that leads to the malicious payload.
Figure 4-2 Spread malicious link on Facebook
3) Phishing site
A phishing website is built by the attacker to lure users to it and have them download malicious programs.
We found that the SEA's phishing website hardly changed from 2016 to 2019; it has always been disguised as the official website of CamSecure. The site claims to encrypt all messages on mobile devices, to support all known chat programs, and to hide the locations of sender and receiver from others.
Figure 4-3 Phishing site
4) Disguise method
Classifying the applications that the Syrian Electronic Army's Android malware impersonates shows that they are mainly instant messaging applications, religion-related applications and tool applications. Their icons are shown below.
Figure 4-4 Icons of the disguised objects
Among these, the instant messaging software impersonated is mainly Telegram and WhatsApp. Telegram is chosen because its messages and media are encrypted when stored on its servers, client-server communication is encrypted, audio calls between two online users are end-to-end encrypted, and optional end-to-end encrypted "secret" chats are available for better security. According to a 2016 research report on terrorist communication methods issued by foreign security companies, 34% of terrorists use Telegram to communicate. WhatsApp, meanwhile, has become the main means of communication in many countries: as of February 2018 it had more than 1.5 billion users and is one of the most popular chat tools in many countries.
It is precisely because of Telegram's security and WhatsApp's popularity that the malicious programs in the Syrian Electronic Army's attacks on the opposition mainly impersonate Telegram and WhatsApp.
2. Attack Arsenal
The Syrian Electronic Army uses a variety of Android RATs on the mobile side, including the open-source AndroRat, the commercial DroidJack and SpyNote, and the undisclosed customized RATs SilverHawk and SSLove.
1) Open-source RAT
AndroRat is an open-source remote administration tool developed by a team of four as a university project; its source code was uploaded to GitHub in 2012. It allows a mobile device to be controlled remotely from a computer.
Figure 4-5 Androrat open-sourced code
AndroRat's remote control functions:
- Get complete contact information
- Get all call logs
- Get all messages
- Find the location via GPS or network
- Monitor received messages in real time
- Monitor the phone state in real time
- Take photos
- Stream audio from the microphone
- Stream video
- Pop up a Toast message
- Send text messages
- Make calls
- Open a URL in the default browser
- List installed apps
- Vibrate the phone
The interface of the AndroRat management tool is as below:
Figure 4-6 Interface of the AndroRat management tool
2) Commercial RAT
a) DroidJack
DroidJack is an extremely popular commercial RAT, powerful and with a convenient management console. It has its own official website, where the current price is $210.
Figure 4-7 Price of DroidJack on its website
DroidJack remote control functions:
- Generate an APK, optionally bound to a legitimate app, for the target phone
- Control the phone from the computer, including browsing, transferring and deleting files
- Send and view SMS messages
- Control the phone's calling function
- Contact management
- Microphone monitoring
- GPS positioning
- App management
The interface of the Droidjack management tool is as below:
Figure 4-8 Droidjack management tool
b) SpyNote
SpyNote is similar to DroidJack and is also a commercial RAT, powerful and with a convenient management console. The prices of its different versions on the official website are currently $499 and $4000.
Figure 4-9 SpyNote license fee
SpyNote remote control functions:
- Generate an APK, optionally embedded in a legitimate app, for the compromised phone
- Control the phone from the PC, including browsing, transferring and deleting files
- Receive and view SMS
- Control the phone's calling function
- Contact management
- Microphone monitoring
- GPS positioning
- App management
- File management
- View phone system information
- Command-line control
The interface of SpyNote management tool is as follows:
Figure 4-10 Interface of SpyNote management tool
3) Customized RAT
a) SilverHawk
SilverHawk is a RAT family customized by the Golden Rat Organization, first used in 2016 and updated several times since. SilverHawk remote control functions:
- Record audio
- Take photos with the device camera
- Heartbeat
- Retrieve files from external storage
- Copy, move, rename and delete files
- Download a file specified by the attacker
- List installed applications, with installation date and time
- Try to execute a command or binary specified by the attacker with root privileges
- Retrieve contacts
- Retrieve call history
- Retrieve SMS
- Device position, orientation and acceleration
- Remotely update the C2 IP and port
- Hide the app icon
- Collect device information
The code structure of SilverHawk:
Figure 4-11 SilverHawk code structure
b) SSLove
SSLove is a customized RAT first used in the 2017 attacks on the "Islamic State" and reused in the surveillance of the opposition, being updated several times along the way. SSLove remote control functions:
- Get contacts
- Get messages
- Get location
- Get WhatsApp chat history
- Get call history
- Get file list
- Upload files
- Get device information
- Get account information
- Take photos
Functions of the SSLove commands:
Figure 4-12 Function of the SSLove command
Chapter V The Role and Influence of the Syrian Electronic Army
In the late-stage attacks of the Syrian Electronic Army, the targets are the various opposition forces fighting the Syrian government, and cyber operations are used to obtain battlefield intelligence. At the same time, Syrian government forces carried out real-world military strikes against the corresponding hostile forces.
Beginning in 2017, watering-hole attacks were conducted on the "Islamic State" Al Swarm News Agency website. On March 23 of the same year, Syrian government forces, together with Russia and Iran, attacked on the Iraqi and Syrian battlefields; the two major cities held by the "Islamic State", Mosul and Raqqa, were captured in succession, and the "Islamic State's" physical territory was almost eliminated.
In February 2019, the last attack sample against the "Islamic State" was discovered. On March 23 of the same year, the Syrian Democratic Forces took the "Islamic State's" last stronghold in Syria, and the "Islamic State" was officially declared to have been completely destroyed as a territorial entity.
In July 2019, we discovered the Syrian Electronic Army's cyber espionage against the opposition forces in the Idlib region. Idlib province, in northwestern Syria, is the last stronghold on Syrian territory of the armed opposition and of the extremist "Army of Conquest". From July to September 2019 the government forces launched a number of military operations against the Idlib region, attracting widespread international attention. According to our observations, the cyber attacks are still ongoing, and the government forces' attacks on the opposition have never stopped.
The Syrian government has conducted long-term cyber attacks against different anti-government armed groups to obtain intelligence. Combined with the use of force, the intelligence obtained through these attacks has produced results on the real battlefield, and the Syrian government has made cyber operations part of its war. Because the data obtained contains a large amount of information on anti-government armed personnel, it will also play a large role in future social stability after the reunification of Syria. The cyber attacks we have discovered may be only the tip of the iceberg; there may be more activity behind them that we have not yet recognized, and the value of these attacks may be greater than we expect. We venture that the Syrian government's series of cyber attacks, coordinated with real-world strikes, may become a textbook example of the importance of cyber operations.
Peace and development remain the main current of today's international situation, apart from some strategically marginalized, disputed or sensitive areas, and war may not break out again in the physical world. But in the new era the importance of cyber warfare is more prominent; strictly speaking, war has never been far away, only its form has changed. With the rapid development of the Internet and the Internet of Things, the characteristics of cyber warfare (low cost, few casualties, little awareness on the hostile side, and large political gains) make it an important instrument in the contest between nations. Billions of IoT devices, new technologies, chips and the cloud will all be attack surfaces, and a country's critical infrastructure will be the first to bear the brunt and become a target. How to protect peace in the online world and in the real world will become a question for all countries, organizations and individuals to think about seriously.
References
Syria: https://en.wikipedia.org/wiki/Syria
Syrian Civil War: https://en.wikipedia.org/wiki/Syrian_Civil_War
Areas of control and cities targeted by airstrikes as of July 30, 2019: https://www.graphicnews.com/ar/pages/39385/--------_infographic
Syrian Electronic Army: https://en.wikipedia.org/wiki/Syrian_Electronic_Army
Free Syrian Army: https://en.wikipedia.org/wiki/Free_Syrian_Army
Golden Rat Group – Targeted Attacks in Syria: http://blogs.360.cn/post/黄金鼠组织-叙利亚地区的定向攻击活动.html
Under the SEA - A Look at the Syrian Electronic Army's Mobile Tooling: https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-DelRosso-Under-the-SEA.pdf
New attack method of APT: http://blogs.360.cn/post/analysis-of-apt-c-27.html
Wanted by the FBI: Ahmed Al Agha: https://www.fbi.gov/wanted/cyber/ahmed-al-agha
Pat Bear Group (APT-C-37): http://blogs.360.cn/post/analysis-of-apt-c-37.html
National Front for Liberation: https://wikivividly.com/wiki/National_Front_for_Liberation
360 BeaconLab
360 BeaconLab is dedicated to Android virus analysis, mobile underground-economy research, mobile threat warning, Android vulnerability research and Android ecosystem research. As one of the top mobile security research labs, 360 BeaconLab has published a number of influential Android Trojan analysis reports and Android Trojan underground-economy industry chain research reports. The lab provides core security data and anti-Trojan solutions for 360 MobileGuard, 360 EmergencyKit, 360 MobileAssistant and other products. It also provides mobile application security detection services and comprehensive security solutions for hundreds of domestic and overseas manufacturers, app stores and other partners.