Hackers Use Old Lure on Web to Help Syrian Government

WASHINGTON — To the young Syrian rebel fighter, the Skype message in early December 2013 appeared to come from a woman in Lebanon, named Iman Almasri, interested in his cause. Her picture, in a small icon alongside her name, showed a fair-skinned 20-something in a black head covering, wearing sunglasses.

They chatted online for nearly two hours, seemingly united in their opposition to the rule of Bashar al-Assad, the Syrian leader still in power after a civil war that has taken more than 200,000 lives. Eventually saying she worked “in a programming company in Beirut,” the woman asked the fighter whether he was talking from his computer or his smartphone. He sent her a photo of himself and asked for another of her in return. She sent one immediately, apologizing that it was a few years old.

“Angel like,” he responded. “You drive me crazy.”

What the fighter did not know was that buried in the code of the second photo was a particularly potent piece of malware that copied files from his computer, including tactical battle plans and troves of information about him, his friends and fellow fighters. The woman was not a friendly chat partner, but a pro-Assad hacker — the photos all appear to have been plucked from the web.

To gain access to information on the devices of Syrian opposition members, hackers posed as women on Skype, identified the types of devices the targets were using and sent photos laden with malware. Below are excerpts from a chat between a target and a nonexistent woman, “Iman.”

IMAN: Are you opening it on your mobile?

TARGET: Computer and mobile
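The lure described above works because the target treats a file as harmless once it is presented as a photo. One defender-side check, added here as an illustration and not part of the article or of FireEye's analysis, is to classify a received file by its leading bytes rather than by its name, and to flag anything that claims to be an image but carries an executable signature, no image signature at all, or a second extension hiding an image-like name. Every file name and byte string below is constructed for the example.

```python
"""Classify a received "photo" by content, not by file name.

Added example; the signatures are the standard leading bytes of each
format, the sample files are constructed and do not come from the article.
"""
import os

# Leading bytes that identify common image formats.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Leading bytes of executable containers that should never arrive as a photo.
EXECUTABLE_SIGNATURES = {
    "pe": (b"MZ",),        # Windows PE image, whatever its extension says
    "elf": (b"\x7fELF",),  # Linux/Android native executable
}

# Extensions a chat client or user would read as "this is a picture".
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_type(data):
    """Return (category, kind) from the first bytes of the file."""
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return "image", kind
    for kind, sigs in EXECUTABLE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return "executable", kind
    return "unknown", None


def claimed_type(filename):
    """Return (image kind claimed by the last extension, whether an image
    extension is buried before it, e.g. 'photo.jpg.exe')."""
    root, ext = os.path.splitext(filename.lower())
    claimed = IMAGE_EXTENSIONS.get(ext)
    hidden_image_ext = os.path.splitext(root)[1] in IMAGE_EXTENSIONS
    return claimed, hidden_image_ext


def assess_attachment(filename, data):
    """Compare what the name claims with what the bytes say and return a
    verdict of 'ok', 'review' or 'block' together with the reasons."""
    category, kind = sniff_type(data)
    claimed, double_ext = claimed_type(filename)
    reasons = []
    if category == "executable":
        reasons.append(f"content is a {kind} executable")
    if double_ext:
        reasons.append("image extension hidden inside the name (double extension)")
    if claimed and category == "unknown":
        reasons.append(f"named as {claimed} but no image signature found")
    elif claimed and category == "image" and kind != claimed:
        reasons.append(f"named as {claimed} but content is {kind}")

    if category == "executable" or double_ext:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"file": filename, "content": category, "kind": kind,
            "verdict": verdict, "reasons": reasons}


# Constructed samples: a genuine JPEG header, a PE header under a photo name,
# a PE header behind a double extension, a PNG mislabelled as JPEG, and junk.
SAMPLES = [
    ("iman_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("iman_photo.jpg", b"MZ\x90\x00" + b"\x00" * 16),
    ("iman_photo.jpg.pif", b"MZ\x90\x00" + b"\x00" * 16),
    ("screenshot.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("screenshot.jpg", b"\x00" * 8),
]


def scan_samples():
    """Run the check over the constructed samples and return the verdicts."""
    return [assess_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for result in scan_samples():
        print(f"{result['file']:<22} {result['verdict']:<7} {'; '.join(result['reasons'])}")
```

The check deliberately looks only at the first bytes and the last two extensions, so it is cheap enough to run on every inbound file from a chat or mail client; a file that passes still deserves normal antivirus and sandbox treatment, since an image parser bug can be exploited by a file with a perfectly valid header.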

The plans called for retaking the town of Khirbet Ghazaleh, a strategic gateway to the major city of Daraa. In May 2013, Syrian troops had seized control of the town near the highway.

“The Assad regime’s biggest vulnerabilities over the last year have been in south Syria, so disrupting that operation would be key to the regime fending off an attack on Damascus from the south — the traditional route for invading armies,” said Andrew J. Tabler, a Syria specialist at the Washington Institute for Near East Policy. Mr. Tabler said he was not aware of the stolen information.

According to FireEye (which merged last year with the Mandiant Corporation, the company that tracked Unit 61398, the Chinese Army’s hacking operation), the rebels shared photocopied battle plans, added defensive embankments in red ballpoint pen, and stored their plans electronically as pictures taken with their cellphones. They prepared for a battle involving 700 to 800 men, who were divided into groups to launch separate attacks, including an ambush. They used Google Earth to map their defensive lines and communicate grid coordinates.

They mapped locations for reserve fighters, staging areas and support personnel; settled on a field operations area; and planned supply routes for their forces, according to FireEye. Commanders received stern instructions not to make any “individual” decisions without approval from rebel superiors.

The battle details that the security service recovered are impressive. The rebels, who are not identified, would begin the attack with 120-millimeter mortar fire, followed by an assault against key Syrian Army locations. They drew up lists of men from each unit, with names, birth dates and other identifying information. But they stored them on their phones and laptops, and they were vulnerable to slightly customized versions of commercially available malware.

“It’s the democratization of intelligence,” said Laura Galante, a former Defense Intelligence Agency analyst who now works for FireEye and oversaw the Syria work. “We in the private sector can see some of this, and adversaries can steal it in a wholesale way and understand the full picture of an operation.”

And perhaps they can even stop an operation. The retaking of Khirbet Ghazaleh never materialized, Syria analysts say. It is unclear whether Syrian authorities thwarted the plot before it could be carried out, or if the rebels aborted the plan, perhaps suspecting the hacking or for some other reason.

A version of this article appears in print on February 2, 2015, on page A1 of the New York edition with the headline: Hackers Use Old Web Lure to Help Assad.

The New York Times