Cyberwar (2016) s01e05 Episode Script

Syria's Cyber Battlefields

Hundreds of thousands dead, millions displaced.
The syrian secret police got a lot better At monitoring social media.
The war is being fought both on the battlefield and online.
If you compromise them, Assad could come and have them arrested and then killed.
Hackers connected to the syrian regime Are targeting the opposition.
Isis is almost adopting everything That was successful in syria.
Sometimes, the consequences are lethal.
Was he a skilled hacker? Is syria the model for how future wars will be fought? As a national security reporter for vice, I followed the syrian war since the beginning.
In 2011, a popular democracy movement W up across the middle east.
It was fueled in part by social media, E known as the arab spring.
Yet syria was different.
It stayed quiet.
Run by a dictator named bashar al-assad, Citizens were terrorized by secret police, Mass surveillance, torture, And barely had any access to the internet.
Amidst protests in nearby countries, The assad regime made the mistake of restoring access To facebook and youtube.
Almost overnight, protests exploded across the country.
I needed to talk to someone who was on the streets When protests first went down.
Three weeks after I got there the street protests began, And that quickly overshadowed everything else we were doing.
Robert ford was the last us ambassador to serve in syria.
It couldn't have just been for benevolent reasons.
There must've been also a surveillance aspect to it.
When the revolution in syria started, initially I don't think The regular foot police and secret police goons Really understood what social media was.
I met once with a protestor, and he was detained.
This was in the suburbs of damascus.
When he was taken to the secret police station, They went through his backpack in front of him.
And they were taking everything out, and they said, "where is the facebook? Where is the facebook?" As if it was like a book with pages.
So that was early on.
As time went on, the syrian secret police got a lot better At monitoring people's computers and monitoring social media.
Protests continued, but assad wouldn't cede his power.
Instead, he sent soldiers to try and quell the uprising.
The world watched the bloody crackdown play out on youtube.
Shad othman was uploading videos to youtube and facebook During the early days of the revolution.
It made him a target of the government, For his safety, we chose an anonymous location to talk.
Video content was the most important content We've lost a lot of our friends while they were filming.
Snipers targeting people with cameras? Snipers targeting people, or checkpoint will stop you And check what's in your phones.
But was the regime able to crack into facebook, or at least Hack into it in some way and get some of that information That would help them crack down on protestors? Yes, they were able to get a lot of accounts.
They were able to hack into A lot of syrian opposition leaders at that time.
And going back to may 2011, That was the first time when the syrian government implemented Man-in-the-middle attack Against the ssl certificate of facebook.
And explain to me what a man-in-the-middle attack is.
The term "man-in-the-middle attack" came because There is someone in the middle who's trying to attack you.
What the syrian government did at that time is They pushed to the users a fake ssl certificate.
Now, ssl is actually like an envelope and a key.
Key is with facebook.
Facebook is sending you an envelope to put your data in, Lock it, and then send it back to facebook.
But the syrian internet providers, They received the envelope from facebook, they replaced it With another one that they have the key for it.
Their own envelope.
Send it to the syrian users.
Users, they put their credentials, username, And passwords and messaging and post and etc.
Stuff.
They send it back.
Syrian internet providers opened it, Got a copy of data, then send it back to facebook.
Assad was now using the internet To expose entire networks of activists.
Once identified, they were often arrested then tortured, Sometimes to death.
The international media exploded with headlines Detailing police crackdowns and tales of torture, Creating a public relations nightmare for assad.
Soldiers defected from assad's forces.
Some formed the free syrian army, and the country Descended into a war between rebels and the regime.
But assad still had his supporters, Some of whom were hackers.
They decided to form a cyber militia.
They called it the syrian electronic army.
Brian merchant is a reporter at motherboard, Who investigated the origins of the group.
We met up at vice's head offices in brooklyn.
The syrian electronic army Is an activist hacker group.
They're pro-bashar al-assad.
They want to reveal the media as frauds, They wanna reveal the free syrian army as terrorists.
And to do so, they basically institute A series of high-profile attacks.
So are they just propagandists? Ultimately that's what their role is, Yeah, is propagandists.
There were mostly website defacements, But sometimes they had real-world consequences.
The sea hacked the twitter account of the associated press And tweeted that the white house had been attacked.
It caused the us stock market to dive Until it was exposed to be a fake tweet.
At the top of the militia hierarchy Was a hacker known as th3pr0.
Brian received a tip allegedly exposing th3pr0's identity.
He contacted him.
I'd been asking him, you know, like we have this information About you, and we basically can peg you as the leader.
And he got really flustered and angry, And he denied it in a series of emails, And he said, "if you reveal me, then you will be hacked.
We will hack vice."
Brian published his exposé.
Th3pr0 made good on his word, and vice was hacked.
I decided to track down th3pr0.
He agreed to chat online.
I asked him if the army of hackers He said "internet soldier" was the preferred term.
The real soldiers were on the battlefield.
I wanted to know if the sea Was under the official control of assad.
Th3pr0 was adamant that they weren't affiliated With the government regime, but that they did use Back channels to deliver important intelligence.
Those channels proved to be potentially dangerous For opposition protestors.
They were capable of collecting a lot of information, Hacking a lot of people.
They published around 11,000 accounts.
They were compromised in different ways.
And then passing this along to the regime? We've seen a lot of organizing between them And the syrian government, exchanging information between Each other or exchanging targets between each other.
Months after speaking with him, Th3pr0, or ahmed al agha as brian identified, Indicted for hacking-related charges by the us government.
The syrian electronic army Gained the attention of the world through pr-savvy hacks, But they weren't assad's only hacker allies.
In syria, what began as a popular democracy movement Rapidly escalated into a civil war.
Assad had responded on the battlefield With an aggressive campaign of barrel bombs.
Online, the syrian internet was now infected with malware.
Eva galperin is a hacker.
She started tracking cyber militias shortly after The street protests turned into a bloody conflict.
It wasn't long before her research revealed the dangerous New militia known as the syrian malware team.
They were using the internet to gather intelligence On opposition forces.
To begin with, there isn't just sort of one syrian malware team.
We were able to track At least two distinct actors in this space.
These two malware groups were targeting members of the Syrian opposition, so anybody who was opposed to assad.
And mostly these were people who were located inside of syria.
Sometimes in territory that assad still controlled, Sometimes in territory that assad no longer controlled, And sometimes members of the syrian diaspora, Which became sort of more influential and more powerful As the conflict has raged on, and more people have left.
And the tools they were using were very different.
Yes.
The malware teams that we were tracking were using Remote access tools like xtreme rat, darkcomet, blackshades.
And something like a rat, how does it work exactly? So a remote access tool is a tool that once an attacker Gets you to install it on your machine, Allows them to do anything that you can do on your computer.
So they can log all of your keystrokes, They can take screenshots, they can see through your webcam, They can listen through your microphone.
Anything that you're capable of doing, they can do, And then they can exfiltrate that data back Back to themselves.
And these remote access tools are very cheap or free, But they can still get you full control of somebody's computer If you can get somebody to install them on their computer.
In 2012, assad's forces used darkcomet To monitor opposition groups in aleppo.
They hid the malware in a pdf that claimed to hold Instructions on how to help the city, Which was under siege by the regime.
As soon as the target downloaded the pdf, The malware was installed, And assad's opponents were under surveillance.
These were people that were still in syrian territory, And territory controlled by assad.
And so if you compromise them, Things got very, very dangerous for them because assad could Come and have them, you know, arrested and then killed.
The cyberspace in syria now Is ridiculously, ridiculously dirty.
Full of malware, full of phishing, Full of a lot of cyber attacks That it truly made it an unsafe space for any user.
Different factions looking for intelligence They can feed to their groups.
They don't care if it's malware.
If it's gonna open a back door in your machine To some other faction, they don't care.
Sounds a lot like the actual war.
It is exactly like the actual war.
It is 100% a reflect for the actual war that's happening.
To further escalate syria's cyberwar.
Pro-assad hackers - difficult to attribute But now all over the syrian internet - launched an attack Designed to steal battle plans from the free syrian army.
The plans detailed a strategy to retake the town Of khirbet ghazaleh, a key city for the rebellion.
Nart villeneuve was working as a researcher for fireeye When he first discovered the hack, and he was the Perfect person to tell me how the battle plans were stolen.
There was hand-annotated maps.
Pictures of them were taken with cell phones And distributed to the fighting units.
Lists of individuals with their names, Phone numbers, whether or not they had weapons.
That stuff is extremely valuable in a conflict zone.
The hack wasn't technically complex.
Instead it relied on social engineering, A technique where hackers trick their targets Through psychological manipulation.
Hackers initiated contact through skype, Presenting themselves as beautiful women.
They would initiate conversations, Try to establish a little bit of rapport with them, Ask them to send them a picture of themselves, Flatter them a little bit, and then say, you know, "do you wanna see a picture of me?" When they would send that picture, Really that was the malware.
They would compromise that individual, and then they would Be able to harvest the full skype chat histories Of anyone else who used that computer as well.
We obviously can't jump straight to concluding who's ultimately Responsible, but it definitely looks like it is a group That is acting to benefit the assad regime, And has some sort of connection to lebanon.
It made sense that hackers in lebanon, possibly affiliated With hezbollah, might be supporting assad.
Hezbollah is iran's political proxy in lebanon, And iran is the syrian regime's ally.
We found a document that is supposedly a leaked document From syrian intelligence that we can't verify, That talks about the exact tactics that we see this group Using to target the opposition, including the use of fake female Personas to try to entrap individuals and other efforts To discredit the opposition online.
By 2013, hezbollah was engaging syrian rebels On the battlefield.
Now, pro-assad hackers based in lebanon Were engaging them in cyberspace too.
But support from syria's allies wasn't enough for assad to keep The islamic state.
In syria, the war was causing the country to fracture.
Then isis arrived.
The jihadis set up their capital in raqqa.
They took over the land and unleashed a wave of terror.
Like the electronic army and the malware teams That had come before them, the islamic state would also Go after their opponents on the digital frontline.
Their crimes were documented in high-profile execution videos, Distributed over the internet.
Rami abdul rahman knows what it's like To be targeted by isis.
He's a syrian activist who now lives in the uk After seeking asylum over 15 years ago.
His work exposing war crimes in syria made him a target.
He was hacked by the terror group supporters, Photoshopped in front of jihadi john, The infamous isis executioner, His data was targeted, and his server was destroyed.
How did that make you feel, To see yourself in an orange jumpsuit? But who was behind the hack? I'd already been communicating With islamic state fighters online.
Some of them were as easy as a text message away.
Junaid hussain was allegedly one of these fighters.
In syria, he was known as abu hussain al-britani, The architect of the islamic state's cyber army.
But before he traveled to syria to join isis, Junaid was a regular kid from England best known as trick Of the now-disbanded uk hacking collective, teamp0ison.
I traveled to newcastle To meet with junaid's former hacking colleague, mlt.
For security reasons, we can't show his face.
What was trick like back in the day Before all of this islamic state stuff? Trick hacked the email of tony blair's personal assistant.
Together with mlt, he flooded the anti-terror hotline of mi6 With prank phone calls.
Do you know about teamp0ison? I've heard about teamp0ison, yeah.
We embarrass governments, And the police.
Yeah They did it as an act of political protest, But also for the lulz.
It got them both arrested, but only junaid went to jail.
Did prison change junaid? How did he radicalize? Because I guess after the tony blair hack, He was probably one of the most famous hackers in britain.
Was he a skilled hacker? In August 2015, junaid was killed in a us air strike.
Before he was assassinated, junaid is thought to have Carried out another cyber attack.
This one was designed to expose the location of the Islamic state's critics so they could be captured and killed.
In syria, cyber attacks were used by groups affiliated With the assad regime to wage war online.
When isis arrived, they seemed to adopt similar techniques To target their opponents.
Isis claims the men being executed in this video Are members of raqqa is being slaughtered silently, A group of activists who document and expose The atrocities of the so-called islamic state.
Hamood mohamed almossa is in charge of Cybersecurity for the group.
He agreed to skype with me from an undisclosed location.
Hamood, do you want to explain to me how isis was hunting down Members of your organization online? He can't fully prove it, but hamood believes junaid hussain Orchestrated the attack so that isis could locate And kill their opposition.
Fortunately, hamood wasn't fooled by the phishing attack, And he didn't download the malware.
But did others, and were they killed as a result? Isis is almost adopting everything That was successful in syria.
We're talking about images, we're talking about video, We're talking about cyber attacks.
And again, these were techniques that were essentially Tried and true from earlier phases of the syrian civil war.
Exactly.
And then here we are, they're adopting it again.
The war in syria showed that armies of hackers Can assist soldiers in the battlefield Because the tools are both easy to use and free to acquire.
That are increasingly available to everybody now.
So the whole idea is that these tools are no longer just in The hands of the chinese or russian or american government, That people like well, people like you and me, Only with far worse intentions, now have these tools and can Engage in relatively sophisticated spying.
And same goes for a battlefield.
Absolutely.
As the war becomes hot, and as, you know, Battlefield intelligence becomes more important, This sort of surveillance and espionage becomes Part of the battlefield and part of the battle plan.
In a lot of cases it's simple social engineering, But they're very effective at it.
The types of targets that they're going after are usually Individuals active on twitter and facebook so they don't need To use anything particularly advanced to get the job done.
In syria, the issue is not only the hacking itself, But the inability of the targets to protect themselves.
You can really no longer be sure what side you're seeing, Or what kind of actor is involved, Or whether you're seeing some sort of false flag.
It just gets murkier and murkier with every year.
Syria is a country, or used to be a country, That government is watching you by default.
You under surveillance by default.
Syrians, they were not able actually to To change their behaviours, to know that they have rights Of their own privacy, or to protect themselves.
So the same things apply now on what's going on in The cyber conflict in syria.
People have no knowledge about protection Or why do I have to protect myself.
I thought that I have pretty good security protocols When it comes to encryption or circumvention or Or even protocols dealing with people.
Unfortunately, until someone came, and he was a journalist Not from syria and he starts filming me, And he was arrested.
And they got access to all our information.
And that was the minute That I had to leave the country immediately.
So I found that security is not about yourself only, But it's about the whole network that you're working with.
When the pro-democracy movement started in 2011, Few could've imagined that syria would fracture Into deadly chaos.
And no one could've guessed what an important role The internet would play not only on the battlefield, But crushing free speech and political reform.
While the country's future hangs in the balance, Syria offers a terrible window Into how the battles of the future can unfold, Both off- and online.
