The Iranian Connection

Today, the Citizen Lab is publishing a new report, authored by the Citizen Lab’s John Scott-Railton, Bahr Abdulrazzak, Adam Hulcoop, Matt Brooks, and Katie Kleemola of Lookout, entitled “Group 5: Syria and the Iran Connection.”

The full report is here:

Associated Press has an exclusive report here:

And, I wrote an oped for the Washington Post about our report, which can be found here:

This report describes an elaborately staged malware operation with targets in the Syrian opposition. We first discovered the operation in late 2015 when a prominent member of the Syrian opposition, Noura Al-Ameera, spotted a suspicious e-mail containing a PowerPoint slideshow purporting to show evidence of “Assad crimes.”  Rather than open it, Al-Ameera wisely forwarded it to us at the Citizen Lab for further analysis.  Upon investigation, we determined the PowerPoint was laden with spyware.

Following that initial lead, our researchers spent several months engaged in careful network analysis, reverse engineering, and mapping of the command and control infrastructure.  Although we were not able to make a positive attribution to a single government (a common issue in cyber espionage investigations), we were able to determine that behind the targeted attack on Noura Al-Ameera is a new espionage group operating out of Iranian Internet space, possibly a privateer and likely working for either the Syrian or Iranian governments (or both).

Citizen Lab has tracked four separate malware campaigns that have targeted the Syrian opposition since the early days of the conflict: Assad regime-linked malware groups, the Syrian Electronic Army, ISIS, and a group with ties to Lebanon. Our latest report adds one more threat actor to the list, which we name “Group5” (to reflect the four other known malware groups) with ties to Iran.

The report demonstrates yet again that civil society groups are persistently targeted by digital malware campaigns, and that their reliance on shared social media and digital mobilization tools can be a source of serious vulnerability when exploited by operators using clever social engineering methods.