Hackers posing as Syrian-Canadians may be tied to ISIS

Hackers suspected of ties to ISIS posed as Syrian-Canadians to try to implant malicious software on a computer of a Syrian citizen media group, an internet watchdog says.

Malware aims to expose location of attacker's target

Kurdish Peshmerga troops have been fighting against Islamic State militants, but supporters of the jihadist group may be entering into a new battlefield: the internet. (Azad Lashkari/Reuters)

A Citizen Lab report released today says there's strong evidence that the Islamic jihadist group sent the phishing email in late November, but it's not conclusive.

"This bears little resemblance to anything we've seen from the usual suspects," said report co-author John Scott-Railton. "That, combined with who they are targeting … gives us pause and makes us think that maybe we're looking at ISIS malware."

If ISIS is responsible for the attempted attack on the citizen media group, it could mark an early warning sign that the group is embracing a new tactic in its fight to establish a caliphate.

Scott-Railton says that prospect should be "very concerning" for opponents of the Islamic State in Iraq and Syria, including humanitarian organizations, citizen media groups and Western governments. Canada is part of a U.S.-led coalition fighting ISIS in Iraq and Syria.

Scott-Railton, a research fellow with the Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, says the group analyzed the malware and decided to publish the report to warn others of the potentially dangerous implant.

    The malware posed an "extreme threat" to the safety of members of the targeted group, Raqqah Is Being Slaughtered Silently (RSS), he said.

    How group targeted

    The email sent by hackers was carefully worded to instil the trust of the activists.

    "It was clearly done by someone who knew how the group was going to interact and had a pretty good sense that the group would find it credible," said Scott-Railton.

    Hackers pretended to represent a group of Syrians residing in Canada who were preparing a news report on life in the northern Syria city of Raqqa, used as the de facto ISIS capital. It was a plausible alias since nearly 41,000 Canadians identify as Syrian.

    "We are working with media because we believe in the importance of shedding light on the realities of life in Syria, and Raqqa in particular," the hackers wrote.

    The email asked the citizens group to download a link containing its preliminary report and a map of Syria, asking them to check it for accuracy.

    The activist decided not to click on the malicious link and instead sent it to an online safety group. The email later ended up in the hands of Citizen Lab analysts, who have spent years examining the use of malware in the Syrian conflict.

    If the activist had clicked on the link, malware would have infected their computer and then emailed the attacker its IP address. Each time the activist turned on the computer, the hacker would receive IP information, essentially acting as a beacon to locate the individual.

    Many members of Raqqah Is Being Slaughtered Silently are not publicly identified because of safety concerns. However, the beacon would have given the hackers enough information to locate the member in the region, which has few internet cafés, many of which are ISIS run.

    A 'unique development'

    A large part of the reason Citizen Lab analysts suspect ISIS of the attempted attack is that it was "not highly technical," unlike the ones they have seen over the years from supporters of the Syrian regime.

    Islamic State has declared the northern Syria city of Raqqa its capital. This photo supplied by Raqqa Is Being Slaughtered Silently shows the damage to the city after a recent Syrian government air strike. (Raqqa Is Being Silently Slaughtered/The Associated Press)

    Nor does it fit with any of the characteristics of Syrian regime-related attacks, which tend to use malware that allows remote access of the target's computer.

    ISIS also has clear motivation. The Islamist group has targeted Raqqah Is Being Slaughtered Silently in the past, reportedly kidnapping and killing members.

    Recently, ISIS supporters said the group had set up CCTV cameras. One supporter said on social media that the system could be used to track down members of the citizen media group.

    Amarnath Amarasingam, a post-doctoral student at Dalhousie University researching radicalization, says ISIS is obsessed with the image projected of it, particularly of Raqqa, the city it uses as a capital.

    "It is a kind of unique development in how they control the message," said Amarasingam.

    He says ISIS has attracted a number of foreign fighters from all walks of life, from graphic designers to computer scientists, so it's not surprising to see the Islamic State becoming cyber savvy.

    Junaid Hussain, a British hacker who was jailed for stealing former U.K. prime minister Tony Blair's address book in 2012 and publishing it, is believed to have travelled to Syria to join ISIS.

    Islamic State has expressed interest in electronic surveillance.

    Last week, a post to a pro-Islamic State forum carried a proposal for a project that would task a team of computer experts with hacking into the caliphate's enemies, according to the SITE Intelligence Group. 

    With files from The Associated Press

