Social Media Part of the Battlefield in Syria

Malware and exploits used to gather intelligence


Computer security researchers are accustomed to disturbing things popping up in their debuggers: zero-day exploits against unpatched security holes; sketchy JavaScript from compromised websites; sneaky, obfuscated code that has to be stripped down layer by layer to get to the truth of what it does.

But nothing prepared Morgan Marquis-Boire for what he saw last October while analyzing the contents of a malicious ZIP file found in Syria: a video of a civilian male being brutally slaughtered with a knife, then rolled into a shallow grave.

"Unthinkingly, once I'd managed to extract everything I actually watched the video, which I shouldn't have done," says Marquis-Boire. "It was actually really horrible. … It was probably one of the most traumatic days of malware analysis sitting at a desk in San Francisco that I've ever had."

For the last two years cyberwarriors loyal to Bashar al-Assad have made cyberspace a second front in the Syrian conflict. For nearly as long, Marquis-Boire and his colleagues Eva Galperin and John Scott-­Railton have been tracking and analyzing the arsenal of computer malware used against the Syrian opposition, journalists and NGOs. It's a very different kind of forensic analysis than researchers usually perform — urgent, chaotic, and with human lives on the line.

That's because the spyware circulating in Syria is used specifically to gather intelligence that winds up, according to the researchers, in the hands of the Assad regime, where it guides raids, attacks and arrests. In some cases, the military has rounded up suspected rebels and interrogated them about activities they conducted on their computers, without having seized the machine.