Iranians connected to phishing attempt on tortured Syrian activist

Former Syrian National Council vice-president Nour Al-Ameer fled to Turkey after being arrested and tortured by the Assad regime — that's when someone attempted to phish her and steal her identity with a fake PowerPoint attachment purporting to be about the crimes of the Assad regime.

Al-Ameer smelled a phish and sent the email to the University of Toronto's Citizen Lab (previously), who traced the attack and found a seemingly accidentally exposed logfile on the phishing site that points to the attack having an Iranian connection; "possibly a privateer and likely working for either the Syrian or Iranian governments (or both)."
Group5 stands out from the operations that have already been reported on: some of the tactics and tools used have not been observed in this conflict; the operators seem comfortable with Iranian Persian dialect tools and Iranian hosting companies; and they appear to have run elements of the operation from Iranian IP space.

Like a chameleon, Group5 borrows opposition text and slogans for e-mail messages and watering holes, showing evidence of good social engineering and targeting. However, Group5's technical quality is low, and their operational security uneven. This is a common feature of many operations in the Syrian context: since the baseline security of many of the targets is very low, many successful threat actors seem to conserve (and in some cases not possess) more sophisticated techniques. We believe we identified Group5 early in its lifecycle, before all of the malware that had been staged and prepared could be deployed in a full campaign.

Our analysis indicates that Group5 is likely a new entrant in Syria, and we outline the circumstantial evidence pointing to an Iranian nexus. We do not conclusively attribute Group5 to a sponsor, although we suspect the interests of a state are present, in some form. Group5 is just the latest addition to an expanding cast of actors targeting Syrian opposition groups, and its entry into the conflict shows the continuing information security risks that they face.

Group5: Syria and the Iranian Connection

[John Scott-Railton, Bahr Abdulrazzak, Adam Hulcoop, Matt Brooks, & Katie Kleemola/Citizen Lab]

How foreign governments spy using PowerPoint and Twitter
[Ron Deibert/Washington Post]

Experts see Iranian link in attempt to hack Syrian dissident
[Raphael Satter/AP]