It’s been months since the French capital was hit by a wave of ISIL-inspired terrorism, famously targeting the magazine Charlie Hebdo and a Jewish supermarket. But unbeknown to the world, more strikes were underway. Computer hackers were planning a massive cyber attack, the target, TV5Monde, a global network of 12 French language channels.
April 8, 2015 was to be the launch date for this new lifestyle channel aimed at the Middle East. Network Controller Yves Bigot had spent the day hosting VIPs and ministers, but that very evening, things started going wrong.
YVES BIGOT, TV5MONDE: I just got a lot of calls and messages all at once. First and most important of all, all 12 of our channels went, you know, dark screen which is the worst that can happen when you work in television.
TV5’s Internet sites, apps and social networks were also down. They were replaced by messages from a “cyber caliphate”. It seemed clear that the hack was carried out in retaliation against the French military’s involvement in the Middle East. Inside the machines the viruses continued to work, not just to take the channel off air, but to destroy it as a broadcasting entity.
YVES BIGOT: This is an attack that was very powerful, that was hugely financed, and took huge knowledge of our broadcasting systems.
So how did a TV station in France end up getting taken down by hackers and did they really have ISIL links? This was the start of our investigation into Syria’s cyber war, following a series of events that began four years ago when Syrians rose up against President Assad.
Early 2011. The Arab Spring is sweeping across the region. In Syria, demonstrators are demanding that President Assad go. When security forces crack down... activists start filming, such as this event with peaceful demonstrators in a mosque in Damascus.
RAMI JARRAH, JOURNALIST: That day, we went home and wanted to upload the content, but the internet was slow and it was slow in the whole of Syria. We had about 150 attempts and then I finally got on. I didn’t know anyone, but I posted it on the Facebook Syrian Revolution page and then a journalist contacted me and said, “Can I have the video? Can you give it to me in high quality?”
Rami Jarrah became one of Syria’s best-known media activists. Today he lives in Gaziantep, a town in south-eastern Turkey near the Syrian border.
RAMI JARRAH: Before I thought Facebook was stupid. I thought there’s no point of it. But, if I have a video that shows the protests to prove that there are people that are against Assad, and when Assad was saying, “No one is against me” - and we just wanted to prove it. It was our only line of expressing ourselves.
Digital media and the internet had become a weapon. As the revolution unfolded, the Assad regime was confronted not only by Syrians:
HACKERS: “Greetings to our friends around the world. We are anonymous, the global resistance to tyranny ... ”
Anonymous hackers accessed Syrian government websites, such as the Ministry of Defence’s, and defaced them. Syrian activists would later hack into President Assad’s personal email to reveal intimate and embarrassing secrets that made headlines around the world. They were squarely against the regime.
HACKERS: Digital surveillance is common and upon arrest, many citizens are tortured until they reveal their social network accounts and passwords.
One of the activists detained by the government was Rami Jarrah.
RAMI JARRAH: In my arrest, I spent three days where I was tortured. But on the second day I was taken in for interrogation. Before, there weren’t really any questions, there wasn’t really anything they wanted, it was just mainly punishment. You’re protesting against the government, you know, but the questions were, first of all, they wanted my Facebook account.
Inside Syria the demonstrations had spread and the levels of violence increased. And suddenly the Syrian internet, which had always been painfully slow, improved. The security agencies had realized the role the internet was playing in mobilising people and started using it against the activists.
RAMI JARRAH: They wanted to get their friends. So they wanted to know who their friends were and they wanted to know all the IPs that this account has been accessed from. So if I’d gone into my Facebook account or my Gmail account, if I’ve done that from Ghaburn from some media office - and that’s a secret media office - then they knew where that media office was, and they would start cracking down on all of those houses.
President Assad had found a secret weapon - his very own hacking collective:
www.syrian-es.org: The Syrian Electronic Army - nation, honour, loyalty!
They were positioning themselves in clear opposition to Anonymous, targeting not only activists, but also international media organisations perceived to be biased against the regime.
www.syrian-es.org: If you approach us expect your complete annihilation.
We managed to make contact with a Syrian hacker whom the Electronic Army tried to recruit.
REPORTER: What did they want you to do?
HACKER: They wanted me to do, like, the software intelligence of the equipment they had. So I said, “OK, I will think about it.” He said, “We can monitor 8,000 IP addresses per second now, we have this technology.”
Our informant tells us not only was the hackers’ base extremely well equipped with technology, but also that generous salaries were offered to those who joined. Then he plays us a clip of an Assad speech where the President refers to the Electronic Army as a real army in a virtual war. Assad had clearly understood the importance of cyber war.
HACKER: I look at the Internet since the first day of hacking. It’s a weapon, you have a weapon. If you have two programming languages, you are a hacker officially, if you want to be. You have the whole world. You have all the guns you need.
One of the Syrian Electronic Army’s most powerful weapons came from France. It’s a so-called “Trojan”, a software that installs itself into people’s computers and spies on them without them ever noticing its presence. Jean-Pierre Lesueur, a young French computer whiz kid, started coding this software when he was still in his teens. He called it “Dark Comet”. He tells me his goal was to make a name for himself and, like other developers at the time, he uploaded the software for free.
JEAN-PIERRE LESUEUR, COMPUTER PROGRAMMER (Translation): The motivation was positive, it was about improving skills in a field that was rapidly expanding and not about causing trouble.
Jean-Pierre says he learned from a newspaper article that Dark Comet was used by the Syrian government against activists.
JEAN-PIERRE LESUEUR (Translation): It was never intended to be used by governments, that was something that really overwhelmed me and the others as well. It was not the goal and I could have never imagined it, because usually the military develop their own software and don’t use existing software or freeware.
Jean-Pierre offers to show me how Dark Comet works. In Syria pro-Assad hackers had disguised the spying programme as a Skype security update to trick activists into clicking it.
REPORTER: I’ve just got a message here which says “sorry programme could not run normally, please try again later.”
JEAN-PIERRE LESUEUR: Yes. Exactly. Generally hackers use fake messages, to not be suspected.
REPORTER: Ok, so I will press “OK” as everybody would do and now it’s gone.
JEAN-PIERRE LESUEUR: And then I can see the connection between you and me.
REPORTER: And then what happens next?
JEAN-PIERRE LESUEUR: I can do anything I want. So as you can see now I can see your computer entirely, so I can even open something like “start menu”, “go to computer”. I control everything. I can do whatever I want. Alright. I can open the CD door!
JEAN-PIERRE LESUEUR: I can see that you have a Google account called “Juliana in Paris-2”.
REPORTER: I just created it, yeah.
JEAN-PIERRE LESUEUR: You’ve just created that! And the password is “My secret password”.
REPORTER: So you basically stole my password already?
But Jean-Pierre can go further. As well as looking at my computer, he can spy on me.
REPORTER: So you can actually watch me on your computer through my camera and I don’t even see that it is running.
JEAN-PIERRE LESUEUR: Exactly. So “Hello I hacked your computer”.
SPEAKER: Hello I hacked your computer.
JEAN-PIERRE LESUEUR: So you can hear what I’m saying and I can also press the button “capture”, then I can hear what you’re saying at real time.
REPORTER: Ok, so basically if I don’t know that you’re there, and I’m talking into my computer, you can listen to everything.
JEAN-PIERRE LESUEUR: It’s like if your drive was my drive.
REPORTER: So you’ve completely taken control of my computer, basically.
JEAN-PIERRE LESUEUR: Absolutely, yes!
But however powerful spying software may be, it only works once the computer user has clicked the malicious link. In response to the ever greater number of attacks a cyber security industry has emerged. Laura Galante is a Senior Threat Intelligence Analyst with FireEye. Her research shows a whole new way in which Dark Comet has been used - on the battlefield. Laura explains that Syrian opposition fighters were contacted via Facebook or match-making sites by seemingly beautiful women.
LAURA GALANTE, CYBER THREAT ANALYST: This is a perfect example of social engineering that is so targeted and narrowly focused that they are almost guaranteed to get their victim. In this case you have Syrian opposition fighters away from home, probably not a whole lot of contact! Right? With a seemingly interested and flirtatious Skype message. It’s a trick that’s gone on since the beginning of time, right? We’re just now seeing it in a networked dimension.
Since the early days of anti-Assad protests Syria has become engulfed in a full-blown war. What FireEye uncovered is how pro-regime hackers accessed 31,000 Skype conversations, many relating to the battle of Khirbet Ghazaleh - a military encounter in 2013 during which opposition forces lost access to crucial supply routes.
LAURA GALANTE: What we saw stolen around that battle and the discussions around it were very granular details around the planning. So 700 or 800 members of the opposition would be involved, the calculations of how many munitions were needed per person, the Excel spread sheets that laid out the formula for creating that.
The hacked material contained some advanced strategic battle planning.
LAURA GALANTE: This for example is the pen markings that one of the opposition victims is drawing onto what looks like a Google map kind of phone snapshot that he uploaded into a Skype conversation while he was talking to another victim and as these two opposition members discuss what’s the offensive line going to look like, what’s this battle going to look like, they’re planning for very tactical 'Take this hill, move around this corner' that type of level of direction that would be needed to plan a successful operation.
It is clear that since the early days of the revolution pro-Assad hackers have become much more capable. On the Syrian Electronic Army website the group not only brags about hacking opposition military leaders but also the countries who support them. Websites belonging to governments and ministries in Qatar, Saudi Arabia and Turkey have all been hacked and diplomatic and strategic secrets were revealed.
Turkey in particular has been a target. It has long supported the Syrian rebellion and it is home to Syrian activists and fighters. We’ve come to the border region to meet a rebel communications specialist. He’s taken us to a hilltop where Syria is laid out before us.
COMMUNICATIONS SPECIALIST: So this is the FSA?
REPORTER: Okay. So these are your people.
Cyber warfare may be on the rise but there is still information to be gleaned by using traditional radio scanners to intercept military communications between Syrian government forces.
COMMUNICATIONS SPECIALIST: Sometimes we can find the regime frequencies and we can expect some of their plans.
REPORTER: But sometimes you get information that gives you a military advantage?
COMMUNICATIONS SPECIALIST: Yes, sometimes. Sometimes. Especially when there is a special operation.
But suddenly we’re listening to altogether different voices.
COMMUNICATIONS SPECIALIST: This maybe ISIS. Maybe this one is ISIS, because they have different accents than the Syrians.
REPORTER: They are foreign fighters?
COMMUNICATIONS SPECIALIST: Yes, I think so. Yes, this one is for ISIS - they use security codes, so it’s not that easy to understand what they’re doing.
REPORTER: So, ISIS are more security conscious?
COMMUNICATIONS SPECIALIST: Yes, yes they are.
It is here in Kilis that many western jihadis crossed into Syria to go and fight with ISIL attracted by the group’s vast and sophisticated social media output. Earlier this year this brought Anonymous back on the scene with a rather grandiose message:
HACKERS: ISIS, we will hunt you, take down your sites, accounts, emails and expose you.
Anonymous published over 900 ISIL Twitter accounts, websites and emails, leading to their closure.
HACKERS: You will be treated like a virus and we are the cure.
But it is from inside Syria that a much less known and far more courageous digital protest is carried out. Activists who once confronted President Assad now live in ISIL-controlled territory. I have arranged to meet a group called Raqqa is Being Slaughtered Silently, or RSS. Under huge risk they record images of daily life and smuggle them out via a tightly controlled system of encrypted servers. Their goal is to bring media attention to the ISIL-controlled areas where almost all journalists have been arrested.
SARMAD AL JILANI, CYBER ACTIVIST (Translation): ISIL said there were no reporters in Raqqa, so we filmed the city’s main streets and posted the videos online to prove ISIL wrong.
To prevent ISIL from gaining information about the size of the reporter or the time of the day they blanked out his shadow. When an ISIL patrol van passes by the reporter is nearly caught. The group’s response upon publication of the clip was immediate.
SARMAD AL JILANI (Translation): Once we released it, ISIL posted on their Twitter page pictures from five cameras trying to analyse what time the video was shot and the height of the reporter, they wanted to know any details to find out who made the video.
RSS’s work is incredibly risky. When their campaign was launched, ISIL arrested 70 people simply for changing their Facebook picture to the RSS logo. And last year ISIL executed one of the campaign founders, al Moataz Billah Ibrahim.
SARMAD AL JILANI (Translation): We do not fight ISIL or Nusra Front themselves, we fight extremism that is foreign to Syrian society.
Back in Gaziantep we have arranged to meet Rami Jarrah again. Since he’s left Syria he’s set up a radio network to promote civil society.
RAMI JARRAH: So this is the Studio 1 for radio ANA and we have a program called Ma Ahnas 'With the people'. It’s an hour and a half – and we are interviewing a judge throughout, who defected from the Syrian government. This is now being broadcasted live.
It broadcasts from rebel areas into regime held territory.
RAMI JARRAH: If there wasn’t any media then the authority now in Syria could do what it wants. There’s no-one to talk about it. We don’t see our station itself becoming this mighty power but we think it’ll encourage other groups.
Up on the roof Rami Jarrah and his Radio ANA crew are assembling a new, internet-based transmission system that they plan to secretly smuggle across the border.
REPORTER: Do you think the cyber element of the conflict is going to be a blueprint for future conflicts to come?
RAMI JARRAH: Definitely, definitely. I think the Syrian government made a very clever decision, they took it very seriously. They took it very seriously. They weren’t advanced before the conflict, but just after the conflict began, the uprising began, we could see the difference. We could see how they advanced themselves and it was obvious that they were getting help.
REPORTER: What do you think should happen to foreign companies who came and supplied the regime with that expertise?
RAMI JARRAH: I think they should be dealt with very firmly. I think the companies should be banned from selling in that region all together, or something. There should be some sort of consequences.
And there are people determined to ensure that there will be consequences. Paris-based human rights lawyer, Clemence Bectarte, has prepared a case against the French network intelligence company Qosmos. FIDH alleges Qosmos was planning to help supply Assad’s secret police with a cyber-monitoring set up called Asfador.
CLEMENCE BECTARTE, INTERNATIONAL FEDERATION FOR HUMAN RIGHTS: It’s a whole system composed of hardware and software and this programme enables Syrian intelligence services, having a monitoring facility in their compounds, to be able to monitor in real-time all the electronic communication being exchanged in Syria using key words. So you have access to all the IP addresses and then you can identify from whom it’s coming, from where it’s coming.
Bectarte accuses Qosmos of being complicit in acts of torture saying its technology helped track down activists. But the company denies this saying it pulled out of the sale before the operational phase. The case has now gone before the Paris Court’s war crimes unit where the investigating judge has made Qosmos an 'assisted witness' thereby forcing the company to speak in court and under oath. Bectarte hopes that the next step will be a formal indictment.
CLEMENCE BECTARTE: What we want to achieve is to raise the question of accountability of these companies. Can such companies such as Qosmos, but others, can consider selling such material. Can they do so without being held accountable, without any kind of regulation, any kind of control and continue to sell these types of equipments to regimes which use them to better repress human rights defenders and activists?
Back at TV5Monde the investigation has taken a surprising turn. French officials are silent, but credible reports from private analysts say the attack came from a Russian hacking group APT28 pretending to be ISIL. Given the Russian government’s closeness to the Assad regime, this is not at all impossible.
REPORTER: Do you think we are entering a new era of hacking and electronic warfare?
YVES BIGOT: Oh yes. That's for sure, that we are the example for the general public, to understand that there's a new war that's going on now which is a cyber war, which means that your territory is not attacked by soldiers or by tanks but that there's a war in the cyberspace going on.
As the Syrian revolution descended into a brutal war, the rest of the world watched on from a position of safety. But cyber war respects no borders…
SARMAD AL JILANI (Translation): It does not matter where they are, because all their work and hacking is online, so wherever they are they are still our enemies because what matters is their work not their location.
Thousands of attacks take place around the world each day. Most are aimed at commercial targets but the Syrian conflict is a likely blueprint for the way future wars will be played out.
6th October 2015