Media Releases

Researchers Uncover New Cyber-Espionage Operation Targeting the Syrian Opposition

August 2, 2016

Toronto, ON – A new report from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto reveals a new cyber-espionage operation targeting the Syrian opposition.  The operation used clever deceptions to trick targets into opening malicious files and links containing malware capable of monitoring computers and Android phones.

The operation, which the researchers name Group5, was first uncovered when Syrian opposition politician Noura Al-Ameer received e-mails from “Assad Crimes,” a fictitious group. The e-mails included malicious PowerPoint documents containing malware.  Building from this discovery, the Citizen Lab team and collaborators, led by Senior Researcher John Scott-Railton, uncovered a website staging a variety of deceptively packaged malware targeting computers and Android phones.

Like many previously-reported operations, Group5 combines “just enough” technical sophistication, the use of obfuscation tools to hide from antivirus, and well-developed deceptions.

“Group 5 displayed a chameleon-like ability to borrow the language and style of the opposition. Social Engineering is a proven technique, and unfortunately human behavior can’t be “patched”. ” — John Scott-Railton, Citizen Lab, Research Team Lead and Senior Researcher

Malware attacks against the Syrian Opposition are nothing new.  The Citizen Lab and other researchers have tracked at least 4 campaigns since at least late 2011. Group5 stands out from these cases for its use of new tactics, tools, and infrastructure.

The Syrian Opposition has been the target of digital attacks for around 5 years, but we believe that Group5 is a new player in the game”– John Scott-Railton, Citizen Lab, Research Team Lead and Senior Researcher

Much of Group5’s activity suggests that the operators prefer working with Iranian-developed tools, and an Iranian hosting company.  While the report stops short of conclusively linking Group5 to a particular group, the evidence is strong enough that the researchers speculate that the group may be Iran-based.

“We do not attribute Group5 to a particular sponsor, but the operation has many features indicating that the operators may be Iranian, from tools, to language, to servers” –John Scott-Railton, Citizen Lab, Research Team Lead and Senior Researcher

The research shows how the internet, a powerful tool for online organizing and opposition movements, can also be leveraged by malicious groups. It also highlights the continued threat faced by the Syrian opposition, and its many partners, from malware campaigns.

“The report demonstrates yet again that civil society groups are persistently targeted by digital malware campaigns, and that their reliance on shared social media and digital mobilization tools can be a source of serious vulnerability when exploited by operators using clever social engineering methods.” Ron Deibert, Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

The Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, has an established track record of uncovering cyber espionage campaigns and other kinds of targeted digital attacks against human rights organizations.  For more about the Citizen Lab, see

For media inquiries, contact:

Dena Allen
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Tel: 416.946.0123

Guide on Citing in Media

Title: Group5: Syria and the Iranian Connection
By: John Scott-Railton, Bahr Abdulrazzak, Adam Hulcoop, Matt Brooks,  & Katie Kleemola
Published By: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 3 August 2016
Report URL: