Media Releases

Researchers Uncover New Cyber-Espionage Operation Targeting the Syrian Opposition

August 2, 2016

Toron­to, ON – A new report from the Cit­i­zen Lab at the Munk School of Glob­al Affairs at the Uni­ver­si­ty of Toron­to reveals a new cyber-espi­onage oper­a­tion tar­get­ing the Syr­i­an oppo­si­tion.  The oper­a­tion used clever decep­tions to trick tar­gets into open­ing mali­cious files and links con­tain­ing mal­ware capa­ble of mon­i­tor­ing com­put­ers and Android phones.

The oper­a­tion, which the researchers name Group5, was first uncov­ered when Syr­i­an oppo­si­tion politi­cian Noura Al-Ameer received e‑mails from “Assad Crimes,” a fic­ti­tious group. The e‑mails includ­ed mali­cious Pow­er­Point doc­u­ments con­tain­ing mal­ware.  Build­ing from this dis­cov­ery, the Cit­i­zen Lab team and col­lab­o­ra­tors, led by Senior Researcher John Scott-Rail­ton, uncov­ered a web­site stag­ing a vari­ety of decep­tive­ly pack­aged mal­ware tar­get­ing com­put­ers and Android phones.

Like many pre­vi­ous­ly-report­ed oper­a­tions, Group5 com­bines “just enough” tech­ni­cal sophis­ti­ca­tion, the use of obfus­ca­tion tools to hide from antivirus, and well-devel­oped decep­tions.

“Group 5 dis­played a chameleon-like abil­i­ty to bor­row the lan­guage and style of the oppo­si­tion. Social Engi­neer­ing is a proven tech­nique, and unfor­tu­nate­ly human behav­ior can’t be “patched”. ” — John Scott-Rail­ton, Cit­i­zen Lab, Research Team Lead and Senior Researcher

Mal­ware attacks against the Syr­i­an Oppo­si­tion are noth­ing new.  The Cit­i­zen Lab and oth­er researchers have tracked at least 4 cam­paigns since at least late 2011. Group5 stands out from these cas­es for its use of new tac­tics, tools, and infra­struc­ture.

The Syr­i­an Oppo­si­tion has been the tar­get of dig­i­tal attacks for around 5 years, but we believe that Group5 is a new play­er in the game”– John Scott-Rail­ton, Cit­i­zen Lab, Research Team Lead and Senior Researcher

Much of Group5’s activ­i­ty sug­gests that the oper­a­tors pre­fer work­ing with Iran­ian-devel­oped tools, and an Iran­ian host­ing com­pa­ny.  While the report stops short of con­clu­sive­ly link­ing Group5 to a par­tic­u­lar group, the evi­dence is strong enough that the researchers spec­u­late that the group may be Iran-based.

“We do not attribute Group5 to a par­tic­u­lar spon­sor, but the oper­a­tion has many fea­tures indi­cat­ing that the oper­a­tors may be Iran­ian, from tools, to lan­guage, to servers” –John Scott-Rail­ton, Cit­i­zen Lab, Research Team Lead and Senior Researcher

The research shows how the inter­net, a pow­er­ful tool for online orga­niz­ing and oppo­si­tion move­ments, can also be lever­aged by mali­cious groups. It also high­lights the con­tin­ued threat faced by the Syr­i­an oppo­si­tion, and its many part­ners, from mal­ware cam­paigns.

“The report demon­strates yet again that civ­il soci­ety groups are per­sis­tent­ly tar­get­ed by dig­i­tal mal­ware cam­paigns, and that their reliance on shared social media and dig­i­tal mobi­liza­tion tools can be a source of seri­ous vul­ner­a­bil­i­ty when exploit­ed by oper­a­tors using clever social engi­neer­ing meth­ods.” Ron Deib­ert, Direc­tor of the Cit­i­zen Lab at the Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to.

The Cit­i­zen Lab, based at the Uni­ver­si­ty of Toronto’s Munk School of Glob­al Affairs, has an estab­lished track record of uncov­er­ing cyber espi­onage cam­paigns and oth­er kinds of tar­get­ed dig­i­tal attacks against human rights orga­ni­za­tions.  For more about the Cit­i­zen Lab, see

For media inquiries, con­tact:

Dena Allen
Pub­lic Affairs & Engage­ment
Munk School of Glob­al Affairs
Uni­ver­si­ty of Toron­to
Tel: 416.946.0123

Guide on Cit­ing in Media

Title: Group5: Syr­ia and the Iran­ian Con­nec­tion
By: John Scott-Rail­ton, Bahr Abdul­raz­zak, Adam Hul­coop, Matt Brooks,  & Katie Kleemo­la
Pub­lished By: The Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to
Pub­li­ca­tion Date: 3 August 2016
Report URL: