We thank Noura Al-Ameer for collaborating with this investigation, and for
graciously agreeing to be included in this report. The targeted nature of many
cases means that, without the help of brave targets and victims, we are often left
with a very limited view of what is taking place.
We are exceptionally grateful to colleagues at Citizen Lab for comments, critical
feedback, and assistance with document preparation including Ron Deibert,
Bill Marczak, Morgan Marquis-Boire, Sarah McKune, Masashi Nishihata, Irene
Poetranto,Christine Schoellhorn, and Adam Senft. Thanks also to Justin Kosslyn
and Brandon Dixon for helpful feedback.
We would also like to thank the following teams: Lookout, PassiveTotal and RiskIQ,
VirusTotal, and Cisco’s AMP Threat Grid Team for data correlation.
Very special thanks to other investigators who wished to remain anonymous but
provided exceptionally helpful assistance, especially TNG and Tuka.
Note: the night sky image of Syria used as background for several illustrations is
from CIMSS at the University of Wisconsin Madison.This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously-reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware
