Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,435 --> 00:00:04,303 of thousands dead, millions displaced. 2 00:00:04,338 --> 00:00:07,172 The Syrian secret police got a lot better 3 00:00:07,208 --> 00:00:09,341 at monitoring social media. 4 00:00:09,376 --> 00:00:12,477 The war is being fought both on the battlefield and online. 5 00:00:12,513 --> 00:00:13,979 If you compromise them, 6 00:00:14,014 --> 00:00:17,015 Assad could come and have them arrested and then killed. 7 00:00:17,051 --> 00:00:19,151 Hackers connected to the Syrian Regime 8 00:00:19,186 --> 00:00:20,919 are targeting the opposition. 9 00:00:20,955 --> 00:00:23,455 ISIS is almost adopting everything 10 00:00:23,490 --> 00:00:25,757 that was successful in Syria. 11 00:00:25,793 --> 00:00:29,328 Sometimes, the consequences are lethal. 12 00:00:29,363 --> 00:00:30,796 Was he a skilled hacker? 13 00:00:35,903 --> 00:00:38,537 Is Syria the model for how future wars will be fought? 14 00:00:39,940 --> 00:00:49,948 ♪ 15 00:00:58,192 --> 00:01:00,325 As a national security reporter for VICE, 16 00:01:00,361 --> 00:01:03,161 I followed the Syrian War since the beginning. 17 00:01:03,197 --> 00:01:05,330 In 2011, a popular democracy movement 18 00:01:05,366 --> 00:01:07,366 blew up across the Middle East. 19 00:01:07,401 --> 00:01:09,534 It was fueled in part by social media, 20 00:01:09,570 --> 00:01:11,837 became known as the Arab Spring. 21 00:01:11,872 --> 00:01:13,639 Yet Syria was different. 22 00:01:13,674 --> 00:01:15,207 It stayed quiet. 23 00:01:15,242 --> 00:01:17,576 Run by a dictator named Bashar al-Assad, 24 00:01:17,611 --> 00:01:20,245 citizens were terrorized by secret police, 25 00:01:20,281 --> 00:01:22,347 mass surveillance, torture, 26 00:01:22,383 --> 00:01:25,250 and barely had any access to the internet. 27 00:01:25,286 --> 00:01:27,586 Amidst protests in nearby countries, 28 00:01:27,621 --> 00:01:30,055 the Assad Regime made the mistake of restoring access 29 00:01:30,090 --> 00:01:32,157 to Facebook and YouTube. 30 00:01:32,192 --> 00:01:35,727 Almost overnight, protests exploded across the country. 31 00:01:35,763 --> 00:01:38,163 I needed to talk to someone who was on the streets 32 00:01:38,198 --> 00:01:40,432 when protests first went down. 33 00:01:40,467 --> 00:01:43,702 Three weeks after I got there the street protests began, 34 00:01:43,737 --> 00:01:47,339 and that quickly overshadowed everything else we were doing. 35 00:01:47,374 --> 00:01:50,842 Robert Ford was the last US ambassador to serve in Syria. 36 00:01:50,878 --> 00:01:52,177 So when he did open up the internet, 37 00:01:52,212 --> 00:01:54,579 it couldn't have just been for benevolent reasons. 38 00:01:54,615 --> 00:01:56,948 There must've been also a surveillance aspect to it. 39 00:01:56,984 --> 00:02:01,153 When the revolution in Syria started, initially I don't think 40 00:02:01,188 --> 00:02:06,558 the regular foot police and secret police goons 41 00:02:06,593 --> 00:02:09,628 really understood what social media was. 42 00:02:09,663 --> 00:02:14,032 I met once with a protestor, and he was detained. 43 00:02:14,068 --> 00:02:16,101 This was in the suburbs of Damascus. 44 00:02:16,136 --> 00:02:18,870 When he was taken to the secret police station, 45 00:02:18,906 --> 00:02:20,405 they went through his backpack in front of him. 46 00:02:20,441 --> 00:02:22,541 And they were taking everything out, and they said, 47 00:02:22,576 --> 00:02:25,077 "Where is the Facebook? Where is the Facebook?" 48 00:02:25,112 --> 00:02:27,145 As if it was like a book with pages. 49 00:02:27,181 --> 00:02:29,815 So that was early on. 50 00:02:29,850 --> 00:02:34,486 As time went on, the Syrian secret police got a lot better 51 00:02:34,521 --> 00:02:38,557 at monitoring people's computers and monitoring social media. 52 00:02:39,760 --> 00:02:42,561 Protests continued, but Assad wouldn't cede his power. 53 00:02:42,596 --> 00:02:45,831 Instead, he sent soldiers to try and quell the uprising. 54 00:02:45,866 --> 00:02:49,835 The world watched the bloody crackdown play out on YouTube. 55 00:02:49,870 --> 00:02:52,504 Dlshad Othman was uploading videos to YouTube and Facebook 56 00:02:52,539 --> 00:02:54,439 during the early days of the revolution. 57 00:02:54,475 --> 00:02:56,241 It made him a target of the government, 58 00:02:56,276 --> 00:02:57,909 and he had to flee the country. 59 00:02:57,945 --> 00:03:00,979 For his safety, we chose an anonymous location to talk. 60 00:03:01,014 --> 00:03:04,249 Video content was the most important content 61 00:03:04,284 --> 00:03:05,650 coming out from Syria. 62 00:03:05,686 --> 00:03:07,853 We've lost a lot of our friends while they were filming. 63 00:03:07,888 --> 00:03:09,588 Snipers targeting people with cameras? 64 00:03:09,623 --> 00:03:11,022 Absolutely. 65 00:03:11,058 --> 00:03:13,425 Snipers targeting people, or checkpoint will stop you 66 00:03:13,460 --> 00:03:15,594 and check what's in your phones. 67 00:03:15,629 --> 00:03:18,597 But was the regime able to crack into Facebook, or at least 68 00:03:18,632 --> 00:03:21,500 hack into it in some way and get some of that information 69 00:03:21,535 --> 00:03:23,502 that would help them crack down on protestors? 70 00:03:23,537 --> 00:03:25,504 Yes, they were able to get a lot of accounts. 71 00:03:25,539 --> 00:03:26,938 They were able to hack into 72 00:03:26,974 --> 00:03:28,840 a lot of Syrian opposition leaders at that time. 73 00:03:28,876 --> 00:03:31,843 And going back to May 2011, 74 00:03:31,879 --> 00:03:35,947 that was the first time when the Syrian government implemented 75 00:03:35,983 --> 00:03:38,116 man-in-the-middle attack 76 00:03:38,152 --> 00:03:41,052 against the SSL certificate of Facebook. 77 00:03:41,088 --> 00:03:43,455 And explain to me what a man-in-the-middle attack is. 78 00:03:43,490 --> 00:03:46,191 The term "man-in-the-middle attack" came because 79 00:03:46,226 --> 00:03:49,027 there is someone in the middle who's trying to attack you. 80 00:03:49,062 --> 00:03:52,130 What the Syrian government did at that time is 81 00:03:52,166 --> 00:03:55,634 they pushed to the users a fake SSL certificate. 82 00:03:55,669 --> 00:03:58,970 Now, SSL is actually like an envelope and a key. 83 00:03:59,006 --> 00:04:01,206 Key is with Facebook. 84 00:04:01,241 --> 00:04:04,676 Facebook is sending you an envelope to put your data in, 85 00:04:04,711 --> 00:04:07,913 lock it, and then send it back to Facebook. 86 00:04:07,948 --> 00:04:09,648 But the Syrian internet providers, 87 00:04:09,683 --> 00:04:12,317 they received the envelope from Facebook, they replaced it 88 00:04:12,352 --> 00:04:14,486 with another one that they have the key for it. 89 00:04:14,521 --> 00:04:15,654 Their own envelope. 90 00:04:15,689 --> 00:04:16,988 Send it to the Syrian users. 91 00:04:17,024 --> 00:04:19,024 Users, they put their credentials, username, 92 00:04:19,059 --> 00:04:21,860 and passwords and messaging and post and etc. stuff. 93 00:04:21,895 --> 00:04:23,261 They send it back. 94 00:04:23,297 --> 00:04:25,330 Syrian internet providers opened it, 95 00:04:25,365 --> 00:04:27,732 got a copy of data, then send it back to Facebook. 96 00:04:29,203 --> 00:04:30,669 Assad was now using the internet 97 00:04:30,704 --> 00:04:32,904 to expose entire networks of activists. 98 00:04:32,940 --> 00:04:35,707 Once identified, they were often arrested then tortured, 99 00:04:35,742 --> 00:04:37,776 sometimes to death. 100 00:04:37,811 --> 00:04:39,578 The international media exploded with headlines 101 00:04:39,613 --> 00:04:42,180 detailing police crackdowns and tales of torture, 102 00:04:42,216 --> 00:04:44,916 creating a public relations nightmare for Assad. 103 00:04:44,952 --> 00:04:47,452 Soldiers defected from Assad's forces. 104 00:04:47,488 --> 00:04:50,088 Some formed the Free Syrian Army, and the country 105 00:04:50,123 --> 00:04:53,859 descended into a war between rebels and the regime. 106 00:04:53,894 --> 00:04:56,127 But Assad still had his supporters, 107 00:04:56,163 --> 00:04:58,530 some of whom were hackers. 108 00:04:58,565 --> 00:05:01,266 They decided to form a cyber militia. 109 00:05:01,301 --> 00:05:03,401 They called it the Syrian Electronic Army. 110 00:05:03,437 --> 00:05:05,904 Brian Merchant is a reporter at Motherboard, 111 00:05:05,939 --> 00:05:08,139 who investigated the origins of the group. 112 00:05:08,175 --> 00:05:10,642 We met up at VICE's head offices in Brooklyn. 113 00:05:10,677 --> 00:05:12,477 BRIAN: The Syrian Electronic Army 114 00:05:12,513 --> 00:05:14,880 is an activist hacker group. 115 00:05:14,915 --> 00:05:16,648 They're pro-Bashar al-Assad. 116 00:05:16,683 --> 00:05:19,551 They want to reveal the media as frauds, 117 00:05:19,586 --> 00:05:22,888 they wanna reveal the Free Syrian Army as terrorists. 118 00:05:22,923 --> 00:05:25,590 And to do so, they basically institute 119 00:05:25,626 --> 00:05:28,059 a series of high-profile attacks. 120 00:05:28,095 --> 00:05:29,561 So are they just propagandists? 121 00:05:29,596 --> 00:05:31,429 Ultimately that's what their role is, 122 00:05:31,465 --> 00:05:32,898 yeah, is propagandists. 123 00:05:32,933 --> 00:05:34,900 There were mostly website defacements, 124 00:05:34,935 --> 00:05:37,235 but sometimes they had real-world consequences. 125 00:05:37,271 --> 00:05:40,572 The SEA hacked the Twitter account of the Associated Press 126 00:05:40,607 --> 00:05:43,308 and tweeted that the White House had been attacked. 127 00:05:43,343 --> 00:05:44,743 It caused the US Stock Market to dive 128 00:05:44,778 --> 00:05:46,945 until it was exposed to be a fake tweet. 129 00:05:48,148 --> 00:05:49,447 At the top of the militia hierarchy 130 00:05:49,483 --> 00:05:51,816 was a hacker known as Th3Pr0. 131 00:05:51,852 --> 00:05:54,686 Brian received a tip allegedly exposing Th3Pr0's identity. 132 00:05:54,721 --> 00:05:56,421 He contacted him. 133 00:05:56,456 --> 00:05:59,024 I'd been asking him, you know, like we have this information 134 00:05:59,059 --> 00:06:02,661 about you, and we basically can peg you as the leader. 135 00:06:02,696 --> 00:06:05,830 And he got really flustered and angry, 136 00:06:05,866 --> 00:06:07,999 and he denied it in a series of emails, 137 00:06:08,035 --> 00:06:11,102 and he said, "If you reveal me, then you will be hacked. 138 00:06:11,138 --> 00:06:12,671 We will hack VICE." 139 00:06:12,706 --> 00:06:14,773 Brian published his exposé. 140 00:06:14,808 --> 00:06:18,343 Th3Pr0 made good on his word, and VICE was hacked. 141 00:06:18,378 --> 00:06:20,612 I decided to track down Th3Pr0. 142 00:06:20,647 --> 00:06:22,447 He agreed to chat online. 143 00:06:22,482 --> 00:06:24,616 I asked him if the army of hackers 144 00:06:24,651 --> 00:06:26,184 viewed themselves as soldiers. 145 00:06:26,219 --> 00:06:29,120 He said "internet soldier" was the preferred term. 146 00:06:29,156 --> 00:06:31,656 The real soldiers were on the battlefield. 147 00:06:31,692 --> 00:06:33,391 I wanted to know if the SEA 148 00:06:33,427 --> 00:06:36,161 was under the official control of Assad. 149 00:06:36,196 --> 00:06:37,796 Th3Pr0 was adamant that they weren't affiliated 150 00:06:37,831 --> 00:06:40,298 with the government regime, but that they did use 151 00:06:40,334 --> 00:06:43,134 back channels to deliver important intelligence. 152 00:06:43,170 --> 00:06:45,136 Those channels proved to be potentially dangerous 153 00:06:45,172 --> 00:06:47,639 for opposition protestors. 154 00:06:47,674 --> 00:06:49,908 They were capable of collecting a lot of information, 155 00:06:49,943 --> 00:06:51,810 hacking a lot of people. 156 00:06:51,845 --> 00:06:55,046 They published around 11,000 accounts. 157 00:06:55,082 --> 00:06:56,648 They were compromised in different ways. 158 00:06:56,683 --> 00:06:58,650 And then passing this along to the regime? 159 00:06:58,685 --> 00:06:59,851 Absolutely. 160 00:06:59,886 --> 00:07:02,487 We've seen a lot of organizing between them 161 00:07:02,522 --> 00:07:05,056 and the Syrian government, exchanging information between 162 00:07:05,092 --> 00:07:07,892 each other or exchanging targets between each other. 163 00:07:07,928 --> 00:07:09,861 Months after speaking with him, 164 00:07:09,896 --> 00:07:13,565 Th3Pr0, or Ahmed Al Agha as Brian identified, 165 00:07:13,600 --> 00:07:17,602 was indicted for hacking-related charges by the US government. 166 00:07:17,638 --> 00:07:19,537 The Syrian Electronic Army 167 00:07:19,573 --> 00:07:22,574 gained the attention of the world through PR-savvy hacks, 168 00:07:22,609 --> 00:07:25,210 but they weren't Assad's only hacker allies. 169 00:07:28,248 --> 00:07:30,882 BEN: In Syria, what began as a popular democracy movement 170 00:07:30,917 --> 00:07:34,319 rapidly escalated into a civil war. 171 00:07:34,354 --> 00:07:36,054 Assad had responded on the battlefield 172 00:07:36,089 --> 00:07:38,690 with an aggressive campaign of barrel bombs. 173 00:07:38,725 --> 00:07:41,493 Online, the Syrian internet was now infected with malware. 174 00:07:43,697 --> 00:07:45,664 Eva Galperin is a hacker. 175 00:07:45,699 --> 00:07:47,799 She started tracking cyber militias shortly after 176 00:07:47,834 --> 00:07:50,735 the street protests turned into a bloody conflict. 177 00:07:50,771 --> 00:07:53,171 It wasn't long before her research revealed the dangerous 178 00:07:53,206 --> 00:07:55,507 new militia known as the Syrian Malware Team. 179 00:07:55,542 --> 00:07:57,175 They were using the internet to gather intelligence 180 00:07:57,210 --> 00:07:58,977 on opposition forces. 181 00:07:59,012 --> 00:08:02,047 To begin with, there isn't just sort of one Syrian Malware Team. 182 00:08:02,082 --> 00:08:03,748 We were able to track 183 00:08:03,784 --> 00:08:06,818 at least two distinct actors in this space. 184 00:08:06,853 --> 00:08:11,823 These two malware groups were targeting members of the 185 00:08:11,858 --> 00:08:16,695 Syrian opposition, so anybody who was opposed to Assad. 186 00:08:16,730 --> 00:08:20,398 And mostly these were people who were located inside of Syria. 187 00:08:20,434 --> 00:08:23,401 Sometimes in territory that Assad still controlled, 188 00:08:23,437 --> 00:08:26,204 sometimes in territory that Assad no longer controlled, 189 00:08:26,239 --> 00:08:28,606 and sometimes members of the Syrian diaspora, 190 00:08:28,642 --> 00:08:31,710 which became sort of more influential and more powerful 191 00:08:31,745 --> 00:08:35,213 as the conflict has raged on, and more people have left. 192 00:08:35,248 --> 00:08:36,781 And the tools they were using were very different. 193 00:08:36,817 --> 00:08:38,249 Yes. 194 00:08:38,285 --> 00:08:43,121 The malware teams that we were tracking were using 195 00:08:43,156 --> 00:08:48,093 remote access tools like Xtreme RAT, DarkComet, Blackshades. 196 00:08:48,128 --> 00:08:50,195 And something like a RAT, how does it work exactly? 197 00:08:50,230 --> 00:08:54,733 So a remote access tool is a tool that once an attacker 198 00:08:54,768 --> 00:08:56,634 gets you to install it on your machine, 199 00:08:56,670 --> 00:08:59,938 allows them to do anything that you can do on your computer. 200 00:08:59,973 --> 00:09:01,873 So they can log all of your keystrokes, 201 00:09:01,908 --> 00:09:05,376 they can take screenshots, they can see through your webcam, 202 00:09:05,412 --> 00:09:07,545 they can listen through your microphone. 203 00:09:07,581 --> 00:09:09,748 Anything that you're capable of doing, they can do, 204 00:09:09,783 --> 00:09:12,317 and then they can exfiltrate that data back... 205 00:09:12,352 --> 00:09:13,885 back to themselves. 206 00:09:13,920 --> 00:09:17,555 And these remote access tools are very cheap or free, 207 00:09:17,591 --> 00:09:21,392 but they can still get you full control of somebody's computer 208 00:09:21,428 --> 00:09:24,429 if you can get somebody to install them on their computer. 209 00:09:24,464 --> 00:09:27,232 In 2012, Assad's forces used DarkComet 210 00:09:27,267 --> 00:09:29,734 to monitor opposition groups in Aleppo. 211 00:09:29,770 --> 00:09:32,070 They hid the malware in a PDF that claimed to hold 212 00:09:32,105 --> 00:09:34,105 instructions on how to help the city, 213 00:09:34,141 --> 00:09:36,341 which was under siege by the regime. 214 00:09:36,376 --> 00:09:38,143 As soon as the target downloaded the PDF, 215 00:09:38,178 --> 00:09:39,978 the malware was installed, 216 00:09:40,013 --> 00:09:42,747 and Assad's opponents were under surveillance. 217 00:09:42,783 --> 00:09:46,618 These were people that were still in Syrian territory, 218 00:09:46,653 --> 00:09:48,953 and territory controlled by Assad. 219 00:09:48,989 --> 00:09:51,022 And so if you compromise them, 220 00:09:51,057 --> 00:09:55,527 things got very, very dangerous for them because Assad could 221 00:09:55,562 --> 00:09:59,531 come and have them, you know, arrested and then killed. 222 00:09:59,566 --> 00:10:01,432 The cyberspace in Syria now 223 00:10:01,468 --> 00:10:05,303 is ridiculously, ridiculously dirty. 224 00:10:05,338 --> 00:10:07,338 Full of malware, full of phishing, 225 00:10:07,374 --> 00:10:09,474 full of a lot of cyber attacks 226 00:10:09,509 --> 00:10:13,178 that it truly made it an unsafe space for any user. 227 00:10:13,213 --> 00:10:14,679 Different factions looking for intelligence 228 00:10:14,714 --> 00:10:16,481 they can feed to their groups. 229 00:10:16,516 --> 00:10:17,816 They don't care if it's malware. 230 00:10:17,851 --> 00:10:19,884 If it's gonna open a back door in your machine 231 00:10:19,920 --> 00:10:22,153 to some other faction, they don't care. 232 00:10:22,189 --> 00:10:23,188 They just need to get access. 233 00:10:23,223 --> 00:10:24,689 Sounds a lot like the actual war. 234 00:10:24,724 --> 00:10:26,624 It is exactly like the actual war. 235 00:10:26,660 --> 00:10:30,061 It is 100% a reflect for the actual war that's happening. 236 00:10:31,431 --> 00:10:32,664 Soon, DarkComet was used 237 00:10:32,699 --> 00:10:35,033 to further escalate Syria's cyberwar. 238 00:10:35,068 --> 00:10:36,968 Pro-Assad hackers - difficult to attribute 239 00:10:37,003 --> 00:10:39,637 but now all over the Syrian internet - launched an attack 240 00:10:39,673 --> 00:10:42,740 designed to steal battle plans from the Free Syrian Army. 241 00:10:42,776 --> 00:10:45,176 The plans detailed a strategy to retake the town 242 00:10:45,212 --> 00:10:48,746 of Khirbet Ghazaleh, a key city for the rebellion. 243 00:10:48,782 --> 00:10:51,516 Nart Villeneuve was working as a researcher for FireEye 244 00:10:51,551 --> 00:10:53,651 when he first discovered the hack, and he was the 245 00:10:53,687 --> 00:10:56,588 perfect person to tell me how the battle plans were stolen. 246 00:10:56,623 --> 00:10:59,691 There was hand-annotated maps. 247 00:10:59,726 --> 00:11:02,093 Pictures of them were taken with cell phones 248 00:11:02,128 --> 00:11:05,163 and distributed to the fighting units. 249 00:11:05,198 --> 00:11:07,832 Lists of individuals with their names, 250 00:11:07,868 --> 00:11:10,535 phone numbers, whether or not they had weapons. 251 00:11:10,570 --> 00:11:13,838 That stuff is extremely valuable in a conflict zone. 252 00:11:13,874 --> 00:11:16,074 The hack wasn't technically complex. 253 00:11:16,109 --> 00:11:18,343 Instead it relied on social engineering, 254 00:11:18,378 --> 00:11:20,378 a technique where hackers trick their targets 255 00:11:20,413 --> 00:11:22,447 through psychological manipulation. 256 00:11:22,482 --> 00:11:24,883 Hackers initiated contact through Skype, 257 00:11:24,918 --> 00:11:26,885 presenting themselves as beautiful women. 258 00:11:26,920 --> 00:11:28,887 NART: They would initiate conversations, 259 00:11:28,922 --> 00:11:32,190 try to establish a little bit of rapport with them, 260 00:11:32,225 --> 00:11:34,959 ask them to send them a picture of themselves, 261 00:11:34,995 --> 00:11:36,928 flatter them a little bit, and then say, you know, 262 00:11:36,963 --> 00:11:38,229 "Do you wanna see a picture of me?" 263 00:11:38,265 --> 00:11:39,797 When they would send that picture, 264 00:11:39,833 --> 00:11:41,399 really that was the malware. 265 00:11:41,434 --> 00:11:43,868 They would compromise that individual, and then they would 266 00:11:43,904 --> 00:11:48,072 be able to harvest the full Skype chat histories 267 00:11:48,108 --> 00:11:51,643 of anyone else who used that computer as well. 268 00:11:51,678 --> 00:11:55,213 We obviously can't jump straight to concluding who's ultimately 269 00:11:55,248 --> 00:12:00,752 responsible, but it definitely looks like it is a group 270 00:12:00,787 --> 00:12:04,322 that is acting to benefit the Assad Regime, 271 00:12:04,357 --> 00:12:07,091 and has some sort of connection to Lebanon. 272 00:12:07,127 --> 00:12:09,594 It made sense that hackers in Lebanon, possibly affiliated 273 00:12:09,629 --> 00:12:12,397 with Hezbollah, might be supporting Assad. 274 00:12:12,432 --> 00:12:14,999 Hezbollah is Iran's political proxy in Lebanon, 275 00:12:15,035 --> 00:12:17,735 and Iran is the Syrian Regime's ally. 276 00:12:17,771 --> 00:12:20,438 NART: We found a document that is supposedly a leaked document 277 00:12:20,473 --> 00:12:23,107 from Syrian intelligence that we can't verify, 278 00:12:23,143 --> 00:12:27,478 that talks about the exact tactics that we see this group 279 00:12:27,514 --> 00:12:32,183 using to target the opposition, including the use of fake female 280 00:12:32,218 --> 00:12:36,354 personas to try to entrap individuals and other efforts 281 00:12:36,389 --> 00:12:38,623 to discredit the opposition online. 282 00:12:38,658 --> 00:12:41,759 By 2013, Hezbollah was engaging Syrian rebels 283 00:12:41,795 --> 00:12:43,161 on the battlefield. 284 00:12:43,196 --> 00:12:45,530 Now, pro-Assad hackers based in Lebanon 285 00:12:45,565 --> 00:12:48,499 were engaging them in cyberspace too. 286 00:12:48,535 --> 00:12:51,602 But support from Syria's allies wasn't enough for Assad to keep 287 00:12:51,638 --> 00:12:54,639 an emerging threat at bay: the Islamic State. 288 00:12:56,843 --> 00:12:58,910 BEN: In Syria, the war was causing the country to fracture. 289 00:12:58,945 --> 00:13:01,479 Then ISIS arrived. 290 00:13:01,514 --> 00:13:03,982 The jihadis set up their capital in Raqqa. 291 00:13:04,017 --> 00:13:06,884 They took over the land and unleashed a wave of terror. 292 00:13:06,920 --> 00:13:08,820 Like the Electronic Army and the Malware Teams 293 00:13:08,855 --> 00:13:11,889 that had come before them, the Islamic State would also 294 00:13:11,925 --> 00:13:14,993 go after their opponents on the digital frontline. 295 00:13:15,028 --> 00:13:17,729 Their crimes were documented in high-profile execution videos, 296 00:13:17,764 --> 00:13:19,630 distributed over the internet. 297 00:13:35,882 --> 00:13:37,615 Rami Abdul Rahman knows what it's like 298 00:13:37,650 --> 00:13:39,751 to be targeted by ISIS. 299 00:13:39,786 --> 00:13:41,919 He's a Syrian activist who now lives in the UK 300 00:13:41,955 --> 00:13:44,789 after seeking asylum over 15 years ago. 301 00:13:44,824 --> 00:13:47,959 His work exposing war crimes in Syria made him a target. 302 00:13:47,994 --> 00:13:50,128 He was hacked by the terror group supporters, 303 00:13:50,163 --> 00:13:51,963 Photoshopped in front of Jihadi John, 304 00:13:51,998 --> 00:13:53,798 the infamous ISIS executioner, 305 00:13:53,833 --> 00:13:56,801 his data was targeted, and his server was destroyed. 306 00:13:56,836 --> 00:13:58,136 How did that make you feel, 307 00:13:58,171 --> 00:13:59,871 to see yourself in an orange jumpsuit? 308 00:14:30,036 --> 00:14:32,003 But who was behind the hack? 309 00:14:32,038 --> 00:14:33,404 I'd already been communicating 310 00:14:33,440 --> 00:14:35,907 with Islamic State fighters online. 311 00:14:35,942 --> 00:14:38,843 Some of them were as easy as a text message away. 312 00:14:38,878 --> 00:14:41,846 Junaid Hussain was allegedly one of these fighters. 313 00:14:41,881 --> 00:14:45,850 In Syria, he was known as Abu Hussain al-Britani, 314 00:14:45,885 --> 00:14:49,353 the architect of the Islamic State's cyber army. 315 00:14:49,389 --> 00:14:52,190 But before he traveled to Syria to join ISIS, 316 00:14:52,225 --> 00:14:54,892 Junaid was a regular kid from England best known as TriCk 317 00:14:54,928 --> 00:14:59,097 of the now-disbanded UK hacking collective, TeaMp0isoN. 318 00:14:59,132 --> 00:15:00,865 I traveled to Newcastle 319 00:15:00,900 --> 00:15:03,701 to meet with Junaid's former hacking colleague, MLT. 320 00:15:03,736 --> 00:15:06,270 For security reasons, we can't show his face. 321 00:15:06,306 --> 00:15:08,239 What was TriCk like back in the day 322 00:15:08,274 --> 00:15:09,774 before all of this Islamic State stuff? 323 00:15:22,555 --> 00:15:24,889 TriCk hacked the email of Tony Blair's personal assistant. 324 00:15:24,924 --> 00:15:27,859 Together with MLT, he flooded the anti-terror hotline of Mi6 325 00:15:27,894 --> 00:15:30,061 with prank phone calls. 326 00:15:30,096 --> 00:15:31,762 JUNAID: Do you know about TeaMp0isoN? 327 00:15:31,798 --> 00:15:34,031 OPERATOR: I've heard about TeaMp0isoN, yeah. 328 00:15:34,067 --> 00:15:35,933 JUNAID: We embarrass governments, 329 00:15:35,969 --> 00:15:37,768 and ---- the police. 330 00:15:37,804 --> 00:15:39,904 OPERATOR: Yeah... 331 00:15:39,939 --> 00:15:42,373 BEN: They did it as an act of political protest, 332 00:15:42,408 --> 00:15:44,542 but also for the lulz. 333 00:15:44,577 --> 00:15:47,411 It got them both arrested, but only Junaid went to jail. 334 00:15:48,748 --> 00:15:50,548 Did prison change Junaid? 335 00:16:21,080 --> 00:16:22,480 How did he radicalize? 336 00:16:37,564 --> 00:16:39,197 Because I guess after the Tony Blair hack, 337 00:16:39,232 --> 00:16:41,465 he was probably one of the most famous hackers in Britain. 338 00:17:04,824 --> 00:17:06,390 Was he a skilled hacker? 339 00:17:28,615 --> 00:17:31,983 In August 2015, Junaid was killed in a US air strike. 340 00:17:32,018 --> 00:17:34,719 But before he was assassinated, Junaid is thought to have 341 00:17:34,754 --> 00:17:37,188 carried out another cyber attack. 342 00:17:37,223 --> 00:17:39,557 This one was designed to expose the location of the 343 00:17:39,592 --> 00:17:43,594 Islamic State's critics so they could be captured and killed. 344 00:17:46,299 --> 00:17:48,366 BEN: In Syria, cyber attacks were used by groups affiliated 345 00:17:48,401 --> 00:17:51,202 with the Assad Regime to wage war online. 346 00:17:51,237 --> 00:17:54,071 When ISIS arrived, they seemed to adopt similar techniques 347 00:17:54,107 --> 00:17:56,207 to target their opponents. 348 00:17:56,242 --> 00:17:58,876 ISIS claims the men being executed in this video 349 00:17:58,911 --> 00:18:01,512 are members of Raqqa Is Being Slaughtered Silently, 350 00:18:01,547 --> 00:18:03,948 a group of activists who document and expose 351 00:18:03,983 --> 00:18:06,784 the atrocities of the so-called Islamic State. 352 00:18:06,819 --> 00:18:08,919 Hamood Mohamed Almossa is in charge of 353 00:18:08,955 --> 00:18:10,955 cybersecurity for the group. 354 00:18:10,990 --> 00:18:13,591 He agreed to Skype with me from an undisclosed location. 355 00:18:13,626 --> 00:18:16,127 Hamood, do you want to explain to me how ISIS was hunting down 356 00:18:16,162 --> 00:18:18,863 members of your organization online? 357 00:18:18,898 --> 00:18:22,066 (Speaking Arabic) 358 00:19:05,011 --> 00:19:07,611 He can't fully prove it, but Hamood believes Junaid Hussain 359 00:19:07,647 --> 00:19:10,514 orchestrated the attack so that ISIS could locate 360 00:19:10,550 --> 00:19:12,249 and kill their opposition. 361 00:19:12,285 --> 00:19:15,086 Fortunately, Hamood wasn't fooled by the phishing attack, 362 00:19:15,121 --> 00:19:17,321 and he didn't download the malware. 363 00:19:17,357 --> 00:19:20,491 But did others, and were they killed as a result? 364 00:19:20,526 --> 00:19:22,827 ISIS is almost adopting everything 365 00:19:22,862 --> 00:19:24,762 that was successful in Syria. 366 00:19:24,797 --> 00:19:26,630 We're talking about images, we're talking about video, 367 00:19:26,666 --> 00:19:28,199 we're talking about cyber attacks. 368 00:19:28,234 --> 00:19:30,134 And again, these were techniques that were essentially 369 00:19:30,169 --> 00:19:33,304 tried and true from earlier phases of the Syrian Civil War. 370 00:19:33,339 --> 00:19:34,638 Exactly. 371 00:19:34,674 --> 00:19:37,308 And then here we are, they're adopting it again. 372 00:19:37,343 --> 00:19:39,443 The war in Syria showed that armies of hackers 373 00:19:39,479 --> 00:19:41,645 can assist soldiers in the battlefield 374 00:19:41,681 --> 00:19:45,316 because the tools are both easy to use and free to acquire. 375 00:19:45,351 --> 00:19:46,684 This is a set of tools 376 00:19:46,719 --> 00:19:48,819 that are increasingly available to everybody now. 377 00:19:48,855 --> 00:19:52,656 So the whole idea is that these tools are no longer just in 378 00:19:52,692 --> 00:19:56,360 the hands of the Chinese or Russian or American government, 379 00:19:56,396 --> 00:19:59,897 that people like-- well, people like you and me, 380 00:19:59,932 --> 00:20:04,034 only with far worse intentions, now have these tools and can 381 00:20:04,070 --> 00:20:06,337 engage in relatively sophisticated spying. 382 00:20:06,372 --> 00:20:08,172 And same goes for a battlefield. 383 00:20:08,207 --> 00:20:09,507 Absolutely. 384 00:20:09,542 --> 00:20:11,642 As the war becomes hot, and as, you know, 385 00:20:11,677 --> 00:20:13,811 battlefield intelligence becomes more important, 386 00:20:13,846 --> 00:20:17,348 this sort of surveillance and espionage becomes 387 00:20:17,383 --> 00:20:19,517 part of the battlefield and part of the battle plan. 388 00:20:19,552 --> 00:20:22,186 In a lot of cases it's simple social engineering, 389 00:20:22,221 --> 00:20:24,522 but they're very effective at it. 390 00:20:24,557 --> 00:20:26,924 The types of targets that they're going after are usually 391 00:20:26,959 --> 00:20:30,561 individuals active on Twitter and Facebook so they don't need 392 00:20:30,596 --> 00:20:34,365 to use anything particularly advanced to get the job done. 393 00:20:34,400 --> 00:20:37,201 In Syria, the issue is not only the hacking itself, 394 00:20:37,236 --> 00:20:40,538 but the inability of the targets to protect themselves. 395 00:20:40,573 --> 00:20:44,408 You can really no longer be sure what side you're seeing, 396 00:20:44,444 --> 00:20:47,545 or what kind of actor is involved, 397 00:20:47,580 --> 00:20:50,548 or whether you're seeing some sort of false flag. 398 00:20:50,583 --> 00:20:53,250 It just gets murkier and murkier with every year. 399 00:20:53,286 --> 00:20:55,753 Syria is a country, or used to be a country, 400 00:20:55,788 --> 00:20:58,589 that government is watching you by default. 401 00:20:58,624 --> 00:21:00,925 You under surveillance by default. 402 00:21:00,960 --> 00:21:04,261 Syrians, they were not able actually to... 403 00:21:04,297 --> 00:21:07,731 to change their behaviours, to know that they have rights 404 00:21:07,767 --> 00:21:10,401 of their own privacy, or to protect themselves. 405 00:21:10,436 --> 00:21:12,970 So the same things apply now on what's going on in 406 00:21:13,005 --> 00:21:14,472 the cyber conflict in Syria. 407 00:21:14,507 --> 00:21:17,575 People have no knowledge about protection 408 00:21:17,610 --> 00:21:19,710 or why do I have to protect myself. 409 00:21:19,745 --> 00:21:22,746 I thought that I have pretty good security protocols 410 00:21:22,782 --> 00:21:26,250 when it comes to encryption or circumvention or... 411 00:21:26,285 --> 00:21:28,886 or even protocols dealing with people. 412 00:21:28,921 --> 00:21:33,224 Unfortunately, until someone came, and he was a journalist 413 00:21:33,259 --> 00:21:35,993 not from Syria and he starts filming me, 414 00:21:36,028 --> 00:21:38,229 and he was arrested. 415 00:21:38,264 --> 00:21:41,065 And they got access to all our information. 416 00:21:41,100 --> 00:21:42,900 And that was the minute 417 00:21:42,935 --> 00:21:44,668 that I had to leave the country immediately. 418 00:21:44,704 --> 00:21:47,271 So I found that security is not about yourself only, 419 00:21:47,306 --> 00:21:49,406 but it's about the whole network that you're working with. 420 00:21:51,811 --> 00:21:54,445 When the pro-democracy movement started in 2011, 421 00:21:54,480 --> 00:21:56,814 few could've imagined that Syria would fracture 422 00:21:56,849 --> 00:21:58,983 into deadly chaos. 423 00:21:59,018 --> 00:22:01,318 And no one could've guessed what an important role 424 00:22:01,354 --> 00:22:04,021 the internet would play not only on the battlefield, 425 00:22:04,056 --> 00:22:06,757 but crushing free speech and political reform. 426 00:22:06,792 --> 00:22:09,527 While the country's future hangs in the balance, 427 00:22:09,562 --> 00:22:12,830 one thing has become certain: Syria offers a terrible window 428 00:22:12,865 --> 00:22:15,266 into how the battles of the future can unfold, 429 00:22:15,301 --> 00:22:17,468 both off- and online. 41737