21 February 2017

Investigating A Cyberwar


By Juliana Ruhfus 

Editor’s Note: As the Syrian civil war has played out on the battlefields with gunshots and mortars, a parallel conflict has been fought online. The Syrian Electronic Army (SEA), a pro-Assad government group of hackers, has wielded bytes and malware to obtain crucial information from opponents of the Assad regime. The extracted information has led to arrests and torture of dissidents. In this interview, GIJN’s Eunice Au talks to Al Jazeera’s Juliana Ruhfus about the methodology and challenges of her investigation into the SEA and the process of transforming the story into an online game. 

How did the idea for a documentary on the SEA come about? Who was part of your investigative team and how long did it take? 


I had the idea for the film when I came across a report called “Behind Syria’s Digital Frontline,” published by a company called FireEye, cybersecurity analysts who had come across a cache of 30,000 Skype conversations that pro-Assad hackers had stolen from anti-Assad fighters. The hack provided a unique insight into the strategic intelligence that had been obtained from the Skype conversations, including Google images plans that outlined the battle at Khirbet Ghazaleh and images of missiles which the rebels were trying to purchase. 

The fascinating thing was, it also shed light on how the hack was carried out. Pro-Assad hackers had created female avatars who befriended fighters on the front line by telling them how much they admired them and eventually asked to exchange photos. These images were infected with malware which proved devastating once downloaded. Computers in the field are shared by many fighters, allowing the hackers to spy on a large number of targets at once. 

When I read the report I had the Eureka moment that I wait for when I am looking for a new idea: I could visualize the “invisible” cyberwar story and, for the first time ever, I really understood the crucial role that social engineering plays in hacking, that is the hacker’s psychological skill to get someone to click on an infected link. 

I then shot the film together with director Darius Bazargan. Ozgur Kizilatis and Alexander Niakaris both did camera work and Simon Thorne was the editor. We filmed in London, Turkey, and France, and all together the production took just under three months. 

What were the biggest challenges in this investigation and how did you resolve them? 

We had four key challenges: 

First, Al Jazeera’s cyber security team had huge concerns about us making this film. Like most other news organizations, including NPR, the BBC and the Guardian, we had been hacked by the Syrian Electronic Army. The security team felt that making a film about this subject was like holding up a red flag to a bull and that the film would provoke more attacks. Luckily the senior manager of the department also understood that for a news organization this was an important story to tell and gave us a green light after agreeing that we’d have strict security protocols. 

Juliana Ruhfus speaks with a Syrian hacker, who was approached to join the SEA but declined. 

Secondly, we needed to demonstrate that the cyberwar could be just as deadly as on the ground. Through personal contacts and organizations that were teaching cybersecurity to activists, we found a number of interviewees who had been arrested because security services had hacked their social media networks or because security services wanted to obtain their passwords via torture to enter and map networks. This was quite a complex process; Many potential interviewees were deeply scarred by their prison experiences, all had friends who had died, and quite a few were worried about family members who were still in Syria. 

Thirdly, there was one story which we just couldn’t crack for TV. We had first-hand, verified testimony that a large aid and welfare organization aligned to the Syrian opposition government in exile had been hacked after a senior person had clicked on malware and was exposing its employees back in Syria to great risks. One person had already been arrested and shown hacked emails related to his work with this organization as proof of “wrongdoing.” The organization had been made aware of this but did not implement better info security measures. 

It was impossible to get this story properly on camera. At times it felt as if interviewing people about computer viruses was just like making a film about STD’s — nobody wanted to admit to having been hacked for fear that they could be held responsible for passing the virus on. 

What precautions did you take and which applications/chat platforms did you use to make sure your communications with sources were secure? 

Signal 

The security process was two-fold: Firstly, we were given sandboxed laptops from our security team for communication with anyone who might send us unsafe emails and links, in particular because we were intending to contact some of the hackers. We needed to work completely outside the rest of the Al Jazeera system. 

In terms of communicating safely with activists, we took our lead from organizations who trained them and asked them how they wanted to be in touch. Most opted for PGP encryption for emails and Signal for text and calls. 

How did you locate sources and verify them? Did you go undercover? Any advice for journalists on whether to go undercover or not? 

Syrian Electronic Army insignia 

Our story was very specifically about the Syrian cyberwar, so the key goal was to contact the pro-President Assad hackers, the Syrian Electronic Army. We contacted them via their website but we also got in touch with a journalist in Lebanon who had interviewed the SEA for a TV station that was politically aligned with President Assad. 

Generally I tend to be extremely honest when I contact people. I say who I am and that I appreciate the reasons why they would not talk to me, and then ask if there is anything that could change their mind. I find that instead of telling people what I want them to do, asking them what they would like to do works wonders, even with people who operate outside the law. As a TV reporter I need quite a degree of collaboration to get my interviewees in front of the camera, and email exchanges or phone calls don’t give me a film. 

We didn’t hear back from the SEA. This may be due to political reasons but today I also know that at the time the FBI was already very closely tracking members inside and outside Syria. We didn’t try to contact any other black-hat hackers because in the Syrian cyberwar story they were the key players. “Instead of telling people what I want them to do, asking them what they would like to do works wonders, even with people who operate outside the law.”

Instead I followed the story that one of the info security trainers told me. A young French coder, Jean Pierre Lesueur, had developed spyware called Dark Comet which the SEA had been using to hack activists. He did so when he was still in school and in the spirit of open source uploaded it and shared it for free. Jean Pierre had no idea that it would lead to arrests and even torture. He was naive at best, since in the U.S. Dark Comet was also used for financial fraud and it seemed that US law enforcement had been on his tracks at some stage. 

I found a contact for Jean Pierre online and emailed him, again being very honest and asking under what conditions he would accept an interview. We exchanged quite a few mails, and in the end agreed that his friend would video the entire encounter with us so that Jean Pierre would have a record in case we misquote or misrepresent him. This to me was reasonable providing that he would not publish the footage independently. 

For most viewers, the scene where Jean Pierre sits next to me on a park bench and hacks into my computer is the highlight of the film. It demonstrates how spyware functions by showing how he takes complete control of the keyboard, screen, microphone, and speaker of my laptop. For the purposes of a 25-minute film, that was a lot more impactful and important than going undercover online. It was also an amazing link to have interviewed the activists who had been hacked with Dark Comet and then to find the schoolboy coder who developed the spyware. Video: Brief clip of Jean Pierre hacking Juliana's laptop

As a print journalist, I would have probably spent more time going undercover online to find out how expensive it is to buy malware and/or commission and hire a hacker. To do so, I need to get an approval from my editor but my argument would be that there is public interest to reveal information about illegal acts and that this would make it okay to pose as a buyer. 

Why did you decide to gamify this investigation and what were the challenges in making this game? 

After “Pirate Fishing – An Interactive Investigation,” this is my second gamified project. My goal is to leverage our journalism content across different platforms to attract new and younger audiences. With both projects we found that over 80% of users were first time visitors to the Al Jazeera website. 

The first challenge was to develop a quest: “Investigate the Syrian cyberwar by collecting the maximum amount of information in the minimum amount of time without getting hacked yourself.” 

Then we had to create situations where the user had to take decisions that were either based on good journalism practice or internet security, and which resulted in gathering or losing information or incurring time penalties. Those were the metrics. Creating game rules in this way was new to me. 

To me the guiding principle was always that all content must be based on the journalism of our investigation. Each “virtual hack” that we expose the user to is based on a real hack that took place during the Syrian cyberwar. We copied the social engineering techniques to get users to click on bad links, and the text from a blackmail hack is taken ad verbatim from an SEA email in an FBI indictment. I was the only journalist on the team, and one person in particular got quite frustrated with me when I didn’t want to include hacks that were very creative but had not taken place in real life. 

Since we were developing a new format we also had to find a way of guiding the user through it, and that was harder than I thought from a UX and design point of view. It was incredibly important to remind the user throughout that the content was all real. During our user-testing, people really appreciated interviewing the people in our film in form from video clips and also being able to click on their social media links and ending up in the “real world.” 

What’s been the impact of the #Hacked game so far? 

We received a lot of media attention when we launched. As we were also covered by gaming sites, we reached audiences that would not normally watch an Al Jazeera investigation. 

I am still at a point where I see more flaws than success. It always takes me a while to get distance. Although everyone said “mobile first” is the answer, the analytics show most people ended up playing it on a computer but the project is not scaled for that. I also wish the app was down-loadable rather than a web app that you access via your browser; I think that would have much improved the user experience. 

Do you think other journalists should consider gamifying their investigative stories, too? Why? 

It turned out to be quite a complex thing to do, so everyone needs to decide if that is how they want to invest their time. For me the gratifying thing about this project was that the content as well as the format tell the story. In print or TV we would describe how a hack functions; In #Hacked the user experiences it. 

I also think that the process of decision-taking throughout the project creates an immersive and personalized experience of a news story that can prove to be addictive. I have been in A-Level school classes in London where the teacher used #Hacked to teach online security, and I saw some of the kids were hooked. And I thought “Great, they are getting some journalism about Syria through the backdoor!”

No comments: