Spooky AssadLeaks: The Provenance of the Emails

As I wrote in this post, I got interested in the provenance of a set of leaked Bashar al-Assad emails largely because of the way in which two of them were used to suggest, dubiously, Nir Rosen was an Assad agent.

The Guardian and Al Arabiya have both offered posts describing, in part, how they came by the emails, with the Guardian’s offering more details. The short version is:

March 15, 2011: Uprising escalates in Daraa.

Late March: “a young government worker in Damascus” handed off a slip of paper to a friend. The paper had four codes (plus or including the two email addresses, the Guardian is not clear) that would provide access to personal email accounts of Bashar al-Assad and his wife Asma. The friend was apparently supposed to pass them onto “a small group of exiled Syrians who would know what to do with them.”

June: “Two Syrian professionals in a Gulf state” obtain the emails. The Guardian doesn’t explain whether they were the original intended recipients, nor does it explain the delay. Though it does include a blurb describing their sudden awakening to politics that makes it clear the Guardian has spoken to at least one of the activists and replicated their self-narrative uncritically.

The uprising in the southern Syrian city of Deraa on 15 March had empowered them, as it had hundreds of thousands of others in the totalitarian state. They were now determined to do what they could to bring an end to more than four decades of rule by the Assad clan.

“It was clear who we were dealing with,” said one of the activists. “This was the president and his wife. There was no doubt.”

August 6: Sabu solicits Syrian MOD hacker to “disrupt govt communication systems.”

June to December: The emails are used with increasing frequency over time; Assad appears to build a PR strategy using them.

January: Anonymous (which had been infiltrated by the FBI since at least June, the same month the Syrian activists purportedly got the email codes) hacks Bashar al-Assad’s servers, accessing 78 different email accounts.

February 7: Anonymous releases the Assad emails which were published by Ha-aretz, claims the password was 12345. These are, at least in part, the very same emails being released today. Assad’s brother-in-law Firas al-Akhras emails him to tell him the inbox of the Ministry of Presidential Affairs had been leaked. All the emails are shut down.

March 15, 2012: The emails published.

In their narratives, neither the Guardian nor al Arabiya note that the FBI had been running Sabu since last June, precisely the same month the “activists” reportedly got the “secret codes” (12345?) that would allow them to access the Assad emails.

Now there are plenty of questions I have about this: Who was the mole, how did he or she get this information, who was the friend, what caused the 3-month delay. All of those questions, of course, are particularly interesting giving the coincidence of timing with the Sabu recruitment.

And why release these emails now? Just because of the one-year anniversary of Daraa, and the other events planned for the day?

Suffice it to say it feels a lot like outside entities–aside from whatever professionals-turned-activists purportedly monitored these accounts–were involved.

With that feeling in mind, two more details worth noting. First, al Arabiya’s story on how they got the emails focuses instead on what they didn’t publish: a bunch of “scandalous emails.”

Hundreds of “scandalous” emails were accordingly deleted by Al Arabiya.

By comparison, the Guardian said only it didn’t publish personal emails. Both sources, however, want people–perhaps including Assad?–to know that there were more emails that may be out there.

The other thing I find interesting is the detail the Guardian pays to Assad’s email habits.

[The Syrian activists in the Gulf state] soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast.”

Deleting emails as soon as they arrive shows a degree of awareness of web security. So too did the fact that Assad never attached his name or initials to any of the emails he sent. However, many of the emails that arrived in his inbox are addressed to him as president and contain intimate details of events and discussions that were not known outside of the inner sanctum and would have been very difficult to manipulate.

Even before I remembered that the same guy the Guardian claims was showing some web security used “12345” as his password, this entire passage sounded bogus, more like a way to provide cover for some other means to collect these emails that don’t involve more sophisticated wiretapping of packets, as opposed to email in-boxes.

But once you remember this is a guy who reportedly used “12345” as his password, then the entire claim Assad was practicing good security becomes laughable. Which makes this entire passage suspect.

There are two stories of how Bashar al-Assad got his emails hacked in the last year. In one version, Syrian activists managed to spy on their dictator in real time and are presumably releasing emails that lack a smoking gun (but did include “scandalous” emails) as a sort of anniversary present for Assad. The other story involves the FBI flipping at least one hacker and having him continue to hack at their command.

Or maybe there’s just one, far more intriguing story.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

20 replies
  1. Bob Schacht says:

    Geez, EW, your closer sounds like Charles Dickens hooking the reader for the next serial installment of his original Tale of Two Cities. So we are obliged to ask, “pray tell what far more intriguing story is there?”

    Or is this a game of Clue?

    Anyway, in the spirit of intrigue, let me offer this WAG: The reason for the seemingly indiscriminate shelling of Homs was that Assad figured out that they had an independent media center right there in the middle of his country, and the only way to get rid of it was to carpet bomb and raze the place.

    Or maybe Assad leaked the emails himself to give the impression of being naive in many important details of security, in order to embolden the resistance and making them careless.

    Or maybe the chauffeur did it in the game room with an ethernet cable.

    Am I close? Getting warm?

    Bob in AZ

  2. MadDog says:

    I’m bothered about aspects of this story. While I have 30+ years experience in computer stuff, I must confess to no particular expertise with regard to email systems. I know a bit, but don’t in any way consider myself an expert.

    That said, in reading the Guardian piece, I don’t understand how this occurred:

    “…The activists intensified their efforts as Assad cracked down, monitoring the email accounts 24 hours a day from the comfort of their living rooms…

    …They soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast…”

    This implies to me that the Syrian expatriate activists had logged onto these 2 email accounts in order to monitor the inboxes, and that when Bashar al-Assad or his wife Asma logged on, the Syrian expatriate activists were still logged on to these very same email accounts.

    Again, I’m not an email expert, but what kind of primitive email system would allow multiple simultaneous logons to the very same email accounts? That is a first-order security breach that only a fool would have designed into an email system!

  3. emptywheel says:

    @MadDog: Which might support my contention that that might be cover for something else.

    Once I get back to real connectivity, I plan to compare what Anon took in February with what Guardian/Arabiya are releasing. The Anon take was broader, but it’d be interesting if there were Assad emails in the G/AA batch that weren’t in the Anon batch. If there were, whoever was pushing these would need some explanation, and continual observation might be one.

    That said, as I suggested in the post, the NSA (or Israel, not least since Narus’ tech was theirs first, and they’d be the kind of people working with people who had just turned activist) would presumably have the ability to go in and get the “emails” when they were still packets. So any subsequent deletion wouldn’t matter.

    That is, I think the “watching the email box” feels like a feint to suggest whoever was getting these were getting them from a less innocuous inbox (a word repeated in that story a bunch) and not from packets.

  4. What Constitution says:

    “12345”? That settles it: a regime deserving of collapse. Talk about a backwater country — the President hasn’t even seen “Spaceballs”? But then again, maybe he has, and this is his version of 11th dimensional thinking. I know you know that I know that you know that I know about 12345 as a password; ah, it’s just what they’d least suspect….

  5. MadDog says:

    @emptywheel: When I wrote my comment early this morning, I was going to write a longer one discussing other possibilities, but ran out of time (was heading to the YMCA for my morning workout).

    A Narus-style monitoring was clearly another possibility in my mind. And I like your idea that the spin of Syrian expatriate activists in the Guardian’s story makes for a nice cover-story for some intelligence organization operation.

  6. MadDog says:

    @emptywheel: Interesting. Very interesting!

    When I open that URL in a new tab, I get a 404 error. Confirming what you wrote EW that it seems to have been taken down.

    However, when I paste that URL in a Google search, I get a list of hits. The very first one that I open in a new tab successfully brings up that specific PDF image of a 2 page email (Hello dear…).

  7. jerryy says:

    @MadDog: “Again, I’m not an email expert, but what kind of primitive email system would allow multiple simultaneous logons to the very same email accounts? That is a first-order security breach that only a fool would have designed into an email system!

    This was / is pretty standard behavior, especially for places like universities where you might move from your office to your lab to your classroom quickly (yeah that is assuming you are among the staff or instructors). UNIX ™ as a system allows for multiple logins with the usual warning on the terminal output — that mail clients do not write to the screen.

    The current IMAP mail system is built this way, for example Google’s GMail allows up to 10 (ten) simultaneous connections.

  8. MadDog says:

    @jerryy: Can’t say that I think much of allowing multiple simultaneous logons. Not to email, not to systems, not to anything. Tis a major fundamental security breach waiting to happen.

    And I mean that to apply to regular users. System Administrators however, should always have doG-like powers. *g*

  9. jerryy says:

    @MadDog: And it does happen!

    For those of you wondering what we are talking about, do this if you use email providers such as Google, Yahoo, etc.: open your email program on your ‘desktop’ computer and start a draft message. Do NOT quit the program or do any thing else on that machine. Now open your smartphone email program (but go through your phone service provider, not your desktop service provider) and check your email. You are now logged in from two differeent places at the time.

    Massively convenient, eh? Especially for those that need to run lots of problems at the same time, while being in different places. Is it a security problem? It can be, so guard your username and passwords and do not share them with anyone, ever! Not sharing them will not stop the spooks, but it will stop the idly curious. If you are into recreational impossiblities, call your ISP and ask them to switch over to using encrypted email systems.

  10. orionATL says:

    packet filching, eh?

    that must take some clever wiretapping.

    if i send an email and somebody just snatches a packet or two or three thousand before i get the email, i never get part of it or i never get it at all. this could present a discovery problem for electronic spies, e.g.,:

    hi dad,

    we’ve run into a little problem up here. we’re out of artillery shells to zap the f—kers with. can you have a railcar load sent asap?



    so to get at packets in order to steal somebody’s email, it seems to me the (almost certainly gov’t sponsored) thief would have to

    -copy the packets on the fly (186k – some inconvenient friction) from the telephone or cable line, or

    – remove the packets from the information stream, copy them, and then put them back.


    copying emails once they’ve landed at their destination computer or server would seem to be a technically different kind of mail-theft game.

  11. orionATL says:

    @Bob Schacht:

    good thought.

    but while a splitter divides the information stream (and attenuates it’s strength) can it really replicate discrete packets of info as opposed to a continuous stream of, say, a televised basketball game?

    to put my question differently – is there a difference between steaming audio or video on the one hand, and packets of “written” information on the other?

    or is all internet info initially just indistinguishable packets – whether audio/video or language text?

  12. greengiant says:

    Doh, don’t all the packets have the ISP target address if not the sender address?
    And filching does not usually mean interrupting packets, although at least one US ISP provider is notorious for dropping email from several different places as they supposedly adjust their “spam” filters.
    “sniffing” might have been a better verb.
    Again, never use the internet for something you don’t want Hoover or your Mom to know, and never take your ONstar or Lojack car or your cell phone to the coin or gun stores.

  13. orionATL says:

    @Bob Schacht:

    you’re right, bob.

    “… Traffic associated with AT&T’s Common Backbone was “split” between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T’s switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a “central location” for analysis. According to Marcus’s affidavit, the diverted traffic “represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area,” and thus, “the designers of the … configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources comprised primarily of domestic data.”[20]…”

    quote from the wikipedia cite by jerryy at #17 above.

  14. William Ockham says:

    Um, quickly deleting emails doesn’t mean Assad had an awareness of good web security. It might only mean that his email client was set up to delete all emails after downloading them to a local inbox. It is a setting on most email clients (such as Microsoft Outlook).

Comments are closed.