In a security breach of enormous proportions, the hackers appear to have deliberately targeted files that set out the financial and operational relationships between the Foreign, Commonwealth and Development Office (FCDO) and a network of private-sector contractors that have been covertly running media platforms in Syria throughout the nine-year foreign-backed war.

The Middle East Eye understands that between 200 and 300 highly sensitive documents are thought to have been acquired by the hackers.

Some of the documents have already been posted on the internet, and Foreign Office ministers and officials are bracing themselves for the possible appearance of more over the coming weeks.

While the hackers are not thought to have yet been identified, the sophistication of the cyber-attack has raised concerns at the FCDO that a state actor could have been responsible, with suspicion focusing on Russia.

In 2018, the UK foreign ministry claimed that Russian intelligence officers had attempted to hack into its computer systems.

The FCDO became aware of the breach last week, after some documents had been posted by the hacking collective known as Anonymous. Foreign Secretary Dominic Raab had been briefed at the weekend and other ministers were informed on Monday.

The documents shed further light on propaganda initiatives known in UK government circles as “strategic communications”, whose existence came to light four years ago.

The program aimed to promote “attitudinal and behavioral change” among Syrian audiences by fostering secular values, building resilience among the civilian population and by promoting what the UK government described as the Moderate Armed Opposition.

They show that British government contractors established radio stations, published Arabic- and English-language magazines, newspapers, books and children’s comics, designed posters and stickers, and helped to run opposition groups’ media offices.

One contractor is said to have distributed more than 660,000 printed items across Syria in six months.

The hacked documents also show how the “strategic communications” program has influenced the reporting of many major media organizations, with one contractor claiming to be in contact with 1,600 international journalists and other individuals able to help influence public opinion.

At the heart of the propaganda initiatives was a large network of Syrian citizen journalists, who were provided with training, equipment and encouragement by UK contractors – without the role of the British government being made explicit.

The documents posted on the internet in recent days identify not only private-sector contractors working for the Foreign Office, but also a number of the individuals who are running those companies.

However, the report said senior FCDO officials are less concerned about the contents of many of the documents – as the existence of the propaganda program had already been made public – than they are about the apparent ease with which the department’s computer systems were broken into.

Similar programs have been run in Syria by the UK’s Ministry of Defense, which does not appear to have been hacked.

The vulnerabilities can be exploited when a target downloads a video or other content that’s rendered by the chip. Targets can also be attacked by installing malicious apps that require no permissions at all, ArsTechnica reported.

From there, attackers can monitor locations and listen to nearby audio in real-time and exfiltrate photos and videos. Exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfecting difficult.

Snapdragon is what’s known as a system on a chip that provides a host of components, such as a CPU and a graphics processor. One of the functions, known as digital signal processing, or DSP, tackles a variety of tasks, including charging abilities and video, audio, augmented reality, and other multimedia functions. Phone makers can also use DSPs to run dedicated apps that enable custom features.

New attack surface

“While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features—they do come with a cost,” researchers from security firm Check Point wrote in a brief report of the vulnerabilities they discovered. “These chips introduce new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’ since it can be very complex for anyone other than their manufacturer to review their design, functionality or code.”

Qualcomm has released a fix for the flaws, but so far it hasn’t been incorporated into the Android OS or any Android device that uses Snapdragon, Check Point said. When I asked when Google might add the Qualcomm patches, a company spokesman said to check with Qualcomm. The chipmaker didn’t respond to an email asking.

Check Point is withholding technical details about the vulnerabilities and how they can be exploited until fixes make their way into end-user devices. Check Point has dubbed the vulnerabilities Achilles. The more than 400 distinct bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

In a statement, Qualcomm officials said: “Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

Check Point said that Snapdragon is included in about 40 percent of phones worldwide. With an estimated 3 billion Android devices, that amounts to more than a billion phones. In the US market, Snapdragons are embedded in around 90 percent of devices.

There’s not much helpful guidance to provide users for protecting themselves against these exploits. Downloading apps only from Play can help, but Google’s track record of vetting apps shows that advice has limited efficacy. There’s also no way to effectively identify booby-trapped multimedia content.

“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections”, the company said in a blog post on the matter.

The social media company said that the attackers appear to have used social engineering tactics to force employees to take certain actions and divulge key information, Sputnik reported.

From initial assessments, Twitter has found that the hack compromised 130 accounts, 45 of which “the attackers were able to initiate a password reset, login to the account, and send Tweets.” Additionally, the hackers took steps to begin downloading statistics from eight of those accounts.

​The hack which took place on Wednesday saw Barack Obama, Joe Biden, Elon Musk and more well-known US figures lose access to their accounts. The hackers then posted messages urging users to send bitcoin to an account to receive double the amount back.

Twitter was forced to issue a blanket ban on tweeting from all verified accounts.

The New York Times reported that the attack was coordinated between four people, one of whom said he was a Twitter employee. Two of the group, from the US and UK, reached out to the paper saying their participation involved hacking lesser-known accounts with attractive usernames for later reselling and had not anticipated the scale of the attack.

The hack saw the perpetrators rake in the bitcoin equivalent of $180,000 in a matter of hours. The Federal Bureau of Investigations has launched a probe into the attack.

The hack is the largest the company has ever experienced which may put a dent in the security reputation of what is essentially the world’s de facto wire service.