A newly discovered global cyberespionage threat group has ties to a government intelligence agency in Lebanon, according to a joint report from Lookout Mobile Security and the Electronic Frontier Foundation (EFF). The previously unknown threat group has been named “Dark Caracal” by Lookout, a San Francisco-based mobile security company. The joint report, released on 18 January by researchers at Lookout and the EFF, says this threat group has been conducting a prolific and evolving cyberespionage campaign using mobile devices for at least six years, with targets in over 21 countries across four continents.
- The targets are individuals and institutions including “governments, utilities, financial institutions, manufacturing companies, and defense contractors.”
- The report states that they identified “hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia,” including victims in the US.
- Dark Caracal used “a series of multi-platform surveillance campaigns that began with desktop attacks and pivoted to the mobile device.” Social media, phishing, and physical access were used to compromise targets’ accounts and devices.
- Android malware (called “Pallas”) and Windows malware (called “Bandook RAT”) were used to take screenshots and photos, record audio, and collect files, phone backups, text messages (including content from secure messaging apps), GPS locations, corporate documents, contacts, and account information.
- Dark Caracal buys and uses mobile and desktop tools found on the dark web.
- Custom mobile spyware (Pallas) was found in trojanized Android apps that masqueraded as, and functioned like, legitimate apps such as WhatsApp, Signal, Adobe Flash Player, and Google Play Push; the trojanized apps were served to targets from a fake Android app store, so a victim who installed one saw an app that worked as expected.
- This threat group may be operating out of the Beirut, Lebanon headquarters of the General Directorate of General Security (GDGS), a Lebanese government agency that “gathers intelligence for national security purposes and for its offensive cyber capabilities.”
- The location of the operations base was determined by correlating data generated by the operators’ own test devices (including Wi-Fi network information) with logins to the C2 server from IP addresses owned by the government of Lebanon that geolocate to an area near the GDGS building.
- According to an Associated Press article, the surveillance operation was discovered “after careless spies left hundreds of gigabytes of intercepted data exposed to the open internet”; the data, “which includes nearly half a million intercepted text messages, had simply been left online”. The article continues with a quote from Lookout’s head of intelligence, Mike Murray: “It’s almost like thieves robbed the bank and forgot to lock the door where they stashed the money.”
- According to a Reuters article, “Major General Abbas Ibrahim, director general of GDGS, said he wanted to see the report before commenting on its contents. He added: ‘General Security does not have these type of capabilities. We wish we had these capabilities.’”
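The attribution step described above (operator logins to the C2 admin panel separated from victim check-ins, then resolved to the owner of the source netblock) is the kind of analysis an investigator runs over a leaked C2 access log. The script below is an added example, not code from the Lookout/EFF report; the log lines, the addresses (RFC 5737 documentation ranges) and the netblock ownership table are constructed placeholders, and the `/admin/` path prefix is an assumed convention for the panel.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a C2 web-server access log (combined-log style).
# All addresses are from RFC 5737 documentation ranges; nothing here is real infrastructure.
SAMPLE_LOG = """\
203.0.113.14 - - [10/Jan/2018:08:12:01 +0200] "POST /api/checkin HTTP/1.1" 200 17 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
198.51.100.7 - - [10/Jan/2018:08:15:33 +0200] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [10/Jan/2018:08:15:40 +0200] "GET /admin/victims HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.55 - - [10/Jan/2018:08:16:02 +0200] "POST /api/checkin HTTP/1.1" 200 17 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1)"
192.0.2.200 - - [10/Jan/2018:08:20:11 +0200] "GET /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:09:01:27 +0200] "GET /admin/export/2018-01-09.zip HTTP/1.1" 200 5242880 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.14 - - [10/Jan/2018:09:05:44 +0200] "POST /api/upload HTTP/1.1" 200 5 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
192.0.2.200 - - [10/Jan/2018:09:07:03 +0200] "GET /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
"""

# Constructed netblock ownership table. In a real investigation this comes from RIR whois
# and BGP data; the owner labels here are hypothetical placeholders.
NETBLOCKS = {
    "198.51.100.0/24": "hypothetical-government-netblock",
    "203.0.113.0/24": "hypothetical-mobile-carrier",
}

# Assumed path prefix of the operator-facing panel (an assumption, not from the report).
ADMIN_PREFIX = "/admin/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def owner_of(ip_text, netblocks=NETBLOCKS):
    """Map a source address to the owner of the most specific matching netblock, or 'unknown'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    best = None
    for cidr, owner in netblocks.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else "unknown"


def classify(rec):
    """Operator traffic is a successful request to the panel; failed panel requests (scanners,
    password guessing) are kept apart so they do not pollute attribution; everything else is
    treated as a victim implant talking to the C2."""
    if rec["path"].startswith(ADMIN_PREFIX):
        return "operator" if rec["status"] < 400 else "rejected_admin"
    return "victim"


def attribute(log_text, netblocks=NETBLOCKS):
    """Count requests per role and netblock owner. The 'operator' counter is the attribution signal:
    which organisation's address space is driving the panel, as opposed to merely being infected."""
    counts = {"operator": Counter(), "victim": Counter(), "rejected_admin": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[classify(rec)][owner_of(rec["ip"], netblocks)] += 1
    return counts


if __name__ == "__main__":
    for role, by_owner in attribute(SAMPLE_LOG).items():
        for owner, n in by_owner.most_common():
            print(f"{role:15} {owner:35} {n}")
```

On the constructed log, all successful panel activity resolves to the hypothetical government netblock while all implant check-ins come from the carrier range, which is the shape of evidence the report describes. The caveat a practitioner should keep in mind is that a netblock owner is not a person: operator logins through a VPN, a compromised host, or a shared institutional network can point at the wrong organisation, which is why the report also leaned on the operators' own test devices and Wi-Fi data rather than on IP ownership alone.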
These findings are significant and surprising because of the methods used (primarily mobile), the scale of the operation (21 countries, thousands of targets speaking several languages, hundreds of gigabytes of exfiltrated data, multiple campaigns operating simultaneously), and Lookout Mobile Security’s ability to tie the operation to a specific government agency at a specific building address in Lebanon.
As Eva Galperin, director of cybersecurity at the EFF, says, “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” We have come to expect cyberespionage on a global scale only from large countries with an abundance of government support for cyber operations, but with malware and hacking services available for purchase on the dark web, coupled with the prevalence of vulnerable mobile devices holding personal and professional information, we see that even a country not previously considered a major player in international cyberespionage is capable of running a successful, large-scale, long-running international surveillance campaign out of a building on a street corner in Beirut.
Lookout Security blog, Mobile Advanced Persistent Threat actor conducting global espionage campaign from Lebanon
Electronic Frontier Foundation Press Release, EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World
Jerusalem Post, Research: Lebanon Spy Agency Targets Smartphone Users Worldwide