Hackers allegedly working for the government of Lebanon stole hundreds of gigabytes from thousands of victims all over the world, and they did it using phishing, relatively simple custom-made malware with no fancy zero-day exploits, and using recycled infrastructure, according to a new report.
Security researchers from digital rights organization Electronic Frontier Foundation and security firm Lookout were able to gain access to a server used by the hackers for more than three months, collecting evidence of several years-long espionage campaigns in more than 21 countries. As they detail in their new report, the data left on the servers by the hackers points directly to a building in Beirut that houses the General Security Directorate, Lebanon’s intelligence agency.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
For years, military powerhouses like China, Russia, and of course the United States dominated cyberspace, hacking each other’s systems and mounting complex espionage campaigns that sometimes spilled into the real world, damaging nuclear facilities and even meddling in an election. More recently, however, smaller countries, without a long history of cyberattacks, such as Iran, North Korea, or even Qatar and Kazakhstan, have started to catch up in the government hacking game. Lebanon is just the latest one to be caught.
“What used to be the realm of top-tier nation states is now the realm of whoever feels like writing some malware for a mobile phone,” Mike Murray, the vice president for security research at Lookout, said in a phone call. "This is not a 50 million dollar organization that is running this. […] And yet they’re still compromising a huge number of people, a huge number of targets, and stealing a huge amounts of data."
The researchers have dubbed the group Dark Caracal and they identified victims inside governments, militaries, utility companies, financial institutions, manufacturing companies and defense contractors going as far back as 2012. The researchers declined to give out more details about the targets. This makes them “the most globally active” government hacking group Lookout has seen to date, according to the firm’s researcher Michael Flossman.
Dark Caracal hackers primarily rely on the true and tested strategies of phishing, mostly using legitimate-looking apps that are actually laced with malware, or fake login pages for Facebook or Twitter. The data they steal includes chat messages, iPhone backups, computer screenshots, photos, call logs, and essentially anything that lives on a computer or Android device, according to the researchers.
The hackers used generic Windows malware, as well as commercial spyware made by the infamous government contractor FinFisher. But they also developed their own custom-made malware for Android, dubbed Pallas, according to the report.
One of the most interesting things about Dark Caracal is that it didn’t set up its own infrastructure to conduct its hacking operations, but reused some of the same infrastructure used by other nation-state hackers. In particular, it recycled some of the same servers and even some malware related to that used by the Kazakhstan government hackers identified by the EFF last year.
"There is someone who runs this infrastructure and it’s renting it out to various nation-state actors," Eva Galperin, the director of cybersecurity at the EFF, told me in a phone call.
That, of course, helps “helps muddy the waters," on who’s behind the operations, according to Flossman.
In this case, however, the researchers said they were able to pinpoint the actual building where the hackers operate thanks to a cluster of test devices that the hackers used to try out their malware and hacking tools—all data included in the hackers’ exposed server. Within that cluster, the researchers said they found several names of Wi-Fi networks that belong to the General Security Directorate in Beirut, something they said they were able to verify “on the ground.”
The Lebanese embassy in Washington DC did not respond to a request for comment.
"Phishing still works pretty well to get you to install the app"
The researchers stressed the fact that Dark Caracal isn’t overly sophisticated isn’t necessarily a good thing for potential victims.
"These actors are realizing that they no longer need to actually invest $100,000 or $200,000 license with FinFisher when they can easily develop these tools in house," Flossman said.
Moreover, not using fancy exploits like the iPhone jailbreak found in the wild last year allows them to target more people with a lower risk of burning expensive tools.
As Lookout security researchers put it: "phishing still works pretty well to get you to install the app."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.