A major cyber-espionage campaign — targeting thousands of individuals across 21 countries — is operating out of a Lebanese intelligence agency building, according to a joint report published Thursday by digital rights organization Electronic Frontier Foundation (EFF) and mobile security firm Lookout.
The campaign, dubbed Dark Caracal after a nocturnal and highly secretive wild cat native to the Middle East, has been operating since at least January 2012. Its victims live in Lebanon and in other Arab countries, such as Qatar and Saudi Arabia, but also in the United States, Russia, Germany, and Nepal. Hundreds of gigabytes of data, including legal documents, browsing history, audio recordings, chat logs, and photos have been stolen from a broad range of victims. For security reasons, the researchers do not identify specific targets; they do, however, report that some of the breached data is associated with military personnel, government officials, activists, journalists, academics, and lawyers.
The research reveals that multiple platforms and systems were compromised in six simultaneously run global campaigns, which they traced to one of the General Directorate of General Security (GDGS) buildings in Beirut. At the time of the report’s publication, the servers discovered by the researchers were still operational, lead author Eva Galperin confirmed to SMEX.
During a Higher Defense Council meeting held yesterday, Interior Minister Nohad el-Machnouk did not deny the report’s allegations, but stated the claims were “wholly exaggerated.” The head of GDGS, Maj. Gen. Abbas Ibrahim, echoed the minister by boasting during the same meeting that “we are strong, but we are not that strong.”
“Typical Attacks” on an Unprecedented Global Infrastructure
Lookout has referred to the mobile espionage campaign as one of the “most prolific” ever publicly documented, owing to the campaign’s global reach and prioritization of mobile devices — with Android devices acting as Dark Caracal’s primary vehicle for attack.
At the same time, the tools, tactics, and techniques observed by the researchers indicate that the campaign requires a low level of technical sophistication, relying mainly on social media and spear-phishing attacks. In such attacks, victims receive a malicious message from a fake social media profile or messaging app instructing them to click on a link that requests login information, which when entered, compromises their device or account.
A number of the Android apps acting as decoys replicate secure applications popular with both the privacy-minded political activist and the security-oriented government official.
In this case, users received phishing messages on WhatsApp and through Facebook groups. After receiving a WhatsApp message, the mobile user is directed to download fake Android apps that infect their device with malware. Through Facebook groups, internet users are led to a phishing server via fake Facebook, Twitter, and Google login pages that let the campaign operators steal the victim’s credentials and hijack their account.
A number of the Android apps acting as decoys replicate secure applications popular with both the privacy-minded political activist and the security-oriented government official. They include secure messaging app Signal and circumvention tools Orbot (a Tor proxy) and Psiphon. According to Cooper Quintin, a staff technologist at EFF, “all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware.” The malware is able to extract files from compromised devices, but can also upload files onto the mobile and intercept future text messages.
The cyber-spying campaign also targeted desktop operating systems, which similarly relied on spear-phishing. Links directed victims to download a semi-functional version of a drawing application, a fake but functional version of Psiphon, and Microsoft Word documents. Researchers identified two types of malware associated with these applications and documents: the Bandook RAT and CrossRAT. Bandook malware, discovered by researchers during a previous operation, infects Windows, whereas CrossRAT, a newly discovered desktop surveillance tool, can infect Linux, Windows, and OS X operating systems.
Although seemingly less prevalent, physical access to a device was another manner in which Android malware was installed. It is yet unclear how the harvested data was used and whether it has been sold on the dark web.
Security researchers were able to detect Dark Caracal after uncovering an espionage campaign, dubbed Operation Manul, carried out by the government of Kazakhstan against journalists and dissidents in 2016. The Lebanon-based campaign was identified because it shares a digital infrastructure with the Kazakh campaign.
The researchers believe that Dark Caracal exposes only a “small fraction of the cyber-espionage that has been conducted using this infrastructure,” suggesting that thousands of other victims have likely fallen prey to the malicious tools and tactics, which can be deployed globally easily and relatively cheaply.
“Deep Insight” Into Victims’ Lives
In some cases, the multi-platform operation would start on desktops and continue on Android devices, allowing the hackers to harvest sensitive and detailed information from their victims. Stolen data found by the researchers was simply left exposed on the open internet. The researchers intercepted WhatsApp, Skype, and Telegram databases, bookmarks, personal messages, regularly captured desktop screenshots, and much The spying is so intrusive and can be so regular that researchers noted how “disturbingly simple” it is to monitor a targeted individual and capture a full image of how they spend their days.
The impact is not limited to the direct victim of spying, however; it also implicates and jeopardizes anyone they communicate with through a compromised Android device. Almost half a million SMS messages, 150,000 call records, and close to 265,000 files were exfiltrated by the hackers. Devices were infected with a custom Android surveillanceware implant. The implant, dubbed Pallas by Lookout, has the ability to send text messages to any other mobile designated by the attackers with the intent of further spreading the malware.
The spying is so intrusive and can be so regular that researchers noted how “disturbingly simple” it is to monitor a targeted individual and capture a full image of how they spend their days.
Even more troubling is the hackers’ ability to breach in-person conversations and private moments, spying on not only their intended target but also their social entourage. Pallas operators can activate the front and back cameras and the microphone of a device to take pictures and record audio with no risk of detection.
Blatant Violation of the Right to Privacy
Lebanon’s Eavesdropping Law 140/1999 guarantees the right to secrecy of communications and protects against unwarranted forms of surveillance or interception, except in some cases as prescribed by law. Despite the lack of specific regulations for online activities, the right to privacy over the internet is protected and breaking the confidentiality of communications, including electronic communications, requires a judicial warrant or administrative authorization.
Lebanon, as a party to both the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, is prohibited under international law from arbitrarily and unlawfully breaching its citizens’ privacy rights. Bassam Khawaja, a researcher at Human Rights Watch, told SMEX that “any law allowing secret surveillance must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which the monitoring may take place.”
Under international human rights law, a government can only use its surveillance powers after establishing limits on the scope, nature, and duration of an operation. Lebanese law also sets limitations to spying and surveillance, limiting, for instance, access to telecommunications data to two months at a time. In practice, however, all internet log files and telecommunications data are collected and stored by the state-run internet service provider and telecom operators for up to two years or more.
Independent Inquiry Needed
SMEX’s recent reports on the landscape of digital surveillance and data protection in Lebanon document the lack of judicial authorization and oversight mechanisms for surveillance, the recurring use of the counter-terrorism narrative to avoid accountability, and the absence of a strong legal framework to protect personal data. Together, these factors allow internal security agencies to expand their powers and the government to build a mass surveillance state.
The discovery of Dark Caracal underscores the need to address growing threats to our right to privacy and other associated rights, including freedom of speech, press freedoms, and freedom of assembly. It is incumbent on the Lebanese authorities, namely Lebanon’s general prosecutor, to conduct an independent, impartial, and transparent investigation into the cyber-espionage campaign and publicly share their findings.