A worldwide hacking campaign linked to a Lebanese intelligence agency has been revealed in an investigation by digital rights group the Electronic Frontier Foundation and mobile security firm Lookout.
According to the report, the group, dubbed Dark Caracal, has been working out of a building in Beirut owned by the Lebanese General Directorate of General Security (GDGS) for the last six years. The hackers used fake versions of messaging apps like Signal and WhatsApp to steal messages and data, including two-factor authentication codes. The group also used custom malware to activate devices’ cameras and microphones to record or photograph victims.
Targets included military personnel, journalists, activists, financial institutions and manufacturing companies based in over 20 countries, with documents, call records, texts, contact information and photos among the stolen data that was discovered.
“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”
The report reveals that Dark Caracal has been running several campaigns in parallel and that it shares its backend structure with state-sponsored surveillance campaign Operation Manul, which the EFF says was used to target journalists, lawyers, and dissidents of the Kazakhstan government last year.
“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s director of cybersecurity, told The Register on Wednesday. “We think there’s a third party selling this to governments.”
“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit,” EFF Staff Technologist Cooper Quintin said in a statement. “Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware.”
The group also used other malware variants that could target Windows, Linux, and OSX systems, including a previously unknown, multiplatform tool that Lookout and EFF have named CrossRAT.
The stolen data, which included nearly half-a-million intercepted text messages, had been left online on an unprotected server. “It’s almost like thieves robbed the bank and forgot to lock the door where they stashed the money,” said Mike Murray, Lookout’s head of intelligence told AP.
The data was linked to a WiFi network active at the location of Lebanon’s GDGS. “Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” stated the report.