The discovery of an aggressive cyber espionage campaign run out of Lebanon shows that even small nations are entering the hacking-for-secrets game and tallying victories, sometimes with shoddy but effective techniques.
The 6-year-old campaign that was still unfolding as of last week breached computers and mobile devices in 21 countries, including the United States, researchers attending a cybersecurity conference in Washington said.
Hackers working through a network at the intelligence branch headquarters in Lebanon were able to extract text messages, audio recordings, contact lists, and even snap pictures of targets, the researchers said. They did not identify victims of the campaign, wanting to protect their privacy, but said corporations and individuals were hit, and more than 486,000 text messages extracted.
Victims included people in China, Russia and India, as well as an unknown number in the United States. Password pins and two-factor identification codes were taken — but not credit card data.
Forensic experts pulling the veil on the spying campaign included researchers at Lookout, a San Francisco-based mobile security firm, and from the Electronic Frontier Foundation, a digital privacy group also based in the Bay area. They spoke during and after a session at Shmoocon, a cybersecurity and hacker conference in Washington that ended Sunday.
Discovery of such an aggressive cyber espionage effort seemingly run by operatives in a smaller country – Lebanon’s population is 6 million people — underscores how much more level the global playing field has become for cyber espionage.
“You don’t have to get fancy,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “What we’ve seen is the cost of cyber espionage capability getting lower and lower and lower every year and requiring less expertise every year.”
The researchers said they were unwilling to attribute the cyber espionage campaign directly to the General Directorate of General Security, the intelligence arm of the Lebanese government, which is known as the GDGS.
“I’m not going to tell you it is the GDGS. I’m just going to tell you the call is coming from inside the house,” Galperin said, referring to the network registered to the intelligence agency.
Researchers said the campaign began as far back as January 2012, and used a custom-written surveillance implant that infects Android mobile phones, and separate malware, dubbed Bandook and CrossRAT, to infect computers.
The tactic involved operatives sending “phishing” messages in emails or placing posts on a Facebook group designed to lure the targets to browse a “watering hole,” a website containing malicious Android apps or desktop malware embedded with the surveillance software.
Once at the watering hole, so named because it draws life much as a waterway does in an African savannah, victims often thought they were downloading apps such as WhatsApp or Signal that would heighten their security rather than infect their devices, said Andrew Blaich, a security researcher at Lookout.
The researchers described tradecraft by the hackers as sloppy. The operators left hacked material in openly accessible folders on their servers, reused an email address (email@example.com) to register domain names, and registered real names to set up sites.
Once they’d infected the Android phones, the operatives could take photos with front or back cameras, extract text messages, get GPS data, activate the devices to capture audio, and retrieve photos, chat contents and decryption keys from messaging apps, said Michael Flossman, the lead on security research at Lookout.
The researchers said they extracted 81 gigabytes of hacked content from one of the servers used by the hackers. That was only a portion of the hacked data since some 12 servers were used, said Cooper Quintin, a security researcher at EFF.
The Lebanese Embassy in Washington did not respond to phone and email requests for comment. Lebanon’s intelligence chief, Maj. Gen. Abbas Ibrahim, told Reuters last week, just before Lookout posted a 49-page report on the spy campaign, that “General Security does not have these types of capabilities. We wish we had these capabilities.”
In past years, nations with advanced cyber espionage capabilities often would use exploits known as “zero days,” because they give victims zero time to defend themselves from devastating intrusions. Such exploits are hard to discover and are valuable.
“Zero days can cost $1 million or more,” said Quintin, referring to murky gray markets.
As off-the-shelf malware proves effective, “states often get away with the same things that criminals do, which is phishing. It turns out all of this works really well,” Quintin said.
The researchers said the malware tools used in the spying campaign, which they dubbed Dark Caracal for an elusive feline native to Lebanon, are the same tools used by Kazakhstan in a campaign against dissidents and others.
Operatives in the two countries were using the same servers and malware, Quintin said.
The researchers said either criminal networks or armaments vendors may be behind the two programs but that they continue to investigate.
Beirut has long been a hotbed of espionage in the Middle East, and the nation remains home to Hezbollah, an armed Islamic militia that is a proxy for Iran.
“Hezbollah and many other factions are all vying for power in Lebanon,” Quintin said. “And so we don’t know who in that GDGS building is doing this. We only know what building they are doing it from.”
The researchers said they found hacked data from targets in the Middle Eastern nations of Syria, Saudi Arabia, Qatar, and Jordan, as well as Asian, European and Western Hemisphere nations.
The Persian Gulf region, in particular, appears edging toward a “hot” cyber war. Other sophisticated malware has recently infected industrial safety systems, including those of the Saudi Arabia oil giant Aramco. The malware, dubbed Triton, was first publicized Dec. 14 by the FireEye cybersecurity firm.
A Framingham, Massachusetts, firm, CyberX, said in a statement Sunday evening that it had reverse engineered the malware and concluded it was aimed at “a petrochemical facility, most likely operated by Saudi Aramco.”
“We believe the purpose of the attack was to disable the safety system in order to lay the groundwork for a second cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life,” Phil Neray, vice president of industrial cybersecurity at CyberX, said in a statement sent to McClatchy.