A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to the Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.
A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.
The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.
The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps: knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.
"People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal," EFF director of Cybersecurity Eva Galperin said in a statement. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."
According to the report, Dark Caracal has been active in several different campaigns running in parallel, and its backend infrastructure has also been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents opposed to the Kazakhstan government, was launched using Dark Caracal's infrastructure.
The Register reported that, according to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments.
Dark Caracal hackers also make use of other malware variants, such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and the EFF, which is capable of targeting Windows, Linux and OS X systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.
"Dark Caracal is part of a trend we've seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform," said Mike Murray, VP of security intelligence at Lookout. "The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about."
"One of the interesting things about this ongoing attack is that it doesn't require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realising that they contained malware," said EFF staff technologist Cooper Quintin. "This research shows it's not difficult to create a strategy allowing people and governments to spy on targets around the world."
The EFF and Lookout's full 51-page report on the prolific cyberespionage group is available from both organisations.