The General Directorate of General Security, a Lebanese intelligence agency, has been tied to a mobile hacking operation discovered by researchers with cybersecurity firm Lookout Mobile Security and digital rights group Electronic Frontier Foundation (EFF).
Lookout and EFF are calling the hacking campaign “Dark Caracal,” in reference to a wild cat native to Africa and the Middle East. The organizations discovered that hackers are using malicious smartphone applications and websites to steal passwords and eavesdrop on conversations. The discoveries were revealed Thursday in a 49-page report.
The Dark Caracal hackers reportedly used several different email phishing strategies to lace familiar applications and websites, like Twitter, Facebook and WhatsApp, with malware. They also used fake login pages to acquire personal information. Some victims could have even been hacked by clicking on booby- trapped messages and lures that led them to fake social media profiles of young Lebanese women, according to Lookout.
Michael Flossman, security research services lead at Lookout, said that victims who had devices infected by the Android malware, granted hackers access to remotely everything on their device.
The hackers reportedly captured at least 486 thousand text messages from victims in over 21 different countries, including the U.S.. EFF and Lookout came across the cyber-espionage campaign during a separate investigation focused on Kazakh journalists and lawyers. Because of the group’s apparent prior success, it was hard for Flossman to believe the skilled group of spies could slip up accidentally.
EFF Director of Cybersecurity Eva Galperin told the Associated Press that the discovery was remarkable since they were able to acquire so many clues about the spies. The hackers incidentally left digital artifacts in their attacks, which could ultimately be traced back to their exact location.
“We definitely considered throughout the investigation that this was a honeypot, but we came to the conclusion that this this was actually poor operational security, not intentional,” Flossman said.
Researchers with Lookout say the Lebanese hackers were traced back to an active WiFi network neighboring a building that houses the Lebanese security agency. The WiFi network was still active when an Associated Press journalist went near the location to test and confirm the theory.
Although researchers were unable to identify the true identities of the hackers, they discovered three aliases associated with email addresses that were instrumental to the attacker’s server infrastructure.
Even though the General Directorate of General Security declined to comment, the authorities have been notified. Lookout and EFF said they will continue to search for further evidence of Dark Caracal.