
Lebanese Intelligence Backs Dark Caracal in Middle East Hacking: Proves Lookout Report

The latest technical report issued by Lookout, a mobile security firm, and the Electronic Frontier
Foundation (EFF) states that the cyber espionage campaign Dark Caracal, until now attributed to an
unidentified set of hackers, is in fact backed by the Lebanese intelligence agency.

Several pieces of evidence recorded in the report indicate that Dark Caracal, which has
persistently been a prolific cyber espionage actor, was being administered out of a building
belonging to the Lebanese intelligence service, the General Directorate of General Security
(GDGS), in Beirut, Lebanon.

Top Facts Proving GDGS Backing Dark Caracal

1. Geo-located IP addresses and network: To verify that the malware implants were working,
Dark Caracal used a set of test devices. Once those devices had been identified, the network
they connected to, a WiFi network with the SSID BId3F6, was geo-located to the immediate
vicinity of the GDGS building in Beirut, placing the campaign's likely location inside GDGS
premises. Moreover, logins to the administrative console of the C2 server (part of the
campaign infrastructure) came from three specific IP addresses, all belonging to Ogero Telecom,
which is owned by the Lebanese government. Geo-locating these too pointed to a location just
south of the same GDGS building, indicating the Lebanese government's role in spying on its
neighbouring Middle East countries.

2. Interlinked aliases and email address: During the investigation, the team discovered four
different aliases, two phone numbers and two domains that were interlinked with the campaign's
infrastructure. Three of the aliases, Nancy Razzouk, Hadi Mazeh and Rami Jabbour, were all
linked to one email address, 'op13@mail[.]com'. Furthermore, the physical addresses listed in
the WHOIS registrations clustered around one common WiFi network, SSID BId3F6, located near the
GDGS building. Most of the domains owned by these identities were hosted through Shinjiru, an
offshore 'bulletproof' hosting provider, so called because it hosts almost any content, accepts
payment in cryptocurrency and shields domains from takedown.
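The pivoting described above, linking separate registrant identities through a shared email address or phone number, is a standard infrastructure-attribution step. The following is an added example (not code from the Lookout/EFF report) that clusters WHOIS-style records into connected groups and lists the evidence behind each link. All records, domain names, aliases, emails and phone numbers in it are constructed placeholders, not the real Dark Caracal data.

```python
"""Cluster domains by shared WHOIS registrant attributes (infrastructure pivoting).

Added example; not code from the Lookout/EFF report. All records below are
constructed placeholders standing in for WHOIS snapshots, not real data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed WHOIS-style snapshots: one dict per domain.
RECORDS: List[Dict[str, str]] = [
    {"domain": "alpha.example", "registrant": "Alias One",
     "email": "ops@mail.example", "phone": "+0 000 0001"},
    {"domain": "bravo.example", "registrant": "Alias Two",
     "email": "OPS@mail.example", "phone": "+0 000 0002"},   # same email as alpha, different case
    {"domain": "charlie.example", "registrant": "Alias Three",
     "email": "other@mail.example", "phone": "+0 000 0002"},  # shares a phone number with bravo
    {"domain": "delta.example", "registrant": "Alias Four",
     "email": "nobody@mail.example", "phone": ""},           # nothing shared; empty phone
]

# Fields whose shared values count as a link between two domains.
PIVOT_FIELDS: Tuple[str, ...] = ("email", "phone")


class UnionFind:
    """Minimal disjoint-set structure keyed by domain name."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def add(self, x: str) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_evidence(records: Iterable[Dict[str, str]],
                  pivot_fields: Tuple[str, ...] = PIVOT_FIELDS) -> List[Tuple[str, str, str]]:
    """Return (domain_a, domain_b, field) for every pair of records sharing a pivot value.

    Values are normalised (stripped, lower-cased) so that case differences in
    email addresses do not hide a link; empty values never link anything.
    """
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    edges: List[Tuple[str, str, str]] = []
    for rec in records:
        for field in pivot_fields:
            value = rec.get(field, "").strip().lower()
            if not value:
                continue
            for earlier in seen[(field, value)]:
                edges.append((earlier, rec["domain"], field))
            seen[(field, value)].append(rec["domain"])
    return edges


def cluster_domains(records: List[Dict[str, str]],
                    pivot_fields: Tuple[str, ...] = PIVOT_FIELDS) -> List[Set[str]]:
    """Group domains into connected components over the shared-attribute links."""
    uf = UnionFind()
    for rec in records:
        uf.add(rec["domain"])
    for a, b, _field in link_evidence(records, pivot_fields):
        uf.union(a, b)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        groups[uf.find(rec["domain"])].add(rec["domain"])
    return sorted(groups.values(), key=lambda s: min(s))


def aliases_in_cluster(records: List[Dict[str, str]], cluster: Set[str]) -> List[str]:
    """Registrant names used across one cluster: the 'interlinked aliases' view."""
    return sorted({r["registrant"] for r in records if r["domain"] in cluster})


if __name__ == "__main__":
    for group in cluster_domains(RECORDS):
        print(sorted(group), "->", aliases_in_cluster(RECORDS, group))
    for a, b, field in link_evidence(RECORDS):
        print(f"{a} <-> {b} via shared {field}")
```

On the constructed input, alpha and bravo are joined by the shared email, bravo and charlie by the shared phone number, so the three form one cluster with three aliases while delta stays alone. Two caveats apply to any real use: WHOIS fields are self-reported and can be falsified or copied to mislead, and IP or SSID geolocation is coarse, so shared-attribute links and location data are corroborating evidence rather than proof on their own, which is why the report stacks several independent indicators.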

3. Use of a FinFisher sample: FinFisher spyware is notorious for being sold exclusively to
governments and intelligence agencies for surveillance. Its use in the Dark Caracal cyber
espionage campaign therefore points to backing by Lebanese government intelligence. Dark
Caracal's typical attack pattern is client-side spying on the victim's own device. The two mobile
tools used were a custom-written Android surveillance implant and a previously unknown FinFisher
sample. GDGS was one of the two government organizations flagged by Citizen Lab in 2015 for
using FinFisher spyware, meaning the intelligence agency was already an active user of the
government-only spyware.

These techniques, and others used in building the campaign infrastructure, were aimed primarily
at medical practitioners, government officials, military personnel and civilians of Middle Eastern
nations. Qatar and Saudi Arabia are already on the list of Middle Eastern countries attacked by
Dark Caracal, and the UAE is a likely addition. The UAE government issued a warning to its
citizens back in 2013 about an ongoing virus attack on smartphones, which was possibly the work
of Dark Caracal given the similar pattern: use of FinFisher, a mobile-first attack strategy, and
activity dating back to 2012. Mobile spying being one of the campaign's most powerful methods,
together with its use of remotely controllable spyware such as FinFisher, supports the view that
the UAE too has been attacked by the Lebanese government through Dark Caracal, even if this has
not been officially confirmed.