Researchers link smartphone hacking group Dark Caracal to Lebanese government

Dark Caracal has been targeting smartphones worldwide since 2012

As the cyber landscape evolves and the barriers to entry come down, new actors have entered the scene - including, allegedly, Lebanon, which has apparently been able to turn thousands of Android phones into spying machines.

Researchers at mobile security firm Lookout worked with digital rights group the Electronic Frontier Foundation (EFF) on the investigation, which uncovered a group of hackers they christened Dark Caracal (‘a secretive cat native to Lebanon’, according to Wikipedia; Lookout's justification is ‘We like cats’. Really. Read the report).

While Lookout has been tracking mobile security events worldwide since 2007, this is one of the most prolific it has seen to date. The platform appears to be run from the offices of Lebanon's General Security Directorate (GSD) in Beirut.

Although Dark Caracal has targeted desktops, it prioritises mobile devices as the attack vector. It is one of the first advanced persistent threat (APT) actors to work with mobile at a global scale. Lookout is aware of ‘hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims’.

Most of the victims are in the Middle East and Europe, although others have been tracked in North America, Asia and Africa.

Dark Caracal has mostly targeted ‘individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors’.

The attackers used malware, mostly installed through phishing techniques, to take control of Android smartphones and use them to monitor victims while also stealing data.

Lookout found Dark Caracal after the EFF released its Operation Manul (another cat) report, which highlighted a campaign targeting individuals who spoke out against Nursultan Nazarbayev, the President of Kazakhstan. The researchers were able to link the group back to the GSD because Dark Caracal had failed to properly secure its own command and control servers.

"Looking at the servers, who had registered it when, in conjunction with being able to identify the stolen content of victims: That gave us a pretty good indication of how long they had been operating," Michael Flossman, Lookout's lead security researcher, told Reuters in an interview. However, the researchers cannot say for certain whether their work definitively links the GSD to Dark Caracal, or if it is the work of a rogue employee.

Major General Abbas Ibrahim, director general of the GSD, said ahead of the report's publication that he could not comment on it without seeing its contents.