In the spring of 2017, researchers at the San Francisco-based mobile security firm Lookout were toiling over heaps of data, investigating a campaign of phishing and malware conducted on behalf of the Kazakh government against journalists, lawyers and political dissidents. Some of the victims alleged they had been tracked using GPS devices and had their homes broken into. A few of them said the intimidation went as far as attempted kidnapping.
What researchers were not expecting, however, was to stumble upon a twin operation originating from Lebanon, which would turn out to be one of the most prolific hacking campaigns ever documented.
Hundreds of intercepted gigabytes, containing personally identifiable data targeting thousands of victims in over 21 countries, had been collected and left exposed on the open internet in what they dubbed the “Dark Caracal” campaign.
Devices for testing and operating the campaign were traced back to a sand-colored, heavily manned building on Beirut’s Sami al-Solh Street.
On Jan. 18, Lookout and a second security firm, the Electronic Frontier Foundation, released a report linking Dark Caracal to Lebanon’s General Security.
From the international perspective, these findings mean Lebanon is now on the map as a state-actor capable of international cyberespionage. From the Lebanese perspective, however, they open up at least two thorny sets of questions.
On one hand, offensive campaigns aimed at the mass collection of personal data call for a public debate on the scope and legal mandate for these operations, as well as the accountability of the parties involved. On the other hand, the failure to safeguard the trove of collected information – coupled with separate accounts of hacking attacks that breached the emails of Lebanon’s top politicians as elections draw closer – raise questions on how Lebanon is protecting itself from external threats.
Prior to the release of the report, little information was available to the Lebanese public on the operations conducted by the Lebanese intelligence agencies. Fragmented accounts of spyware purchases and separate campaigns, however, help paint a picture of how Lebanon came to be involved in cyberespionage.
The political use of cyber tools is likely not only to constitute a threat to personal freedoms but also to increase the risks of conflict in the region.
While this arena constitutes a very new battlefield, it is one where Lebanon has already come under fire multiple times.
CRACKING THE CODE TO HACKING
Prior to the release of the Dark Caracal report, few observers would have bet that Lebanese agencies had the ability to engage in international cyberespionage.
As it turns out, they were mistaken. As Mike Murray, vice president of security intelligence at Lookout, put it, “it doesn’t take a billion dollars to [launch] a campaign like this,” but Dark Caracal’s geographical reach, the amount of data collected and the unprecedented level of access researchers gained into the trove of stolen information has made the campaign a remarkable discovery.
“We checked our work a lot because the activity was so surprising,” Murray told The Daily Star. “I don’t think anyone I talked to before this report believed Lebanon had these capabilities.”
In an interview with LBC following the release of the Dark Caracal report, General Security director Maj. Gen. Abbas Ibrahim said: “I do not want to directly comment on the subject of the report … and I do not want to reveal our capabilities to our enemies because any information in this context may harm us, but I confirm that we possess all the means to protect the country.”
This represents a backtracking from the comments made to Reuters ahead of the release. “General Security does not have these type of capabilities. We wish we had these capabilities,” the news agency reported Ibrahim saying in response to the then soon-to-be-published report.
According to researchers, the mechanism used in Dark Caracal was simple. A custom-developed mobile surveillanceware – dubbed Pallas – was used to send phishing links leading to fake versions of popular services like Google and WhatsApp. The links were posted on Facebook groups, or sent from the private accounts of fictitious attractive Arab women.
Once in the system, the targeted device would begin spying on its user, sending chat transcripts, pictures and other personal information back to the spymasters. Cameras and microphones could also be remotely activated to capture and send back real-time images and audio.
Researchers found six folders on the server the information was uploaded to, which they identified as each constituting a separate operation within the same campaign.
Murray explained that, as the barrier to entry for cyberespionage continues to decrease, more nation-states are able to conduct pervasive multiplatform cyberespionage campaigns with a relatively low budget and skillset.
“I think what this activity shows is that there is no nation state actor who can’t – with a very small investment – acquire globally relevant cyberespionage capability,” he said.
General Security appears to have “been thinking about [tools] for a long time and working on acquiring them. It looks like they were experimenting [between 2013 and 2015] and then really picked up the capabilities in the last 12 to 18 months,” Murray said.
The first evidence of a surveillance operation conducted by the intelligence agency dated back to 2012. Lookout and EFF found this first mobile surveillance campaign –considered to be the stepping stone to the Dark Caracal campaign – to have “clearly identified victims that were active in political discourse.”
A separate report released in 2015 by the Canada-based firm Citizen Lab, found that the Internal Security Forces – as well as General Security – had been purchasing a sophisticated German-made computer spyware named FinFisher, which is sold exclusively to governments around the world to take control of targeted computers and even capture encrypted data and communications. The German company Lench IT Solutions has attracted the criticism of human rights organizations for selling this tool to nondemocratic states that use it to crack down on political dissent.
In the report, Citizen Lab said the ISF reportedly had a “troubled record of human rights abuses.” Additionally, it mentioned that the intelligence agency filed a request in 2012 to obtain access to all SMS text messages sent over a two-month span by all users in Lebanon, followed by a second request to obtain the Lebanese users’ login credentials for BlackBerry Messenger and Facebook. The Ministry of Telecommunications refused to comply with this demand.
Emails made public by WikiLeaks in 2015 also revealed the purchase of a $1 million remote control system on the part of the Lebanese Army. The Galileo system, sold by the Italian company Hacking Team, is also known to defeat encryption and was purchased by Saudi Arabia, Egypt, the UAE and Morocco, among others.
Additional emails released by WikiLeaks also detailed negotiations between Hacking Team and the ISF in 2015.
A spokesperson from the ISF told The Daily Star that the agency did not have any knowledge of Dark Caracal and said that it was not conducting operations of cyberespionage.
While cybersecurity companies have linked Lebanon to the acquisition of spyware from established European companies, the infrastructure observed in Dark Caracal took researchers by surprise.
The campaign used an infrastructure – meaning a server and malware – identical to the one conducted by the Kazakh government and documented in 2016 by EFF as “Operation Manul.” It is while monitoring this campaign that researchers stumbled upon Dark Caracal.
“For a while, we thought it was the same group. But then we thought, ‘why is Kazakhstan spying [extensively] on Lebanon?’” Cooper Quintin, security researcher and technologist at EFF, told The Daily Star. Soon enough, however, EFF and Lookout came up with a more likely explanation.
“We [realized we] had two different governments using the same malware and the same servers to store the data. This is something that, as far as I know, is unprecedented,” Quintin said.
EFF does not believe Kazakhstan provided Lebanon with the infrastructure or vice versa. “What we think is that there is a third party that is selling or renting access to this server and malware to nation states,” he said.
While Quintin did not want to speculate on who may be behind this – EFF is still looking into it – he predicted more governments would follow suit in acquiring the same infrastructure, consolidating a trend that sees nation states moving away from the costly spyware sold by European companies and toward inexpensive tools provided by shady interlocutors.
GETTING AWAY WITH CYBERESPIONAGE
The growth of the cyber environment has given nation states with no prior espionage capabilities the opportunity to spy on targets of interest. This opportunity, Lookout’s Murray said, has turned many into “thieves.”
The flipside of engaging in such activities, however, is that having good offensive skills does not necessarily mean having a good defense. “It’s easy to try and rob a bank, the hard part is getting away with it,” Murray said.
Part of the problem, he explained, is that defensive operations require a different skillset, as well as a heftier financial investment.
While light has yet to be shed on whether the responsibility for leaving the collected information unprotected lies with General Security or on the unknown actor providing the infrastructure, this, as well as separately documented security breaches, raises questions about Lebanon’s ability to protect itself from attacks.
In November 2017, for instance, while all eyes were on Saudi Arabia and Prime Minister Saad Hariri’s shock resignation, one major security breach flew under the radar.
The French newspaper Le Figaro claimed that “a strategic attack” conducted by the OilRig group – a nonstate actor affiliated to the Iranian government – had managed to penetrate into the emails of top Lebanese politicians including Hariri and President Michel Aoun.
The Western sources that tipped off the newspaper argued Iran was intending to collect information that could sway the vote in the Lebanese May 2018 national elections in favor of Hezbollah, its Lebanese ally.
A media adviser to Aoun confirmed that the attack took place, but denied it had been successful in breaching the email of the president. “Someone tried to hack the email but did not succeed because of the security precautions we have put in place,” the source told The Daily Star. A source close to the prime minister denied that there had been any such hack on Hariri’s emails.
Anonymous security sources quoted by Le Figaro, however, have claimed the group had been able to access the emails. “It has been six months that the Iranian hackers linked to the OilRig operation have targeted the Lebanese servers,” they said. “They have had access to the email accounts of Saad Hariri and President Michel Aoun.”
Collin Anderson, a Washington-based cybersecurity researcher focusing on Iran, told The Daily Star that, while establishing the motives behind the attack was difficult, Iran’s interest in Lebanon was undeniable.
“It is very clear that Iran has been substantially interested in Lebanese targets for at least seven or eight years,” he said.
“Given that there isn’t a huge amount of sophistication being expressed by the Lebanese state in terms of securing the infrastructure, it [should not be] too challenging to get access to those systems.”
The attacks were likely to have been motivated by the pursuit of political and strategic leverage in the region, the researcher argued.
“It’s not just that [the Iranians] have a history of it, the capacity of it, they [also] have a very strong and topical interest in doing it right now,” he said.
Tim Maurer, co-director of the Cyber Policy Initiative at Carnegie, said the motives behind the OilRig attack may include gathering intelligence and storing information for publication at a specific point in time.
Maurer, who authored a book on the impact and risks of cyber proxies on global politics, urged the Lebanese government to improve its security infrastructure but also argued that threats to democratic elections have always existed. “In many countries, you can already influence elections in other ways, with dirty money [and other tools.] So in a sense, cyber operations are just another instrument,” Maurer told The Daily Star.
Iran, however, is only one of a number of actors likely to be spying on Lebanon. Israel, a leader in the cybersecurity sector, also has an interest in hacking into the Lebanese systems, accompanied by the U.S., Russia and Western intelligence agencies who keep an eye on geopolitics as well as money laundering, the researcher explained.
“Lebanon is heavily targeted for the diversity of reasons [that] people like to meddle in Lebanese affairs,” Maurer said.
Nonstate proxies have also emerged as players in the game. In 2015, the Israel-based company Check Point Software Technologies documented a campaign dubbed “Volatile Cedar,” which begun in Lebanon in 2012 and targeted a handful of carefully selected public web servers.
The activity, which appeared to have been suspended following the publication of the report, was not directly attributed to a specific group by Check Point. However, other cybersecurity researchers have identified the markings of Hezbollah.
Though there has been little evidence of the direct sharing of tools between Iran and Hezbollah over the years, a Carnegie report co-authored by Collin Anderson found that the Shiite group had initially leveraged malware used by an Iran-sponsored hacking group, Magic Kitten.
Throughout the years, however, Hezbollah’s cyber capabilities are thought to have grown to surpass those of Iran itself.
“What is interesting about the Check Point report is that [it documented] an operation of malware that is more sophisticated than the Iranians,” Anderson said.
But, the researcher added, “[these capabilities] still pale in comparison to Israel.”
CIVIL SOCIETIES, CYBER THREATS
Dark Caracal reportedly breached the systems of governments, military targets, financial institutions, defense contractors, military personnel, activists, journalists, lawyers and educational institutions in over 21 countries.
Documented targets in the region include Saudi Arabia, Syria and Qatar, while non-Arab targets include the United States and Russia. Israel and Iran popped out as two notable absentees.
Lookout and EFF, however, believe they were able to access only 20 to 30 percent of the totality of the information stored on the server, meaning the campaign is likely to have had an even wider reach.
“If Israel was a target, it could be that we didn’t have access to the data and didn’t see it. That doesn’t mean it didn’t happen but we have no evidence that it did,” Lookout’s Murray said.
Lebanese legislation guarantees the protection of all forms of private communication; such communication cannot be tapped except in emergency cases prescribed by the law and with an administrative order.
EFF’s Cooper Quintin said it is not uncommon for governments to use terrorism to justify conducting cyberespionage operations that do not appear to exclusively target terrorism suspects.
“[In Dark Caracal] we saw a pretty wide swath in terms of people who were targeted,” he said. “I think probably there were specific targets but enough random people got caught in the campaign, which makes it really hard to determine what the intent of the campaign was.”
Quintin explained that posting phishing links leading to malicious versions of popular apps on Facebook groups meant that any random user accessing the link and downloading the app would have become a target. Therefore, the campaign could not have been targeting only specific individuals, he concluded.
“I don’t doubt that they may eventually catch terrorists,” he said. “But in the process, they are also spying on a lot of other people.”
The Lebanese media advocacy group SMEX released a study on Jan. 24 highlighting how private information was also left unprotected due to loopholes in the Lebanese legislation.
“We have all this data, [including] biometric data, and yet we do not have a clear strategy on how to protect Lebanon’s [networks],” Mohamad Najem, SMEX co-director, told The Daily Star.
“If Lebanon wants to jump into this game [of espionage], it first needs to make sure that its infrastructure is protected, because they are jeopardizing all of our data.”
Najem argued the need to charter clear rules on what constitutes targeted surveillance and what constitutes mass surveillance, as well as when surveillance can be carried out for security purposes.
Alongside posing a potential threat to individual privacy rights, new technologies are also expected to become a powerful accelerator of political confrontation.
Cyberattacks targeting sensitive systems are already frequent in Lebanon. In 2012, the Moscow-based cybersecurity firm Kaspersky Lab released a report on a virus named Gauss, which had infected approximately 2,500 computers of financial institutions in the Middle East. The largest number of computers affected, 1,660, were Lebanese.
Once the infection took hold, the virus was capable of seizing and transmitting information, including browser histories, cookies, profiles and system configurations.
“At the beginning, most people thought that these were financial malware [aimed at stealing money], but then the technique … utilized showed that the attackers weren’t looking for financial gains but for intelligence gains. They were doing espionage activities,” Mohamad Amin Hasbini, senior security researcher at Kaspersky Lab, told The Daily Star.
Kaspersky Lab has since documented a number of other attacks against the Lebanese banking system. Hasbini said that Lebanon’s private-sector cybersecurity system appeared to be sound, but its financial institutions are nonetheless being targeted.
In a setting where a little over 60 banks manage nearly $120 billion in private deposits and where clients rely heavily on the institutions’ ability to grant them anonymity, attacks aimed at stealing information rather than money still run the risk of facing dire consequences.
“Loss of information has repercussions on the reputation. It’s like a chain, if you lose reputation it’s all connected to financial losses,” Hasbini said. Given the lack of transparency of the Lebanese financial system, it is difficult to estimate the extent of the financial losses caused by attacks like the Gauss virus.
Alongside banks, over the past decade companies and civil infrastructure in the region have also emerged as targets in cyberwarfare. In August 2017, malicious attacks targeting the systems of Saudi Aramco – the world’s biggest oil company – wiped out 35,000 computers in a matter of hours.
In 2010, Kaspersky Lab uncovered a malware dubbed Stuxnet, thought to have been designed by Israeli and American experts. The malicious computer worm was used to penetrate Iranian uranium enrichment facilities, causing substantial damage to Iran’s nuclear program.
According to Collin Anderson, similar cyberattacks could become triggers of conventional conflict. In the case of Lebanon, for example, a future conflict between Hezbollah and Israel could be sparked by attacks on civilian infrastructure that are within the reach of both parties.
“You could see [minor incidents] being a catalyst – like lights going out in a hospital [in Israel]” Anderson said. Accidents or wrong attributions of responsibility could also spiral into a diplomatic crisis. An accidental power cut in Tel Aviv, Anderson exemplified, could be erroneously interpreted as an attack on Israel’s civil infrastructure. “I think this is the way conflicts could play out [in the future],” he added.
Summing up the state of affairs in an interview with Carnegie, Anderson concluded that countries in the Middle East “will continue to invest in offensive capabilities rather than focus on the hard work of defense.”
“Cyber capabilities have now become a necessity, so that if a state cannot defend against rivals, it nevertheless has to be able to do it back,” he said. “Cyberwarfare is the new normal in the Middle East.”
A version of this article appeared in the print edition of The Daily Star on February 06, 2018, on page 3.