Researchers uncover Arabic-speaking international cyber mercenary group

A cyber espionage group is targeting thousands of high-profile organisations and individuals in the Middle East and around the globe

A cyber espionage group is targeting thousands of high-profile organisations and individuals in the Middle East and around the globe, according to researchers at security firm Kaspersky Lab.

The researchers consider this group – which they are calling the Desert Falcons – to be the first known Arabic-speaking group of cyber mercenaries to develop and run full-scale cyber-espionage operations.

The Desert Falcons are believed to be largely Arabic-speaking and to have started developing and building their operation in 2011. The researchers think the group's main campaign and infection began in 2013.

However, the peak of the group’s activity so far came in January 2015, with most targets in based in Egypt, Palestine, Israel and Jordan.

The researchers said the group has operated outside the Middle East countries it focused on initially, including the US, Sweden, Norway, France, Russia, Algeria and Turkey.

The group is believed to have attacked more than 3,000 victims in more than 50 countries and stolen more than one million files.

The attackers use proprietary malicious tools for attacks on Windows PCs and Android-based devices.


National infrastructure targets

Targets of the group include military and government organisations – particularly employees responsible for countering money laundering – as well as health and the economy.

Other targets include media companies, research and education institutions, energy and utilities firms, activists and political leaders, physical security companies and organisations with geopolitical data.

The main method used by the Desert Falcons to deliver the malicious payload is spear phishing via emails, social networking posts and chat messages.

Phishing messages contained malicious files or a link to malicious files masquerading as legitimate documents or applications.

The group has also used several other techniques to entice victims into running the malicious files.One such is the right-to-left extension override trick, which exploits a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name.

Using this technique, a malicious executable file looks like a harmless document or pdf file; even careful users with good technical knowledge could be tricked into running these files. For example, a file ending with .fdp.scr (an executable file) would appear .rcs.pdf.

Backdoors in constant development

After infecting a victim, the Desert Falcons group commonly uses one of two backdoors: The main Desert Falcons’ Trojan or the DHS Backdoor, to bypass security and access computer files.

Both backdoors appear to have been developed from scratch and are in continuous development, said the Kaspersky Lab researchers. They identified more than 100 malware samples used in attacks.

The malicious tools have full backdoor functionality, including the ability to take screenshots, log keystrokes, upload/download files, collect information about all Word and Excel files on a victim’s hard disk or connected USB devices, steal passwords stored in the system registry and make audio recordings.

Kaspersky Lab researchers found traces of activity of a malware which appears to be an Android backdoor capable of stealing mobile calls and SMS logs.


Hackers 'determined and active'

The researchers estimate that at least 30 people, in three teams, spread across different countries, are operating the Desert Falcons malware campaigns.

“The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight,” said Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team.

“Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data,” he said.

NSA fingerprints on hard drives

Phishing was a key element in the theft of up to $1bn from financial institutions worldwide, conducted by the Carbanak gang, that Kaspersky Lab researchers reported on earlier this week.

The Kaspersky Lab researchers expect this operation to carry on developing more Trojans and using more advanced techniques.

“With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks,” said Bestuzhev.

Earlier this week, Kaspersky Lab researchers reported on a Western espionage operation using Stuxnet-like spyware that was discovered on PCs in 30 countries.

Researchers linked the spyware to a nearly 20-year operation by "The Equation Group", that hid the spyware on drives from the world’s core hard drive suppliers.

Former operatives of the US National Security Agency claim concealing spyware in hard drives is a prized technique developed by the NSA.

Read more on Privacy and data protection