Who Is Selling Hacking Subscriptions to Governments?

BEIRUT—Just north of a perennially jammed arterial, sandwiched between the French embassy complex and a university administration building, a beige monolith with a vertical slash of reflective windows is set back from the road, guarded by a row of high barriers and men in fatigues with long guns. The building belongs to Lebanon’s General Directorate of General Security, one of the country’s several security agencies, which is in charge of national-security intelligence. According to a bombshell new report, this building is also the home base for a wide-ranging spying operation that spanned five years and more than 20 countries.

The report, published Thursday by the American security-research company Lookout and the Electronic Frontier Foundation, named the group behind the operation “Dark Caracal,” after an elusive wildcat native to the Middle East and Africa. The researchers connected the group to at least six surveillance campaigns that targeted government officials, academics, journalists, and businesses around the world, including in the Middle East, Europe, and the United States.

There’s a lot going on here, but perhaps what’s most unusual is that this isn’t the first time researchers have seen the tools Dark Caracal used for its spying operations. EFF and Lookout began tracking the group after EFF reported on a 2015 spying campaign in Kazakhstan that targeted dissidents and journalists. The digital infrastructure used to launch those attacks, they later found, was the same used for the surveillance campaigns they traced to Beirut.

The fact that two seemingly unrelated operations—Dark Caracal and the Kazakhstan campaign—shared technical characteristics hints at a bigger story. It might mean that an unknown third party is offering up infrastructure and malware to various nation-state customers for hacking campaigns. That would suggest that both the operations are part of a larger group of attacks that all use the same tools.

“We do not think it’s likely that Dark Caracal is managing this infrastructure,” said Cooper Quintin, an EFF security researcher and one of the report’s authors. “We think it’s far more likely that this infrastructure is being run by an unknown third party who is also selling their services to Kazakhstan and possibly other countries.”

Think of it as government surveillance as a paid service.

This week’s report only hinted at that third party, but Quintin said that researchers are already working on identifying it. “We have some ideas,” he said.

This is a marked departure from how nation-state surveillance usually works. Governments, especially those without a deep bench of homegrown hacking talent, often do buy surveillance tools from companies: Just look at the long list of governments that purchased espionage software from Hacking Team, an Italian company that was itself hacked in 2015. But what’s going on here seems to go a couple steps further. Instead of acquiring a hacking tool and using it for spying, Dark Caracal seems to have paid someone else to use theirs. “They subscribe to this, and then somebody sets up the whole thing for them,” Quintin said. “And they just have to log in and download reports about the people they’re spying on.”

In a way, this means digital espionage software is only just catching up to consumer trends. Like Google’s G Suite products, which are hosted on Google servers and customers pay to access, the report is describing a sort of cloud-based surveillance service. It’s just not clear where that cloud is.

The business model might be innovative, but the hacking methods the report revealed were relatively primitive. Dark Caracal didn’t use fancy code or expensive equipment: Much of its success came from plain old social engineering. They (or the group they paid to hack for them) used tricks like setting up fake Facebook accounts with photos of smiling Arab women to convince targets to download fake versions of messaging platforms like WhatsApp. These apps would then send entire chat transcripts back to their spymasters, plus various other revealing information like GPS location, contact lists, and SMS messages. The malware could even take photos with the infected phone’s front and back cameras, and secretly record audio from the device’s microphone.

The scale of the spying efforts emanating from the General Security building is surprising, said Mohamad Najem, the codirector of SMEX, a Lebanese digital-rights organization. So, too, is the list of countries where individuals were targeted, many of which are Lebanon’s allies. Najem questioned whether the operation was green-lit through the normal legal process, which requires judicial supervision and only allows targeted surveillance for a limited time period. “They’re doing anything they want, without any legal processes—and that’s very dangerous,” he said.

Requests for comment from General Security went unanswered. Before the report’s publication, Major General Abbas Ibrahim, the agency’s head, told Reuters, “General Security does not have these type of capabilities. We wish we had these capabilities.”

The Beirut-based operation was blown open when EFF and Lookout researchers found more than 80 gigabytes of stolen data—hundreds of thousands of text messages, call logs, contacts, and other goodies—on an unsecured, open server. Once the researchers located the server, it was just a matter of guessing various three-character folder names: wp7, wp8, wp9 ... “We were just web browsing,” Quintin said. “There was no hacking involved.”

The campaign’s focus on mobile devices set it apart from other mass-spying efforts: The researchers called it “one of the most prolific we have seen to date” when it came to stealing mobile data. What’s more, they think the treasure trove they found in plain sight only represents a small corner of the surveillance enabled by the same infrastructure that Dark Caracal used. “Other researchers have implied to us that there are other clients” besides Caracal and Kazakhstan, Quintin said, choosing his words carefully.

Jokes flew on Twitter after the report was first published, mocking Lebanese intelligence for its seeming incompetence. But it’s not clear who made the basic mistake that burned the hacking operation. It could have been the Dark Caracal group, Quintin said, but it could have also been shoddy work on the part of the mysterious hacking-tool vendor.

Sifting through the files they discovered on the server, the researchers found a handful of similarly configured devices that seemed to pop up over and over. They guessed that they were looking at the hackers’ test devices, and so they took a closer look at the Wi-Fi networks each had connected to. One Wi-Fi network they had in common was named “Bld3F6,” which the researchers geo-located to a spot right near the General Security building in Beirut. An AP reporter who walked by the building Wednesday found that network was still broadcasting, but when I went by the General Security headquarters Friday, the network was gone. It had been either hidden, renamed, or taken offline.