Skip to main content

Global spy malware traced back to Lebanese security

A recent report revealed that a malware campaign was mainly being operated by Lebanon's General Directorate of General Security, raising questions about the privacy of the country's citizens.

A recently found malware espionage campaign, called Dark Caracal, has affected thousands of people in 20 countries. The malware was discovered in January by two American cybersecurity organizations — Electronic Frontier Foundation (EFF) and Lookout. They tracked the source of the malware to a building belonging to the Lebanese national security agency, the General Directorate of General Security (GDGS).

At least since 2012, Dark Caracal has been actively transmitting private information, from call records and audio recordings to documents and photos, of military personnel, activists, journalists and lawyers living in the United States, Canada, Germany, France and Lebanon. This was made possible through trojanized apps, fake versions of applications, including Signal and WhatsApp. Trackers are able to take photos, retrieve location and information and capture audio. So far, no legal action or sanctions have been taken, and it remains unknown if the GDGS activities are still ongoing.

The joint investigation between EFF and Lookout started after EFF released a report called Operation Manul in August 2016. The report detailed a series of cyberattacks that targeted journalists and political activists critical of Kazakhstan’s authoritarian government, along with their family members, lawyers and associates living in the country and Europe.

“EFF’s research noted references to Android components that attackers used in tandem with the desktop malware,” Andrew Blaich, security researcher at Lookout, told Al-Monitor. “However, no samples had been discovered at the time of the report’s release. So Lookout went looking for the Android samples. Once we identified the samples, found the exfiltrated data, began to develop hypotheses around attribution and realized this story was much bigger than originally thought, Lookout reconnected with EFF to have them co-author the report with us.”

This investigation led the two organizations to a piece of Dark Caracal’s infrastructure, with at least 500 gigabytes of data left publicly accessible. With this insight, it led them to view the collected data and pin it to a physical location, a building belonging to the GDGS in Beirut near the National Museum. During the whole process, they made sure they were not violating any law such as hacking. “We have knowledge of hundreds of gigabytes of data exfiltrated from thousands of victims in more than 20 countries,” Blaich said.

He added, “Dark Caracal relies primarily on social engineering via Facebook and WhatsApp messages in order to compromise and target systems, devices and accounts, the goal of which is to eventually drive victims to a watering hole, a fake app store controlled by Dark Caracal. Applications trojanized with the Pallas malware family were found to be offered via the fake app store,, which Dark Caracal manages directly. There is also some indication that the GDGS has used physical access in the past to install their mobile components since it also controls border security.”

Blaich further said, “Dark Caracal is a persistent and prolific actor which we believe had and may still be operating out of a building belonging to the Lebanese GDGS.”

For Eva Galperin, EFF’s director of cybersecurity, “This is a very unusual case.” Galperin told Al-Monitor, “It potentially represents an entirely new model for nation-state hacking, where government actors rent infrastructure from third parties [tech companies]. This may be cheaper than buying software like FinFisher [a surveillance software that is installed on targets' computers by exploiting security lapses], which we know these actors [Lebanese authorities] have done, and it enables them to hide in the noise, because the same infrastructure is used on numerous campaigns for different clients.” The same technological infrastructure, or spying malware, can be used on different targets at the same time and, therefore, is less traceable.

Following the release of the Dark Caracal report Jan. 18, various rights organizations called for Lebanon to investigate this spying case. Human Rights Watch said in a Jan. 24 article that under international law, “Any government interference with privacy must be necessary to achieve a legitimate aim and must be carried out in accordance with both international and domestic law. Any law allowing secret surveillance must be ‘sufficiently clear in its terms to give citizens an adequate indication as to the circumstances.’”

In Lebanon, Law No. 140 of 1999 protects the confidentiality of private communications from eavesdropping, monitoring or disclosure, except in some cases. In these cases, the law also authorizes the interior minister and the defense minister to order the interception of specific communications based on a written decision approved by the prime minister. This can be possible in order to fight terrorism, crimes against state security and organized crime.

In reaction to the Dark Caracal report, Maj. Gen. Abbas Ibrahim, the director general of GDGS, told Reuters on Jan. 18 he wanted to see the report before commenting on its contents, adding, “General Security does not have these type of capabilities. We wish we had these capabilities.”

On Jan. 20, Interior Minister Nouhad Machnouk downplayed the scale of the affair while implicitly saying that Lebanese security agencies are involved in surveillance to “preserve national security.”

Contacted by Al-Monitor, the GDGS refused to comment on the matter, saying it can’t give out information on a security case related to its work. Bassam Khawaja, a Lebanon and Kuwait researcher at Human Rights Watch, told Al-Monitor, “Lebanon urgently needs better laws protecting privacy and personal information. … The prosecutor should investigate whether the reports of this operation are correct, bring criminal charges against any unlawful surveillance and authorities should end any ongoing arbitrary surveillance.”

“We need to question, under the eavesdropping section of Law No. 140/1999, the fact that 500 gigabytes of data was left on the web for years,” Lebanese digital rights organization SMEX co-founder Mohamad Najem told Al-Monitor.

“This [the data] was picked up by the researchers, but also might have been picked up by other surveillance states or groups. We need to know from the independent administrative committee [which] submits their report to the president about this specific point. The information collected by security agencies need to be secured and people’s private data protected. After these surveillance activities showed to the world that Lebanon is behind this data left alone, aren't we at a bigger risk in the case of a cyberwar? How much people’s data can be protected if other countries spy on us?” he added.

Galperin confirmed it was a targeted surveillance case, saying, “Each of these mobile devices was compromised through the installation of a backdoor version of a common app. The apps were often downloaded from a fake Android store, but sometimes they were installed via physical access.”

It remains unclear if the Lebanese state will take action to limit this surveillance or question its legality. So far it remains unknown whether the GDGS is continuing its surveillance activities. But without a proper law to protect the privacy of its citizens and a stricter surveillance law, the GDGS and other security agencies can keep on spying on citizens without any fear of being held accountable.

More from Florence Massena (Lebanon Pulse)

Recommended Articles