Just a few days after revealing how Gaza hackers used porn videos and phishing e-mails to steal files off computers in Israeli government and corporate offices, Kaspersky Lab researchers released details about what they said was the first group of Arab “cyber mercenaries,” a group that runs highly professional cyberattacks using advanced hacking and malware techniques.
The group, which Kaspersky researchers call the “Desert Falcons,” distinguishes itself from the Gaza porn-hacker group and other lesser cybercriminals by the highly advanced methods it uses to attack high-security sites and by the amount of damage it has caused.
According to the researchers, the group, which has been operating since 2011 but only recently got into the full swing of hacking, has stolen over a million files from some 3,000 victims in 50 countries.
Those include countries throughout the Middle East and Europe, but their main focus has been Israel, the Palestinian Authority and Egypt, targeting military and government organizations — particularly employees responsible for countering money laundering — as well as leading media outlets, research and education institutions, energy and utilities providers, activists and political leaders, physical security companies, and other targets in possession of important geopolitical information.
The researchers said they had identified several of the hackers, and while not revealing their identities, said they were mostly residents of the PA, Turkey, and Egypt. They have also been surprisingly open about their activities, using Twitter and other social media to brag about their exploits. They all appear to be native Arabic speakers, Kaspersky Lab said.
The level of sophistication and the sites they were targeting, the researchers said, indicated that they were being sponsored by someone – maybe a criminal organization, or maybe even a government.
“The profiles of the targeted victims and the apparent political motives behind the attacks make it possible that Desert Falcons operations could be nation-state sponsored. At present, though, this cannot be confirmed,” the researchers said.
While the methods of entry into systems were similar to other major hacks — spear phishing via e-mails, social networking posts and chat messages that contained malware or links that when clicked dumped viruses on systems — the hackers took advantage of the right-to-left structure of Arabic and Hebrew to deliver files that would be very hard for anti-virus programs to catch.
“This method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name,” said the researchers.
“Using this technique, malicious files (.exe, .scr) will look like a harmless document or pdf file; and even careful users with good technical knowledge could be tricked into running these files. For example, a file ending with .fdp.scr would appear .rcs.pdf,” they said, which would get through a spam or virus detector parsing for suspicious files.
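As an added, defender-side illustration (not code from the article or from Kaspersky), the check below flags filenames that carry a Unicode bidirectional override character and whose real extension is executable, the trick described above where “fdp.scr” renders as “rcs.pdf”. The rendering function is a simplified approximation of the Unicode bidi algorithm (adequate for ASCII names), and the list of executable extensions is an assumption, not a complete one.

```python
"""Detect right-to-left-override (RLO) filename spoofing.

Constructed example for a mail gateway or EDR triage script. It reports
the extension the OS will actually use versus the one the user sees.
"""
import os
import unicodedata

# Unicode bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Extensions Windows launches on double-click (assumed subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".hta"}


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders the name: text after an RLO
    (U+202E) is shown reversed until a PDF (U+202C) or end of string.
    Other bidi controls are invisible, so they are simply dropped."""
    if "\u202e" not in name:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202e")
    tail, _, rest = tail.partition("\u202c")
    clean = lambda s: "".join(c for c in s if c not in BIDI_CONTROLS)
    return clean(head) + clean(tail)[::-1] + clean(rest)


def inspect_filename(name: str) -> dict:
    """Return the true and displayed extensions and a suspicion verdict."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    true_ext = os.path.splitext(name)[1].lower()       # what the OS will use
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()     # what the user sees
    return {
        "true_ext": true_ext,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        # Suspicious only when an override is present AND it changes the
        # visible extension or hides an executable; a legitimately named
        # Arabic/Hebrew document with matching extensions is left alone.
        "suspicious": bool(controls)
        and (true_ext in EXECUTABLE_EXTS or true_ext != shown_ext),
    }


if __name__ == "__main__":
    # Constructed sample names: one spoofed .scr, one benign Arabic .docx.
    for n in ["invoice\u202efdp.scr", "\u202b\u062a\u0642\u0631\u064a\u0631\u202c.docx"]:
        print(repr(n), inspect_filename(n))
```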
In addition, the hackers wrote their own original malware tools – unlike the vast majority of “script kiddie” hackers, who use off-the-shelf tools – again indicating a high level of sophistication. The malware was able to take screenshots, log keystrokes, upload/download files, collect information about all Word and Excel files on a victim’s hard disk or connected USB devices, steal passwords stored in the system registry and make audio recordings.
Kaspersky Lab experts were also able to find traces of activity of a piece of malware that appears to be an Android backdoor capable of stealing mobile call and SMS logs. Using these tools, the researchers said, the Desert Falcons launched and managed at least three different malicious campaigns, each targeting a different set of victims in different countries.
Who they really are, and especially who they are working for, may never truly be known – it’s possible that the identity information culled by the researchers may be completely fake, after all. Regardless, the hackers are a formidable group and represent a major advance in cyber insecurity for Israel and other countries targeted, said Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team.
“The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. Using only phishing e-mails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data.
“We expect this operation to carry on developing more Trojans and using more advanced techniques,” Bestuzhev added. “With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”