Darknet Diaries - Ep 38: Dark Caracal

Episode Date: May 14, 2019

A journalist wrote articles critical of the Kazakhstan government. The government did not like this and attempted to silence her. But they may have done more than just silence her. Perhaps they tried to spy on her too. The EFF investigated this case and went down a very interesting rabbit hole. Thanks to Cooper Q from EFF's new Threat Lab. Also big thanks to Eva from EFF, and Andrew Blaich and Michael Flossman from Lookout. For another story about the EFF, listen to episode 12, "Crypto Wars". This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

Transcript
Starting point is 00:00:01 One of my favorite adventurous activities I used to like doing when I was younger was exploring abandoned buildings. I've been in abandoned schools, banks, industrial plants, churches, hotels, mines, tunnels, and office buildings. It's pretty dangerous, but I liked it. This one time I was exploring an old hospital with a friend, and as we were walking through it, we heard a noise in one of the rooms. We looked inside, and there was a cat sitting there, slowly waving its tail back and forth, staring at us. And right in the middle of the room was an empty cat food bowl. The cat seemed to be living there, and someone was feeding it. That was strange, but we kept walking down the long corridor of this abandoned hospital. We heard a noise behind us. I quickly turned around, and I swore I saw a door swing closed way at the end of the hallway.
Starting point is 00:00:54 But it was so far away, and it was so quick that maybe I didn't see it. A lot of the windows were broken in this building, and the wind was blowing, so I just stood there in the middle of the hall and I stared down it, frozen, looking to see if any of the doors would just swing open or close by themselves. But nothing. No movement. No sound. Did I see someone or was this my imagination? This creeped us out, so we went back down the hallway to leave. When we got to the room where that cat was, we looked in it. The cat food bowl was now filled, but the cat was nowhere to be found,
Starting point is 00:01:31 and a few other doors that were open are now closed. Without seeing anyone at all, we knew for sure someone was in this abandoned building with us, and they probably saw us and were watching us. We got out of there pretty quick after that and drove home. Have you ever been in a situation like this, though, where you're positive that something or someone was there watching you, but you couldn't quite figure it out? These are true stories from the dark side of the Internet. I'm Jack Rhysider.
Starting point is 00:02:08 This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realized I don't need to be fighting this alone anymore.
Starting point is 00:02:48 Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites. And continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found and then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for Darknet Diaries listeners. Today get 20% off your Delete.me plan
Starting point is 00:03:23 when you go to join delete.me.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher and he's made it a mission to make Black Hills Information Security world-class
Starting point is 00:04:14 in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer
Starting point is 00:04:49 and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. We have a big story here, and there's a lot to cover. So let's just get right into it and meet our guest. What's your name and what do you do? One second. It's not a hard question.
Starting point is 00:05:16 I got to think about which name I want to use. No, no, I actually drink a water all of a sudden. Okay. So I'm Cooper Quintin. I am a senior staff technologist on EFF's Threat Lab. Threat Lab? There's a Threat Lab at EFF? Yeah.
Starting point is 00:05:33 So Electronic Frontier Foundation has a new project called Threat Lab. And our mission is to research and help stop targeted threats against at-risk populations. So this is like lawyers, human rights lawyers, activists, journalists around the world that are being targeted with malware or other digital surveillance techniques. So let's back up here for a minute. The EFF is the Electronic Frontier Foundation. It's a non-profit organization and it has a goal of protecting our civil liberties online. We have them to thank for standing up for
Starting point is 00:06:10 us when our digital rights are being threatened. It's a great group of people full of lawyers and activists and researchers, and Cooper here is working with them in their Threat Lab. But the Threat Lab is actually a brand new thing within the EFF. And there's an interesting story about how all that came to be. And it all starts with Operation Manul? Ah, yes. Operation Manul. What's a manul? It's named after the manul cat, or Pallas's cat, which is native to the steppes of Kazakhstan.
Starting point is 00:06:41 Okay. So there's a cat on the steppes of Kazakhstan. It's a really expressive, amazing cat. And I highly recommend looking up pictures of the manul. Oh, this is great. There's like exotic creatures and places in the story already. I love it. Go on.
Starting point is 00:06:55 Operation Mantle started when EFF was representing a woman named Irina Petrushova, who is the editor-in-chief of an independent newspaper, which is formerly out of Kazakhstan, called Respublika. Respublika had been Kazakhstan's only source of independent journalism. Right. So here's the first person of our story, Irina Petrushova. Not only is she a reporter for Respublika, but she's also the founder of this independent news source in Kazakhstan. Now, specifically, she was writing stories and doing reporting on the corruption that goes on within the government of Kazakhstan. There were a series of financial scandals that she wrote about,
Starting point is 00:07:33 and the president often hires family and friends to fill certain roles, even though there are people much more qualified and willing to fill those roles. And you should know a little about the president of Kazakhstan. This is the first president of Kazakhstan ever. He came to power in 1990, and he stayed there until he retired this year. Yeah, there were elections, but they didn't appear to be free or fair at all. And some even go so far as to the corruption of this authoritarian regime, somebody really didn't like this and wanted to do everything they could to keep Irina quiet. Okay, so first they kill her dog and leave the head of the dog at the front door of the building where they published Respublika from. Jeez. Then they leave a human skull in front of her office building with a note pinned to it saying
Starting point is 00:08:29 there will be no next time. And then they followed that up with fire bombing her office. The office burned to the ground, and that's when she finally left Kazakhstan. She fled the country and moved to Russia.
Starting point is 00:08:49 She thought maybe the government of Kazakhstan was behind these personal threats. But she didn't stick around to find out. She was scared for her life. But she continued to write for Respublika and publish articles about the government of Kazakhstan. And one day, a big story showed up. This giant dump of emails appeared online on a website called Kazaword. And these were emails leaked from Kazakhstan's government, from Kazakhstan's president. When this giant dump of emails showed up on another website, Irina published stories about it. The Kazakhstan government was very upset again with Irina and decided to try to silence
Starting point is 00:09:26 her. The government of Kazakhstan sued Respublika and Irina Petrushova in the New York district court, claiming that they were responsible for this Kazaword dump of documents. And tried to get their
Starting point is 00:09:42 Respublika's reporting on this dump of documents taken down from the... The case gets underway in New York. Irina needed some help with this. At this time, Irina contacted us for legal help, and we started representing her in court, because this would obviously be a violation of the First Amendment. Yeah, it is a violation. Journalists are allowed to publish documents that are factual in nature. And this judge looked favorably on Irina and the EFF and said Respublika does not need to take down the articles about the leaked emails, which is a victory for Irina and EFF. And perhaps historically, the EFF would have stopped there and that would have been the end of the case.
Starting point is 00:10:19 But the EFF has a new interest in malware that is associated to things like this now. At that same time, she and her brother, who is also an editor, started receiving spear phishing emails, which were designed to look like they were coming from other activists in Kazakhstan and human rights lawyers working with Kazakh people. These spear phishing emails contained attachments that looked like Word docs or PDFs, but which were in fact malware. One of the things that EFF does is educate people on the dangers of being a journalist
Starting point is 00:11:01 that might be a target for hackers. Yes, exactly. So we had given her some security training. And when she got these emails, she thought they were a little bit suspicious. So she sent them to us. We started looking at them, quickly figured out that the attachments were malware,
Starting point is 00:11:21 and then started taking apart the malware to figure out what might be the source of this. So this team from EFF started investigating these Word docs and PDF docs. And they found that when you open these attachments, it will go download a piece of malware called JRAT. You embed an exploit in a PDF or a Word doc that the person opens, and then that exploit goes and downloads and installs JRAT. And then once JRAT is running, it can do a lot of different things. It can turn on your camera,
Starting point is 00:11:53 it can capture your screen, it can record audio ambiently in the room, it can go through your files on your computer and create files or delete files or download files. You can spawn a shell to remotely run commands on the computer and a bunch more stuff. And the neat thing about JRAT is that it works on Windows, Linux, and Mac computers. The RAT part of this JRAT malware stands for Remote Access Trojan, which means when a user gets infected with JRAT, the hacker can then remote control that computer, allowing them to download stuff or interact with that computer. And at the time, you could buy this piece of malware at jrat.io for about $40 in Bitcoin. So this wasn't a sophisticated or
Starting point is 00:12:42 expensive piece of malware at all. But a few more emails came in with more attachments and a second piece of malware, which also was discovered, called Bandook. And specifically, Bandook was developed by a guy who goes by the name Prince Ali. We'll learn more about Prince Ali later, but Bandook did a lot of the same things that JRAT did. Now, as Cooper and the team at EFF discovered this, they knew they were dealing with something more serious. The first reaction is like, wow, we really have something here, right? This isn't just crimeware. This isn't somebody trying to, you know, steal her credit cards. This is actually somebody trying to undertake digital espionage, right? This is somebody actually trying to spy on her. See, there are a few types of hackers out there.
Starting point is 00:13:30 There's like the common crimeware hackers, which usually are like a spray and pray kind of hacking. They'll just scan the whole internet looking for vulnerabilities or they'll send out thousands of phishing emails. But then there are the targeted hackers. And these people have a specific objective on a target. And because these phishing emails were crafted just for Irina personally, and the malware wasn't like a Bitcoin miner or ransomware or anything,
Starting point is 00:13:52 then this likely means somebody was actively trying to spy on her. And it's scary and dangerous to be the target of a hacker like this. We inform her and she informs her friends and her family and her staff. And they start sending us more suspicious emails. And we get a bunch that all contain JRAT or the other malware called Bandook. Her brother started getting phishing emails, her family, other people at Respublika. And she was getting more emails too.
Starting point is 00:14:24 This was getting more serious now. So we started looking into the malware and we find the command and control servers. So these are the servers that the malware actually talks to. These are the servers that the malware sends any files that it gets back to. Basically, these are the servers that let the person running the malware tell the malware what to do. With malware like this, there's often an intermediary computer that files are staged on, uploaded to, and connections are made. And that's what this command and control server is. So when you open a PDF, your computer will then download the malware from that server. And when you get infected, your computer will upload data to that server.
Starting point is 00:15:09 So you need this server in order for the malware to be successful. And the team at EFF discovered eight different domain names used by this malware and two different command and control servers. And each of them were hosted by companies notorious for hosting possibly illegal content and protecting its users. So yeah, again, this doesn't seem like your typical crimeware. We figured that at least the people who were going after Respublika and after Irina Petrushova were likely doing this on behalf of the government of Kazakhstan. The government of Kazakhstan is clearly after her, right? They're clearly very upset with her for posting negative things about the government. But see, it's hard to tell for sure.
Starting point is 00:15:57 There just isn't any smoking gun. And it's kind of like a puzzle where like most of the pieces are all together and you can pretty much tell what the puzzle is going to look like, but you still need that final few pieces to really know for sure. Okay, remember those emails that got leaked, which were the official Kazakhstan government emails? One of them stood out to Cooper. One of the things we learned from the dump of emails is that the president of Kazakhstan had taken out a contract with a private intelligence company called Arcanum Global Intelligence to perform what they called a surveillance data extraction and full spectrum cyber operation mission to surveil Kazakhstan's only opposition politician, whose name is Ablyazov.
Starting point is 00:16:49 His last name is Ablyazov. I mean, we just got started. We haven't even got to the good stuff yet. And I'm already just blown away by the magnitude this whole thing is. Oh, it's crazy. This is the deepest rabbit hole I've ever been in. Okay, so there's sort of a smoking gun that says Kazakhstan has historically hired independent hacking teams to spy on the enemy. Well, the interesting thing and sort of the thesis that I want to get at is that it's not that Kazakhstan has any cyber skill.
Starting point is 00:17:21 I hate using that word, but let's go with it. It's not that they have any, okay, it's not that they have any, like, I mean, I'm sure there are many fine hackers in Kazakhstan, right? But, like, the government does not have a cyber war unit, right? It's not like, um, you know, they don't have, like, what is it, Israel's... 8200. Yeah, 8200. Exactly. They don't have...
Starting point is 00:17:48 Exactly. But what they have is companies that do have this capability that are more than happy to sell it to any nation state that will pay. These for-hire hacking teams really fascinate me. And that's something I'm going to have to dig into for a future episode. Because there are a lot of groups like this which will carry out hacks or spying or doing signals intelligence for clients. Because we know this is something that, you know, digital surveillance, digital extraction missions, right, is the term they use. We know that that is something Kazakhstan is interested in. All of the spear phishing emails seem to demonstrate like a pretty good knowledge of government of Kazakhstan or are the family members or associates of people involved in those disputes.
Starting point is 00:18:52 So we feel like we have a pretty good link to Kazakhstan, although it's all circumstantial evidence. They also discovered some malware activity on mobile phones. What they found were files that looked like they were uploaded from mobile phones, which led us to believe that there was probably a mobile component to this campaign, although we never actually found, at the time of publishing, we never found the mobile malware. Eva Galperin was also a big part of this research. And you might know her from Twitter as evacide. So Cooper and Eva put this data together and put it in a report called Operation Manul. Again, manul being a native cat to Kazakhstan. And they just like cats, so why not?
Starting point is 00:19:37 The report was published and they gave a presentation at Black Hat, a big security conference in Las Vegas. Our talk today is presented by Cooper Quinton and Eva Galperin. Hi there. Welcome to When Governments Attack, also known as I Got a Letter from the Government the Other Day because I Couldn't Resist a Public Enemy Reference. We're going to be talking a little bit about... People were a little freaked out with this report, concerned about how easy it is for Kazakhstan
Starting point is 00:20:04 to ramp up a cyber espionage program by outsourcing it. And people wondered how far does this spying go? At the end of the Black Hat talk, Eva said, I'm fairly certain that Cooper and I are less good at this than many of the people who are in this room right now. So I beg you to go look at our report and see the many loose ends that we have left, the many areas in which more research is needed. It would not be that difficult for people with more skills than us and more resources than us to be helpful. And this call for help worked. A few new people saw this report and looked into it and found some things that they could help with. And when we come back, we'll hear what they found. more important than ever. I recently visited spycloud.com to check my darknet exposure and
Starting point is 00:21:05 was surprised by just how much stolen identity data criminals have at their disposal, from credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet exposure report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. So, unbeknownst to us, two researchers at Lookout, the mobile security company, took an interest in this report.
Starting point is 00:22:08 And specifically, they took an interest in the part of the report that said, we believe that there are mobile components to this based on exfiltrated mobile files that we found, but we weren't able to find the samples. Lookout, being a mobile security company, has a big database of mobile malware and of the samples and of the, you know, domains that they've seen, the malicious domains that they've seen. So Mike and Andrew, the researchers at Lookout, start combing through their database. And after a little while, they find some malware which is talking to the same domains that we had discovered in the Operation Manul report. So at this point, they reach out to us and they say, hey, we have this interesting mobile malware.
Starting point is 00:23:01 We would love for you guys to take a look at it. We think that it's related to Operation Manul. The team at Lookout called this mobile malware Pallas, P-A-L-L-A-S, which is the other name for the manul cat. So they decided to get together and come to an agreement. Sort of our arrangement was, okay, they will look into the mobile malware. We will sort of consult with them and think, you know, write a blog post together and think about what this might, you know, what this might mean geopolitically. The team at EFF and the team at Lookout,
Starting point is 00:23:34 they team up. They find a couple of new things related to this whole campaign. So we were about to publish a small blog post saying, hey, we found some more mobile malware related to Operation Manul, and here it is, and that's all, folks.
Starting point is 00:23:51 When I remembered that several months ago, when I was researching Operation Manul, we had found all the uploaded files from the malware, from people's infected computers, on the command and control servers. When Cooper was investigating Operation Manul, he watched how the malware behaved. And he noticed that it does things like take screenshots and then uploads that to the command
Starting point is 00:24:17 and control server. And it puts them in a specific directory. Well, it just so happens that that directory was visible to anyone on the internet. In other words, the data was in a location on the file system that you could visit with a web browser without authentication or anything, without even an index file that would hide the file names. So you could basically, like, one of the servers was axroot.com and, you know, you would go to axroot.com slash four letter campaign ID
Starting point is 00:24:51 slash pictures and you would see the list of every picture that had been uploaded by that infection. Whoa, this is a big deal. Cooper had the ability to view and download all the data that this hacking crew had stolen from its victims? This is what Cooper used to build his report on, but forgot to mention it to the Lookout team until just now.
Starting point is 00:25:12 You know, I went to Lookout and said, oh, hey, do you think that it might be useful to look at some of this exfiltrated data? And they, you know, their jaws dropped and they were like, are you kidding? Yes. Why didn't you say this months ago? Yes. Let us. Yes. Jesus, give us the URLs. You know, this was like two days before we were going to publish this little blog post, right? I showed them the data, we started looking at the data, and we're like, oh wait, there's actually something much bigger going on here. This looks like a new, a totally new target. Like, it was a target that wasn't Kazakhstan related, is that what you're saying? Exactly. It was a target that wasn't Kazakhstan related. We start downloading all of the data that we can find and we end up with several gigabytes worth of data. It's pretty similar data from what we got before, you know, audio
Starting point is 00:26:06 recordings, video recordings, files. But we also found SMS messages, call records, WhatsApp, Telegram, and Skype databases, and Wi-Fi details. This data provides the lookout team a lot more information to investigate. But not only that, there appears to be more victims since the report was published. And so the teams decided not to publish a blog post because the investigation just got a lot more interesting. Exactly. That's exactly what happened. This is way bigger than what you're looking at. So we start looking into this new data.
Starting point is 00:26:40 And we quickly discover that most of the infections are infections of people in Lebanon or on the border of Lebanon and Syria. Looking through it, it appears to be mostly Lebanese civilians. There's also, um, some military people in there. There's some activists in there. Just a really wide swath of Lebanese society. Okay. When you see, like, okay, Lebanon, this is getting bigger. What is going through your mind now? Yeah, so now it's a
Starting point is 00:27:26 real mystery, because previously we had assumed that, you know, this was the work of a company working on behalf of Kazakhstan, right? But why would the government of Kazakhstan be spying on Lebanese citizens? What's the relation between Kazakhstan and Lebanon? There's not much of a relationship, actually. Or vice versa, right? If this is the Lebanese, why would they be spying on Kazakh dissidents? This is kind of blowing the theory now that the hackers behind this
Starting point is 00:28:02 might be from the Kazakhstan government. All of a sudden, the motives and signals just don't add up. The teams keep analyzing the data, poring through gigs of photos and text messages and emails and keystrokes and Wi-Fi hotspot data and more. Everything this malware would upload to the servers, the team would then download and take a look at it. Then they found another victim, a Vietnamese cigarette importer, and this confused them even more. Around this time, Lookout positively identifies the mobile malware being used in this hacking campaign. Typical spyware mobile malware will enable the microphone,
Starting point is 00:28:43 copy text messages, emails, turn the camera on, read your private messages, that sort of thing. But what's interesting about it is that it is masquerading as encrypted messaging applications. So the malware is disguised as copies of WhatsApp, Signal, Telegram, Tor, and Threema. And the attackers have actually set up a website called secureandroid.info that has the backdoored Trojanized copies of all of these apps. Doing a little bit more investigation, the teams figured out how this whole thing went down. The hackers would send an email or a text to an Android phone user saying,
Starting point is 00:29:31 hey, we need to talk, but let's do it in a secure way. Download WhatsApp from this URL and then we can have a secure chat. And the link to download the app would be to the hacker's version of WhatsApp. And the really interesting thing is, so these were all, in addition to being spyware, working versions of the app still. So, you know, when you downloaded
Starting point is 00:29:53 this fake version of WhatsApp or this fake version of Signal, you would be able to use it like the real version of WhatsApp or of Signal, but it would also be spying on you in the background, decrypting your encrypted messages and sending them to the command and control server. The teams at Lookout and EFF kept seeing more and more data being uploaded to the command and control servers, which gave them so much more stuff to go through.
Starting point is 00:30:17 They were seeing many more than six domain names that were being run by this hacker crew. We found over 20 domains that were connected with this campaign. And the domains were things like AdobeAir.net, TweetsFB.com, of course, SecureAndroid.info,
Starting point is 00:30:39 which is hilarious to this day because all it had was InsecureAndroid. ArabLives.com and the one I mentioned before, axroot.com, skypeupdate.com, and a bunch more. Each of these sites had a different purpose in this attack. For instance, secureandroid.info was where emails would point the victim to download the malicious program. And Tweetsfb.com had exact replicas of the Twitter and Facebook login pages, which were probably used to trick users to enter their username and password in order to steal their logins. And some of these other domains were used to upload the stolen data to. And the whole time, tons more victims are being hit with this, which means tons more data is being uploaded to
Starting point is 00:31:25 these servers. Data which Cooper and the team can see. And we find just a massive amount of data, right? We found 81 gigabytes of data just on adobeair.net. Oh my gosh. It's like all adding up in my head now. You have behind-the-scenes access to all the files these hackers are stealing, and it's tons of data, and it's very sensitive, private stuff. Are you, like, downloading it all and looking at it? Yeah, and it's, you know, I'll tell you, Jack, it's really, really, it's heavy stuff to look at. Because you have to look through all this data to figure out who the victims are, who the threat actors are. And you're really looking through people's very personal data.
Starting point is 00:32:19 You start looking through the pictures uploaded from people's phones. And you see pictures of people's kids and, like, pictures from war zones. You have to find ways to look at all these things to try to figure out what's going on here, and try to figure out, you know, are these victims related to each other in some way, why are they being spied on. And it's awful, you know, you feel like a terrible human being and you have to stop. So the team combs through the data, photo by photo, text by text, and they would piece together the puzzle. They would figure out how the victim got infected by looking for suspicious text messages of people asking them to download an app. And they try to find info on this victim, like where they are in the world and what their job was, and why they might be the target for this kind of spyware attack.
Starting point is 00:33:07 Exactly. Well, you know, at some point what we did was just started to write a script that would take the IP addresses of all the victims and, you know, map them out in the world. Using geo IP lookup tools, you can see what city that IP comes from in the world. And the map they made displayed victims being all over the world, not just Kazakhstan and Lebanon, but so many more countries. In this map, we've got victims in Lebanon, Kazakhstan, the United States, China, France, Germany, India, Italy, Jordan, Nepal, the Netherlands, Pakistan, the Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, Venezuela, and Vietnam. Holy cow. All over the world.
Starting point is 00:34:05 How many countries are there? So we found victims in a total of 21 countries all over the world. Okay. So at this point, it's a global threat. What are you thinking at this point? So at this point, we're thinking, wow, whoever this is, they have a really large operation going on here. And it's starting to seem less and less likely that this is the work of any one government directly.
Starting point is 00:34:36 What one government would have an interest in spying on so many different people in so many different countries, yet have such low-tech hacking tools and techniques? Good point. Yeah, such bad operational security, right? Like, you can think of several governments that might have interest in spying all over the world, right? Russia, China, the US, Israel. But they all have fantastic hackers working for them. They wouldn't be caught dead with such an amateurish operation. Trying to figure out who's behind this attack is hard. But there's one method you could use to try to figure it out. And it's called the diamond model. Picture a shape of a diamond in your head.
Starting point is 00:35:22 It has four points, right? Well, each point represents one piece of the puzzle. Who did it? How did they do it? Who did they do it to? And what tools did they use to do it? In this case, we don't know who did it, but we do know the rest. How they did it was using the malware that was found.
Starting point is 00:35:38 Who they did it to, well, there's a list of victims around the world. And what they used was 20 different domains and a couple command and control servers. So this is sort of like algebra. And you want to solve for who's doing the hacking. We know three of the parts of the puzzle. And just knowing that helps us narrow this down a lot. Since the victims were all dissidents, activists, lawyers, and journalists. And the point of the malware was simply to spy on these people.
Starting point is 00:36:03 We know it's probably not a profit-driven hack. So you rule out, like, common criminals. Then you can start assuming this is, like, a nation-state actor carrying out these attacks. Because who else would want to spy on activists and journalists exposing corrupt governments? But because the malware and tools are not that sophisticated, and they didn't secure their command and control servers very well, it doesn't seem like a very good group of hackers, which kind of rules out the more advanced nation-state
Starting point is 00:36:30 actors. And this is the sort of path that you go down when you try to figure out who's behind something like this. This is called attribution. I mean, at some point, is it hard to sleep at night while you're researching this? I mean, digging into the back door of a threat actor's server and then seeing the size of this, you can't just lay down and go to bed like a baby.
Starting point is 00:36:58 Oh, no, no. This definitely took up all of my brain space, all of my time, all of my thinking power for several months while I was working on it. There was really nothing else. Sleeping and thinking about who might come for us once we published this report was definitely me. As the team at Lookout was putting this report together, they realized a problem. This whole hacking campaign was still active and live. And if they published this report, it might mean that other people could figure out where this command and control server was, then they could see all the sensitive stuff that was stolen
Starting point is 00:37:45 from the victims. So Michael, the researcher at Lookout, emailed the hosting provider where the server was being hosted from and informed them of this hacking going on and asked them to take the server down. But the hosting provider protected their users and instead of taking the site down, they forwarded the email to the hacker. The hacker read this and emailed Michael at Lookout denying the whole thing, saying that their software does not contain any malware, and asked why they thought it was malicious. So Michael emails the hacker back and said, hey, maybe you've gotten hacked and your domain has been infected, and we'd love to take a look at it and help you fix your security on your website. A bit cheeky, but okay, I get it.
Starting point is 00:38:26 But no response from the hacker. A couple of days later, when we're looking at one of the infection URLs that we had previously found, we find that the URL has been replaced with a web page that says, hi, Michael. Michael being the name of the researcher at Lookout that had emailed them. Oh, interesting. So the hacker knew that Michael was onto them, but the hacker kept hacking and didn't secure their site. It's like they didn't care if they were being watched. The other amazing thing that they have left open is they left open this page called Apache Stats, which shows you in real time the logs of the server.
Starting point is 00:39:14 It shows you in real time every URL that's being visited and the IP address that's visiting that URL. So we started logging all the URLs and logging all the IP addresses. And through that, we were able to get the IP addresses of the people visiting the admin URLs for the server. Oh, now this is getting good. Knowing the IP addresses of who's connecting as an admin to the server will possibly give them a sense of what region in the world these hackers are in. By this point, the EFF and lookout teams have gathered so much evidence and information from this hacking crew.
Starting point is 00:39:53 Here's a list of the stuff they gathered. 264,000 files. 486,000 SMS messages. 250,000 contacts. 150,000 call records. 92,000 browsing history URLs, 1,000 authentication accounts, username and password combinations, and 206,000 unique Wi-Fi SSIDs. Hackers had collected all this information from their victims, and the teams at EFF and Lookout scraped all this data from that website and analyzed it. And this is a massive amount of information to analyze. They had to build new tools to help categorize and organize the data.
Starting point is 00:40:36 And while looking at this data, some of it suggested that the phones may not have been infected through phishing, since there were no phishing text messages or emails. Instead, some people's phones appear to have been confiscated, like at a border crossing or an airport, because after that, the phone would then become infected, and the first text messages uploaded to the hacker's servers were things like, I just got my phone back. With all this information collected, the EFF and lookout teams decided to switch their attention to try to figure out who's behind this. So, well, so we start by looking at the IP addresses of the people that were logging into admin sections of the command and control servers. And looking at those IP addresses, they were all from Ogero Telecom, which is owned by the government of Lebanon. And geolocating those IP
Starting point is 00:41:26 addresses, they were specifically located in Beirut, in the museum district in this sort of, you know, downtown Beirut. We were a little bit stuck there, right? We were like, why would people in Lebanon be spying on, I mean, it makes sense why they'd be spying on Lebanese people. Why would people in Lebanon be spying on, heat map, which is like a spreadsheet to see if any infected phones had connected to the same SSIDs. When we graphed them out, we saw one big cluster of phones connecting to several different Wi-Fi access points, and then one little cluster where a few phones, a few different infected phones, had all connected to the same Wi-Fi access points.
Starting point is 00:42:32 We looked at those phones deeper, and we discovered that they were all the first infected phones that had uploaded to the server. They looked at the data that these first infected phones had sent to the command and control server, and it all seemed like dummy data. Like they were test text messages and test emails and testing the downloading of infected apps. So we looked at those test devices and they had all connected to this Wi-Fi called BLD3F6, which we took to mean possibly building three floor six. Okay, so the team has a Wi-Fi SSID, BLD3F6. We'd like to know where in the world this SSID is being broadcast.
Starting point is 00:43:16 And you know what? There is a way to figure that out. There's an Android app called WiGLE, W-I-G-L-E. And hundreds of thousands of people install it and then drive around your town, your neighborhood, your street, and map out every SSID that's being broadcast. And this data is then uploaded to WiGLE's website for everyone to see. So if you have an SSID
Starting point is 00:43:38 and want to know where it is in the world, you can cross-reference it with this website to find its location. We looked up the access point in Wiggle, and the access point is also in downtown Beirut, in the museum district, centered near this big orange building and the French cultural embassy and a museum and a college. Whoa, these clues are really stacking up now. We wanted to find out more. We wanted to find out more.
Starting point is 00:44:05 We wanted to find out exactly where this was. So we sent somebody to Beirut to actually put boots on the ground and use a wireless antenna and figure out exactly what building this Wi-Fi was coming from. Jeez. Wow. This is a
Starting point is 00:44:27 spy mission now. Yes. Yes. Suddenly this has turned into an international espionage mission. What that person found was that BLD3 F6 was coming from the Big Orange Building.
Starting point is 00:44:43 That Big Orange Building was in the museum district in downtown Beirut, Lebanon. Which, by the way, was the only building around with six or more floors. It is the headquarters of Lebanon's General Directorate of General Security. Whoa. The Lebanese General Directorate of General Security is one of Lebanon's intelligence agencies. Its job is to collect intelligence to ensure national security and public order. Exactly. So what we have now is a bunch of test devices that had only ever connected to this one Wi-Fi access point. And no other phones that were infected had connected to this access point.
Starting point is 00:45:31 This access point was in a building belonging to the General Directorate of General Security. GDGS is like Lebanon's FBI, CIA, and NSA and Border Patrol all rolled up into one. So while it's not a smoking gun, it strongly suggests that the Lebanese government is behind all of this hacking. If you remember earlier, I said that one of the pieces of malware used in this was written by a hacker named Prince Ali. Oh yeah, I do remember. Prince Ali wrote the Bandook malware you found earlier. I remember because Prince Ali is also the fake name Aladdin uses in the movie. Prince Ali is based in Lebanon. And we know that if you remember way back many years ago,
Starting point is 00:46:15 when the Hacking Team emails were leaked by Phineas Fisher. I'll have to cover Hacking Team more in another episode because it's a good story. But for now, just know there's a company calling themselves the Hacking Team, and they're hackers for hire, essentially. And they often work for high-profile clients like government agencies. And one day, someone hacked into Hacking Team
Starting point is 00:46:38 and exposed a lot of emails letting us know what goes on in that company. One of the people that shows up in those emails is Prince Ali, applying for a job at Hacking Team. Another thing that shows up in those emails is Lebanon trying to hire Hacking Team to do some hacking and Kazakhstan trying to hire Hacking Team to do some hacking. So if I'm putting these pieces together, Ali may have gotten a job at Hacking Team.
Starting point is 00:47:14 Well, this isn't really Hacking Team's MO. We think that Hacking Team rejected Prince Ali and he or somebody else that knows him has started their own full service hacking company. They will deploy the malware, they will run the servers, they will get the data, they will do the hacking, and they will write the reports for you. Wow. So the evidence is suggesting that the Kazakhstan and Lebanese governments both hired this same crew to do spying on behalf of the
Starting point is 00:47:51 government. And maybe Prince Ali is one of the members of this crew. And perhaps hiring contractors like this gives the government an easy out to deny their involvement, like hacking by proxy. It's crazy. Is there a name for someone who does this? I've been trying to popularize the term cyber mercenaries. I really want to sort of convey, you know, just how shady these companies are, right? And I feel like cyber mercenary kind of does that. I'm starting to think Prince Ali is the common thread to all this.
Starting point is 00:48:26 Figure out who he is and who he's working for and everything will unravel. What we know, you know, after this campaign is that somebody was hacking, doing hacking on behalf of both Lebanon and Kazakhstan. Some of that hacking took place directly out of the Lebanese GDGS offices. And one of the malware authors is Lebanese. And they also have a list of who the victims are and what kind of malware was used here. Those are the facts that we have. And, you know, sort of the picture that we've put together from that, this is a new company who has contacts with the GDGS, but also was able to figure out contacts with Kazakhstan and also has some other potentially crime campaigns going on or potentially other espionage campaigns going on in Vietnam
Starting point is 00:49:27 and has also victims in the US and in other parts of the world. And let's not forget that the leaked government official Kazakhstan emails show that the government of Kazakhstan was working with Arcanum, a hacker group for hire or a cyber mercenary group.
Starting point is 00:49:43 And they also tried hiring the hacking team to do work. So it's now known that Kazakhstan does do stuff like this. And perhaps Prince Ali got a contract with GDGS and demonstrated to them on the sixth floor how he can hack into their phones. And that's why they were the first targets. And then this malware has sort of a self-service feature to it. So clients can just go log in the command and control server and see what's been uploaded. That's why the logins all seem to be coming from
Starting point is 00:50:09 this orange building in downtown Beirut. At this point, the teams at EFF and Lookout feel like they've collected enough new information to publish not just a blog post, but a 49-page report outlining all of this. And they called that report Dark Caracal. Caracals are another cat. Specifically, the Caracal is native to Lebanon. And we called it Dark Caracal because this whole thing is such a mystery. It's all very dark and mysterious.
Starting point is 00:50:41 We don't know, really, in the end, we don't know who is behind this, right? We don't know really in the end, we don't know who is behind this, right? We don't know anything about this, you know, what we presume is a company that's selling, selling this service to all of these countries. We just know, you know, we see sort of the shadows of it, but we can't look directly at it. It's so much, it's, it just seems so like big and shadowy, like, oh yeah. Yeah. To try to, to try to put perspective on it. It's so much it's it just seems so like big and shadowy like oh yeah yeah to try to to try to put perspective on it it's so difficult because it's just so hidden right and you only get like uh you know a couple tent poles here and there that you see but you don't really get to see
Starting point is 00:51:17 what's under the tent. Exactly. It's, yeah, you know, there's so much more that I want to know. So, for example, you know, so Prince Ali wrote Bandook, right? And Bandook has a very specific signature in the way that it communicates with the command and control server. Okay. Right. It always uses plain text beginning with three at signs and then tildes to separate each field of data. Okay. And when we looked at the mobile malware, which we called Dark Caracal, and when we looked at, um, another brand new RAT that we found, uh, in researching Dark Caracal. And this looks very similar to jRAT, but it looks like somebody took a stab
Starting point is 00:52:08 at writing, you know, sort of writing from scratch their own version of J-Rat. So the interesting thing is that CrossRat, Bandook, and the Dark Caracal mobile malware all use the same scheme to communicate with the command and control servers.
Starting point is 00:52:27 Ooh, yeah, that's another big clue, I'd say. They all start with this at symbol, and then they all have their fields separated by a tilde and an exclamation mark, and they have very similar fields to each other. So it looks like the same person wrote all of this malware. And we know that Prince Ali wrote Bandook. This is like, you remember playing the game Clue? Oh yeah, absolutely.
Starting point is 00:52:51 It's like a real life game of Clue. So we released the report. We talked to a number of journalists. Specifically, we talked to some journalists at the Associated Press, who are some of the bravest journalists I know, because they actually went to the GDGS headquarters, confirmed that the BLD3F6 Wi-Fi access point was there at the headquarters and then knocked on the door of the headquarters and demanded that the GDGS respond to the allegations in this report. GDGS told them to go away, that they didn't have any comments, except that it was probably all fake. The next day, the
Starting point is 00:53:44 AP reporters went back and the BLD3F6 Wi-Fi had mysteriously disappeared. The AP reporters kept pushing GDGS to make a comment about this report, and the Director Major General of the General Directorate of General Security responded. Yeah, so basically the director of GDGS said, we didn't do any such thing as is implicated here in this report. And even if we had, it would have been all entirely legal and for the good of the country of Lebanon. And furthermore, this is clearly a CIA or Mossad plot to defame Lebanon. I've been accused of many things, but this is the first time I've been accused of being a CIA and Mossad shill. So the news of this dark caracole campaign was pretty important. This hit all the major news outlets and it was a big deal to discover. Yeah, so we gave a presentation about this at ShmooCon in Washington, D.C.
Starting point is 00:54:49 And they gave a presentation at the Kaspersky Summit in Mexico, where they had all four of the people from the team to give the presentation on stage there. The core team that researched this, the core four authors, were myself and Eva, and on the Lookout side, Mike Flossman and Andrew Blaich. So after seeing the success of this research from Cooper and Eva, this paved the way for EFF to create Threat Lab. There clearly is a need for more research to be done into the spyware that's targeting at-risk communities and activists.
Starting point is 00:55:19 And research like this helps us all become more aware of the threats that are lurking in the shadows of the internet. I don't think this dark caracal hacking crew is anywhere close to being done. I think this is the new world we face, where corrupt governments are treating activists and journalists and human rights lawyers as the enemy to the country. And it's becoming easier than ever for a country to just ramp up its digital spying capabilities by outsourcing the job to cyber mercenaries. And if this report blew the cover for this hacking crew, the government could just hire the next one in line and start over. Whatever is going on, it's just out of focus, just out of reach. We have this illusion that our computers and phones
Starting point is 00:56:02 are safe, but when a nation-state actor becomes your personal threat actor, your life is anything but safe. I think the internet and computers are the most magical and amazing things I've ever experienced. I'm deeply in love with it all. But stories like this remind me that the owls aren't what they appear to be. When you look down the long ethernet cable into the dark part of the net, the Darknet sometimes looks back. You've been listening to Darknet Diaries. Thanks so much to cooper for sharing this story with us
Starting point is 00:56:48 You can follow him on Twitter at @cooperq to see so many more interesting things that the Threat Lab is doing. Also big thanks to Eva Galperin, Andrew Blaich, and Michael Flossman for the research that went into this report. It's amazing, great stuff. Oh, and another thing that came out of this Threat Lab at EFF was that Eva Galperin has called for antivirus companies to flag stalkerware as malware. This is like commonly acquired software that's used to target domestic partners to spy on everything they're doing. And so far, Kaspersky and Lookout have agreed and are now flagging this as malware. So we have the EFF to thank for help mitigating stalkerware on phones.
Starting point is 00:57:23 The Threat Lab also has an investigative journalist, Dave Maass, who's looking into whether there's any unlawful spying going on in law enforcement. Clearly, the team in the EFF Threat Lab is doing amazing work at investigating and exposing various kinds of spyware, and their efforts are making us more aware and safer as a society. Their work is far-reaching and impactful. And let me emphasize, EFF is a non-profit digital rights organization. So if you think their work is valuable, consider becoming a member and donating to help their cause. Or you can help the EFF by simply giving some of your time.
Starting point is 00:57:53 Go to eff.org/darknetdiaries to learn more. Oh, and if you want to hear another story from the EFF, check out episode 12 of this podcast, where I go over their involvement in the crypto wars. This episode is created by me, the Cybertooth Tiger, Jack Rhysider, and editing this episode is done by the dark Damien. Theme music is by the shadowy Breakmaster Cylinder. See you in two weeks.