Arab hackers known as Desert Falcons have stolen over 1 million files in 50 countries. It’s possible that this hacking group is government-backed. According to David Shamah, writing on the Times of Israel website, Desert Falcons “distinguish themselves from the Gaza porn-hacker group and other lesser cybercriminals by the highly advanced methods they use to attack high-security sites and in the amount of damage they have caused. According to the researchers, the group, which has been operating since 2011 but only recently got into the full swing of hacking, has stolen over a million files from some 3,000 victims in 50 countries. Those include countries throughout the Middle East and Europe, but their main focus has been Israel, the Palestinian Authority and Egypt, targeting military and government organizations — particularly employees responsible for countering money laundering — as well as leading media outlets, research and education institutions, energy and utilities providers, activists and political leaders, physical security companies, and other targets in possession of important geopolitical information.”
The researchers said they had identified several of the hackers, and while not revealing their identities, said they were mostly residents of the PA, Turkey, and Egypt. They have also been surprisingly open about their activities, using Twitter and other social media to brag about their exploits. They all appear to be native Arabic speakers, Kaspersky Lab said.
The level of sophistication and the sites they were targeting, the researchers said, indicated that they were being sponsored by someone – maybe a criminal organization, or maybe even a government.
According to the Wall Street Journal, “The smash-and-grab information attacks have been ongoing since the middle of 2013 and can be traced back to Gaza via network infrastructure in Germany, the report says. Trend Micro said the campaigns were part of an ongoing increase in what it labels “cyber militia activity” across the Arab world as non-state actors surreptitiously fight against organizations traditionally deemed enemies. Arid Viper targeted Israeli government offices, transport service and infrastructure providers, a military organization, and an academic institution in Israel, as well as Israeli individuals, the Trend Micro report said, without disclosing details. The campaign sent simple spear-phishing emails with attachments that included a pornographic movie and a file sporting the icon of Internet voice call service Skype. “Operation Arid Viper was unusual in that it had a pornographic component in hopes of taking user focus away from the infection,” Trend Micro said in the report. It targeted professionals who might be receiving inappropriate content at work and so would hesitate to report the incident, allowing the malware to do the business. The malware proceeded to steal documents from infected systems, according to the report. Trend Micro also unearthed another less-sophisticated campaign called Operation Advtravel, which was hosted on the same servers in Germany and was also linked to the Gaza Strip. It infected hundreds of personal laptops and appeared to be the work of beginners.”
Trend Micro believes there could exist a sophisticated umbrella hacker group that is supporting lesser-educated hackers to conduct attacks.
“There may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam,” the report concluded.
“The profiles of the targeted victims and the apparent political motives behind the attacks make it possible that Desert Falcons operations could be nation-state sponsored. At present, though, this cannot be confirmed,” the researchers said.
While the methods of entry were the familiar ones (spear phishing via e-mails, social networking posts and chat messages that carried malware, or links that dropped it onto the system when clicked), the hackers took advantage of the right-to-left rendering of Arabic and Hebrew script to deliver executables whose displayed names looked harmless. “This method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name,” said the researchers. “Using this technique, malicious files (.exe, .scr) will look like a harmless document or pdf file; and even careful users with good technical knowledge could be tricked into running these files. For example, a file ending with .fdp.scr would appear .rcs.pdf,” the researchers said. The raw file name still ends in .scr, so a mail filter or scanner that checks the actual string will see the executable extension; what the trick defeats is anyone, or any filter, that judges the file by the name as it is rendered on screen.
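The renaming trick the researchers describe can be checked for mechanically. The following Python script is an added example, not code from the article or from Kaspersky Lab: it simulates how a file manager renders a name containing a right-to-left override (U+202E), recovers the real extension from the raw string, and flags names where the two disagree or where the override hides an executable extension. The sample file names, including the .fdp.scr case from the quote, and the list of executable extensions are constructed for the example.

```python
import os

# Unicode bidirectional control characters. U+202E (RLO) is the one abused in
# the file-name trick; the others are stripped so none of them can hide anything.
RLO = "\u202E"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"   # POP DIRECTIONAL FORMATTING, ends an override
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", PDF: "PDF", "\u202D": "LRO", RLO: "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}

# Extensions Windows will execute; illustrative list, not exhaustive (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi", ".lnk", ".ps1", ".jar"}


def strip_bidi(text: str) -> str:
    """Remove every bidi control character, leaving the characters a program
    actually sees when it opens or scans the file."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a file manager displays: each RLO reverses the run that
    follows it up to the matching PDF (or the end of the string), and the
    control characters themselves take up no space on screen."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(strip_bidi(name[i + 1:end])[::-1])
            i = end + 1            # skip the PDF terminator as well
        elif ch in BIDI_CONTROLS:
            i += 1                 # invisible, contributes nothing
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """The extension the OS uses, taken from the raw string with controls removed."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def displayed_extension(name: str) -> str:
    """The extension a human reads off the rendered name."""
    return os.path.splitext(rendered_name(name))[1].lower()


def analyze(name: str) -> dict:
    """Classify one file name. It is suspicious when bidi controls are present
    and they either change the visible extension or precede an executable
    extension; a lone RLM in an Arabic or Hebrew name is not enough on its own."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real, shown = real_extension(name), displayed_extension(name)
    return {
        "raw": name,
        "displayed": rendered_name(name),
        "real_extension": real,
        "displayed_extension": shown,
        "bidi_controls": controls,
        "suspicious": bool(controls) and (real != shown or real in EXECUTABLE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed sample names: two RLO lures, one genuine PDF, and one Arabic
    # name that legitimately carries a right-to-left mark.
    SAMPLES = [
        "Annual_report" + RLO + "fdp.scr",          # renders as Annual_reportrcs.pdf
        "holiday_photo" + RLO + "gpj.exe" + PDF,    # renders as holiday_photoexe.jpg
        "Annual_report.pdf",
        "\u062a\u0642\u0631\u064a\u0631\u200F.pdf",
    ]
    for sample in SAMPLES:
        r = analyze(sample)
        print(f"{r['displayed']!r:32} real={r['real_extension']:5} "
              f"shown={r['displayed_extension']:5} suspicious={r['suspicious']}")
```

The rendering model is deliberately simple (one override run per RLO, terminated by PDF or end of string), which is exactly the shape the lure uses; a gateway rule can stay simpler still and just reject attachments whose raw name contains any of the override characters in front of an executable extension, while letting ordinary right-to-left marks in Arabic or Hebrew names through.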
In addition, the hackers wrote their own original malware tools – unlike the vast majority of “script kiddie” hackers, who use off-the-shelf tools – again indicating a high level of sophistication. The malware was able to take screenshots, log keystrokes, upload and download files, collect information about all Word and Excel files on a victim’s hard disk or connected USB devices, steal passwords stored in the system registry and make audio recordings. Kaspersky Lab experts also found traces of malware that appears to be an Android backdoor capable of stealing mobile call and SMS logs. Using these tools, the researchers said, the Desert Falcons launched and managed at least three different malicious campaigns, each targeting a different set of victims in different countries. Who they really are, and especially who they are working for, may never truly be known – it’s possible that the identity information culled by the researchers may be completely fake, after all. Regardless, the hackers are a formidable group and represent a major advance in cyber insecurity for Israel and the other countries targeted, said Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team. “The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. Using only phishing e-mails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data.
“We expect this operation to carry on developing more Trojans and using more advanced techniques,” Bestuzhev added. “With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”