'First-ever' Arab cyber group targets regional orgs
Known as Desert Falcons, the group has been able to attack more than 3,000 victims
Kaspersky Lab researchers have released details of what they say is "the first known Arabic group of cyber mercenaries to develop and run full-scale cyber-espionage operations".
Named the Desert Falcons, the group is estimated by researchers to comprise at least 30 people in three teams, spread across different countries, who operate the malware campaigns; the attackers behind the Desert Falcons are native Arabic speakers.
Dmitry Bestuzhev, security expert at Kaspersky Lab's global research and analysis team said: "The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data.
"We expect this operation to carry on developing more Trojans and using more advanced techniques. With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks," he added.
The campaign is believed to have been active for at least two years, and its targeted victims include: military and government organisations, particularly employees responsible for countering money laundering as well as health and the economy; leading media outlets; research and education institutions; energy and utilities providers; activists and political leaders; physical security companies; and other targets in possession of important geopolitical information.
The Desert Falcons, whose peak activity was registered at the beginning of 2015, have been able to attack more than 3,000 victims in over 50 countries globally, with over one million files stolen.
According to Kaspersky, the main method used by the Falcons to deliver the malicious payload is spear phishing via e-mails, social networking posts and chat messages.
Phishing messages contained malicious files or a link to malicious files masquerading as legitimate documents or applications.
After successfully infecting a victim, Desert Falcons would use one of two different backdoors: the main Desert Falcons Trojan or the DHS Backdoor, both of which appear to have been developed from scratch and are under continuous development.
The malicious tools used have full backdoor functionality, including the ability to take screenshots, log keystrokes, upload and download files, collect information about all Word and Excel files on a victim's hard disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger) and make audio recordings. Kaspersky Lab experts were also able to find traces of activity of a malware sample which appears to be an Android backdoor capable of stealing mobile call and SMS logs.