Desert Falcon Group Swooped on One Million Files

Kaspersky Lab has unearthed what it claims to be the first major group of sophisticated Arab cyber-criminals operating a full attack campaign – hitting thousands of tactical targets in the Middle East.

The so-called Desert Falcon group first formed in around 2011 and consists of at least 30 operatives split into three teams spread out across multiple countries.

They’ve managed to attack over 3000 victims in more than 50 countries worldwide, lifting more than one million files since operations properly began in 2013, the report claimed.

The range of targets pinpointed by the group apparently had “clear political, geographical and social distinctions between them,” although the campaign focused mainly on gathering political and military intelligence.

They included military and government bodies, media, activists, research institutions, energy firms and financial institutions, mainly in Egypt, Palestine, Israel and Jordan.

Kaspersky Lab said it came across the group while it was investigating another attack in the Middle East.

It was immediately struck by the sophistication of the group, which used a variety of different tools and techniques to infect, spy on and track its targets.

For example, they sent spear phishing emails with carefully labelled attachment names designed to socially engineer the recipient into opening them, and even created new social media accounts to run targeted attacks through Facebook chat.

Desert Falcon also created its own backdoor trojans to lift screenshots, keylogs, files, passwords, audio and other key information from victim PCs and Android mobile devices, Kaspersky Lab said.

However, despite its sophistication, the group didn’t exploit any zero-day flaws in its attacks, and managed to let slip some details of its operatives.

The report reveals:

“The identities of some of the cybercriminals were found when inspecting the contents of one of the C&Cs which had public read permissions open for a short period of time. We were able to track and identify the full profile of some of the attackers including Facebook and Twitter accounts, private blogs and websites. Surprisingly, the attackers have published on Twitter some information about their development of the spyware and the command servers.”

From this detail and the language used in the malware and phishing attacks, Kaspersky deduced the group was Arabic – operating mainly from Palestine, Egypt and Turkey.

“The victims of the attacks to date have been carefully chosen; they are active and influential in their respective cultures, but also attractive to the cybercriminals as a source of intelligence and a target for extortion,” the report claimed.

“Falcons’ threat actors are determined, active and have good technical knowledge. We expect their operations to carry on developing more Trojans and using more advanced techniques. With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”

The Desert Falcon revelations come just a day after the Russian AV firm revealed what it claimed could be the longest-running and most sophisticated cyber-attack group in history: Equation.

If nothing else, the reports should be a warning to CISOs to adopt a more proactive defense posture, including advanced detection and response tools as well as more traditional threat prevention products.

Kaspersky Lab principal security researcher David Emm told Infosecurity that staff awareness-raising and education are also vital.

“The Desert Falcons attacks make heavy use of social engineering – tricking people into loading malicious code. So it’s important that organizations in the region take account of this when developing their security strategy,” he added.

“Since the human factor is so important in this and other targeted attacks, organizations must find imaginative ways to ‘patch’ their human assets, to reduce the success rate of social engineering-based attacks.”