Cyber-espionage group `Desert Falcons` stole over 1 million files from 50 countries
A cyber-espionage group based in the Middle East has attacked more than 3,000 victims in about 50 countries across the globe, including India, and has stolen over one million files in the process. Desert Falcons, a cyber-espionage group targeting multiple high-profile organizations and individuals in Middle Eastern countries, is believed to be the first known Arabic group of cyber mercenaries to develop and run full-scale cyber-espionage operations. It was discovered by Kaspersky Lab's Global Research and Analysis Team.
Experts have multiple reasons to believe that the attackers behind Desert Falcons are native Arabic speakers, and that at least 30 people, in three teams spread across different countries, were operating the Desert Falcons malware campaigns. The group started developing its operation in 2011, with real infections beginning in 2013. The peak of its activity was registered at the beginning of 2015.
The attackers target Windows PCs and Android-based devices with their own custom malware, delivered by spear phishing via e-mail, social networking posts and chat messages. The phishing messages carry malicious files (or links to malicious files) masquerading as legitimate documents or applications. The group is believed to use several techniques to entice victims into running these files. One of the most distinctive is the so-called right-to-left extension override trick: a Unicode right-to-left override character is embedded in the filename so that the displayed name appears to end in a harmless extension (such as .pdf), while the actual extension, which the operating system uses to choose the program that opens the file, is an executable one (such as .exe).
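To make the trick concrete, the following Python script is an added example, not code from the Kaspersky report or from the Desert Falcons toolset. It builds a disguised filename the way an attacker would, shows what a bidi-aware renderer would display versus the extension the operating system actually uses, and then runs a simple checker over a constructed list of attachment names to flag the disguised ones. The filenames are made up for illustration, and the renderer is a deliberate simplification that only models the U+202E override (real bidi layout is considerably more involved).

```python
import os
import unicodedata

# Unicode bidirectional control characters. They are invisible when rendered,
# but U+202E (RLO) in particular reverses the display order of everything that
# follows it, up to a U+202C (PDF) or the end of the string.
RLO = "\u202e"
PDF = "\u202c"
BIDI_CONTROLS = {
    "\u202a", "\u202b", PDF, "\u202d", RLO,      # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",      # isolates
    "\u200e", "\u200f", "\u061c",                # marks
}

# Extensions Windows treats as directly executable. Illustrative subset only.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def disguise_with_rlo(prefix: str, shown_ext: str, real_ext: str) -> str:
    """Build an attacker-style filename.

    Everything after the RLO is stored reversed, so that when the renderer
    flips it back the user sees '<prefix><real_ext>.<shown_ext>'. The OS,
    which never reorders anything, still sees the name ending in real_ext.
    """
    return f"{prefix}{RLO}{shown_ext[::-1]}.{real_ext}"


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file browser displays for `name`.

    Simplified model: an RLO reverses the run up to the next PDF (or the end),
    and all other bidi controls are simply invisible.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1          # skip past the PDF (or off the end)
        elif ch in BIDI_CONTROLS:
            i += 1               # invisible, drop it
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name: str) -> dict:
    """Report what the user sees, what the OS uses, and whether they disagree."""
    controls = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in name if c in BIDI_CONTROLS})
    real_ext = os.path.splitext(name)[1].lower()
    apparent_ext = os.path.splitext(rendered_name(name))[1].lower()
    return {
        "stored_name": name,
        "displayed_name": rendered_name(name),
        "bidi_controls": controls,
        "real_extension": real_ext,
        "apparent_extension": apparent_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        # Any bidi control in a filename is a red flag on its own; a mismatch
        # between the displayed and the real extension is the actual trick.
        "suspicious": bool(controls) or apparent_ext != real_ext,
    }


def flag_attachments(names: list[str]) -> list[str]:
    """Return the stored names of every attachment the checker considers suspicious."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not real Desert Falcons artefacts.
    attachments = [
        "quarterly_report.pdf",
        disguise_with_rlo("meeting_notes_", "pdf", "exe"),
        disguise_with_rlo("photo_", "jpg", "scr"),
        "budget.xlsx",
    ]
    for n in attachments:
        r = inspect_filename(n)
        print(f"displayed={r['displayed_name']!r:28} real_ext={r['real_extension']:5} "
              f"suspicious={r['suspicious']} controls={r['bidi_controls']}")
```

In practice the same check belongs at the mail gateway or in an EDR rule: reject or quarantine any attachment whose name contains a bidi control character, regardless of what it appears to be called, and treat the raw bytes of the extension, never the rendered string, as the truth.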
The malicious tools used have full backdoor functionality, including the ability to take screenshots, log keystrokes, upload and download files, collect information about all Word and Excel files on a victim's hard disk or connected USB devices, steal passwords stored in the system registry (for Internet Explorer and Windows Live Messenger) and make audio recordings. Experts have also found traces of an Android backdoor capable of stealing call and SMS logs.
Using these tools, Desert Falcons have launched and managed at least three different malicious campaigns, each targeting a different set of victims in different countries.
Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team said, “The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. We expect this operation to carry on developing more Trojans and using more advanced techniques. With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”
The list of targeted victims includes military and government organizations, particularly employees responsible for countering money laundering, and for health and the economy; leading media outlets; research and education institutions; energy and utilities providers; activists and political leaders; physical security companies; and other targets in possession of important geopolitical information.
The main focus of Desert Falcons' activity appears to be Egypt, Palestine, Israel and Jordan. Multiple victims were also found in Qatar, KSA, UAE, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.