Lebanon’s internal intelligence agency appears to have been caught spying on thousands of people — including journalists and military personnel — in more than 20 countries, according to researchers at the Electronic Frontier Foundation and Lookout, a mobile security company.
The spy operation, revealed on Thursday, is among dozens around the world uncovered by human rights groups and technical organizations in recent years as governments and intelligence agencies have started relying more on mobile and desktop spyware than on traditional forms of cloak-and-dagger espionage.
The researchers found what they said was evidence that Lebanon’s intelligence agency — called General Directorate of General Security, or GDGS — spied on their targets’ Android mobile devices and desktop computers using various methods for more than six years. Their primary attack method, researchers said, was through a series of decoy Android apps designed to look like widely used private, secure messaging services such as WhatsApp and Signal.
Once downloaded, the apps allowed spies to steal nearly everything off their victims’ phones, including text messages with one-time passcodes for accessing email and other services, as well as contact lists, call logs, browsing history, audio recordings and photos. The apps also let the spies take photos using the phone’s front or back camera, and turned the device into a silent microphone to capture audio. The apps were not designed to target Apple iPhone users.
“One of the main takeaways from this investigation is that actors, like Dark Caracal, are shifting away from a pure desktop capability for espionage to now relying heavily on mobile tools to gather their intelligence,” said Michael Flossman, a security analyst at Lookout, referring to the name that he and other researchers coined for the Lebanese spies they said were most likely responsible for the espionage.
GDGS is Lebanon’s main internal intelligence agency, and its director, Maj. Gen. Abbas Ibrahim, a career army general, has a rising profile and a broadening portfolio. The agency oversees residency permits for foreigners, from diplomats and tens of thousands of Southeast Asian domestic workers to more than a million Syrian refugees. The agency’s expertise and clout has traditionally been seen as stemming from its human intelligence, not from high-tech espionage techniques.
Speaking ahead of the report’s publication, General Ibrahim told Reuters: “General Security does not have these type of capabilities. We wish we had these capabilities.” GDGS did not return a call for comment on Thursday.
Researchers at the Electronic Frontier Foundation and Lookout began collaborating to uncover what they believed was a likely nation state spy campaign in 2016. That year, the Electronic Frontier Foundation released a report documenting a spy campaign against journalists and activists who had been critical of the authorities in Kazakhstan. The campaign included technology used to spy on Android users. Lookout, which focuses on mobile device security, offered to help.
Together, researchers tracked the spying to command and control servers operated by the attackers. The researchers looked at who had registered the servers and when, as well as the dates of some of the stolen content. They deduced that the campaign had been going on for as long as six years.
The attackers were targeting journalists and activists, as well as government officials, military personnel, financial institutions, defense contractors and others in 21 countries. Those countries included the United States, China, Germany, India, Russia, Saudi Arabia, South Korea and inside Lebanon.
The researchers traced the attacks to a building in Beirut that houses Lebanon’s GDGS, using Wi-Fi networks and so-called internet protocol addresses assigned to attackers’ machines. While researchers said they could not be sure whether the attacks were the work of the GDGS or rogue employees, many of the attacks appeared tied to an email address — firstname.lastname@example.org — that had been linked to various online personas, including “Nancy Razzouk” and “Rami Jabbour.” All of the physical addresses listed with registrations made by that email account were clustered around the GDGS building in Beirut, according to the user’s wireless activity.
Emails sent to that email address were not returned.
As part of their work, researchers found evidence that Lebanese spies were directing victims to install the spy apps through WhatsApp messages that began innocuously with a “How are you?” Those then linked to the spy apps with additional messages like “You can download from here to communicate further.”
In other cases, the spies found their targets on Facebook, inviting them to Facebook groups, where they posted links to their decoy apps, which they often referred to by names like “WhatsApp plus.” The spies also directed victims to fake login sites for social media services like Twitter and Facebook to steal their credentials, hijack their accounts and push out trick messages to more people.
Researchers also found evidence that Lebanese officials had previously used FinFisher, a product manufactured by the British company Gamma International, which sells surveillance tools that let customers turn computers and phones into listening devices to monitor a target’s messages, calls and whereabouts. Increasingly, researchers discovered that the spies had built their own custom mobile spy tools that were less sophisticated than FinFisher but as effective in getting the intelligence they were after.
Martin J. Muench, the managing director of Gamma International, has told The New York Times that his company only sells surveillance tools to governments for criminal and terrorism investigations. The Times has covered several instances in which Mr. Muench’s tools have popped up on devices used by journalists and activists. Gamma Group did not respond to a request for comment on Thursday.
Researchers also uncovered evidence that Lebanese officials deployed several variants of malware to victims’ desktop machines; the malware was designed to work across several operating systems, including Microsoft Windows, Apple’s Mac and Linux. That malware could steal screenshots of victims’ computer screens, use the victim’s webcam to spy on their physical whereabouts, record sound, grab photos and any Skype activity, file listings and files, and even iPhone backups.
In the hours after researchers published their report on Thursday, the servers conducting the spying went dark.