
🔑 Key Takeaways

  1. EFF's Threat Lab researches and works to stop targeted digital threats, such as malware, against journalists, lawyers, and human rights activists worldwide, as part of EFF's broader mission of protecting civil liberties online.
  2. Journalists face real danger when they expose corruption. Educating and equipping them with security measures is crucial to protecting press freedom and uncovering the truth.
  3. Targeted hacking has a specific objective, such as surveillance of an individual or organization, and relies on malware and command-and-control (C2) servers. The government surveillance of opposition politicians in Kazakhstan highlights the need for defensive measures.
  4. Kazakhstan's government outsources cyber-espionage to hired hacking teams for surveillance and phishing. A government can scale such a program simply by outsourcing more of it, which is why more research into these operations is needed.
  5. Protecting personal devices from malware matters because a compromised phone hands the attacker its messages, files, contacts and credentials.
  6. Attackers trick Android users into installing malware disguised as trusted apps, then spy on their messages and activity. Install apps only from verified sources to protect against this kind of attack.
  7. A large hacking campaign targeting individuals in 21 countries was attributed to a nation-state actor, but determining who is behind an attack and why is a complex process.
  8. The attackers collected vast amounts of personal information from victims' phones; for some victims, physical access during confiscation at airports or border crossings may explain the infection. Vigilance is necessary to protect personal data.
  9. WiGLE, a crowdsourced database of observed WiFi SSIDs, can place an access point on a map and so help trace where a campaign was run from. Such tracing can reveal government agencies or contractors working as cyber-mercenaries.
  10. Dark Caracal is a cyber-mercenary group that offers hacking services to governments using several families of malware. Its real identity is unknown, which makes it hard to trace and prosecute.
  11. The Dark Caracal campaign showed the danger of state-sponsored cyber-mercenaries and led to the Threat Lab investigating spyware aimed at vulnerable communities. The report exposed the reality of digital espionage and the need for antivirus companies to flag stalkerware as malware to counter domestic partner spying.

📝 Podcast Summary

EFF's Threat Lab Protecting At-Risk Digital Users

The Electronic Frontier Foundation (EFF) has a new project called Threat Lab, which researches and helps stop targeted threats against at-risk populations: lawyers, human rights defenders, activists, and journalists around the world who are targeted with malware or other digital surveillance techniques. The project grew out of EFF's representation of Irina Petrushova, Editor in Chief of Respublika, an independent newspaper formerly based in Kazakhstan. Respublika had been Kazakhstan's only source of independent journalism. Threat Lab is part of EFF's mission to protect civil liberties online.

Irina Petrushova's Fight Against Government and Hacker Threats to Expose Corruption

Irina Petrushova, a Kazakh journalist, was targeted by the government and by hackers for exposing corruption through her independent news outlet. Despite threats and attacks, she continued to write and publish. When the government sued her for publishing leaked documents, she contacted EFF for legal help, leading to a First Amendment victory. The threats did not stop there: she and her brother received spear phishing emails with malware attachments. EFF helped her identify the malware and trained her in security practices for journalists. The malware, jRat, could capture audio, video, and files from the infected computer. Her story shows the danger faced by journalists who uncover corruption and why their security matters.

Malware and Command and Control Servers Used in Targeted Hacking with a Motive

Targeted attackers pursue a specific objective against a chosen target, and remote access trojans like jRat and Bandook are the tools used to spy on individuals or organizations. Their command-and-control (C2) servers are often hosted by providers with a history of shielding illegal content, which keeps the infrastructure online. The government of Kazakhstan is suspected of using these tactics against people who post criticism of the government. Inferring the motive behind digital espionage with confidence is hard, but leaked e-mails show that the government hired private intelligence companies to surveil opposition politicians. This case highlights the growing need for defensive measures to protect individuals and organizations from targeted attacks.

Kazakhstan's history of outsourcing cyber-espionage

Kazakhstan has a history of hiring independent hacking teams for cyber-espionage. The government does not appear to have its own offensive capability, but companies sell the service. These for-hire teams conduct digital surveillance, data-extraction missions, and spear phishing for their clients. Most of the targets are embroiled in legal disputes with the government or are family members or associates of people who are. The concern is that Kazakhstan can ramp up its espionage program simply by outsourcing more of it. Researchers at Lookout, a mobile security company, later found mobile malware talking to the same domains identified in EFF's Operation Manul report. More research in this area is needed to counter the threat of cyber-espionage.

Mobile Malware Investigation Leads to the Discovery of a New Target in Lebanon and Syria

The investigation into mobile malware tied to Operation Manul uncovered a new set of targets in Lebanon and Syria. Data taken from infected devices belonging to Lebanese civilians, military personnel, and activists gave the Lookout team much more to work with. As the picture grew more complicated, the teams held back the blog post they had planned. Kazakhstan has little connection to Lebanon, so the earlier assumption that the Kazakh government was behind the hacking came into doubt: the operators could be of a different origin, and their motives remained unknown. It is crucial to protect personal devices against malware, because once a device is compromised the attacker can quickly capture personal information and sensitive data.

Mobile Malware Poses as Encrypted Messaging Apps to Spy on Users

The attackers disguised mobile malware as popular encrypted messaging applications, including WhatsApp, Signal, Telegram, Tor, and Threema, to spy on Android users. They set up a website hosting Trojanized copies of these apps with a backdoor added. Victims were lured with an email or text message along the lines of "Let's talk securely, download WhatsApp from this URL, and then we can have a secure chat." The fake app looked like the real one but spied on the user in the background, reading messages and sending them to the command-and-control server. Because a trojanized build is signed with the attacker's key rather than the vendor's, it must be sideloaded from outside the official store, which is why the lure pushes a direct download URL. Lookout and EFF analyzed the data, worked out the campaign's modus operandi, and mapped the IP addresses of victims worldwide.

Lookout researchers identify global hacking operation targeting dissidents and activists

The researchers at Lookout attributed this large hacking operation against dissidents, activists, lawyers and journalists to a nation-state actor, using the Diamond Model of intrusion analysis (adversary, infrastructure, capability, victim) to organize the tools and techniques seen in the attack. The unsophisticated malware indicates that this is not the work of an advanced nation-state team. However, the scale of the campaign, with victims in 21 countries, suggests that it is not any one government acting alone. The researchers also faced a dilemma in publishing their report, because the campaign was still active and live. Attribution is a puzzle of how the attack was carried out, by whom, with what, and against whom.

Researchers at Lookout uncover global phone spying operation

Researchers at Lookout uncovered the scale of a massive operation: the server held 264,000 files, 486,000 SMS messages, 250,000 contacts, 150,000 call records, 92,000 browsing-history URLs, 1,000 authentication credentials (username and password combinations), and 206,000 unique WiFi SSIDs. Cooper and Jack gathered evidence by logging every URL and IP address, because the attackers had left an Apache status page ("Apache Stats") open, which shows real-time information about requests to the server. From the data, they speculated that some victims' phones had been confiscated at airports or border crossings, giving the operators physical access. The victims were all over the world, but the IP addresses of people logging into the admin sections of the command-and-control servers traced to specific locations in Beirut. They also found that the first infected phones to upload to the server had all connected to the same WiFi network.

Using Wigle App to Trace Government-Sponsored Hacking

The team used WiGLE, a crowdsourced database of WiFi access points fed by an Android app that records the SSIDs broadcast around phones running it and uploads them to the project's website. With it they located an SSID called BLD3F6 to a building in downtown Beirut belonging to Lebanon's intelligence agency, the General Directorate of General Security. Several infected test devices had only ever connected to this one access point. An SSID lookup on its own is circumstantial (SSIDs are not unique, and a crowdsourced database can be stale), so the weight of the finding comes from the combination: the earliest devices on the server, a single shared network, and a geolocation consistent with the admin logins from Beirut. It is not a smoking gun, but it strongly suggests that the Lebanese government was behind the hacking. Cyber-mercenaries may work for governments either as government agencies or as contractors, as appears to be the case here.
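As an added illustration of the two pivots described in the last two sections (the C2 server's open status page revealing who reaches the admin area, and the earliest-uploading devices sharing one WiFi network), the script below runs both over constructed records. This is example code written for this summary, not code from EFF or Lookout; the record layout, device ids, SSIDs, addresses and timestamps are all assumptions, and the WiGLE geolocation step itself is not reproduced.

```python
# Added example for this summary, not code from EFF or Lookout: the two pivots
# described above (which early-uploading devices share one Wi-Fi network, and
# which client IPs reach the C2 admin pages) over constructed records. The record
# layout and every value below are assumptions; the WiGLE geolocation step is not
# reproduced.
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed per-device records: the time the device first uploaded to the C2
# server and the SSIDs found in its exfiltrated Wi-Fi history.
UPLOADS: List[Dict] = [
    {"device": "d01", "first_upload": "2017-01-03T09:12:00", "ssids": ["BLD3F6"]},
    {"device": "d02", "first_upload": "2017-01-03T09:40:00", "ssids": ["BLD3F6"]},
    {"device": "d03", "first_upload": "2017-01-04T11:05:00", "ssids": ["BLD3F6", "CafeWifi"]},
    {"device": "d04", "first_upload": "2017-02-10T18:30:00", "ssids": ["CafeWifi", "Airport_Free"]},
    {"device": "d05", "first_upload": "2017-02-11T07:15:00", "ssids": ["HomeNet", "Office5G"]},
]

# Constructed request log in the shape an open server-status page exposes:
# (client IP, method, request path). Addresses are from documentation ranges.
REQUESTS = [
    ("203.0.113.7", "GET", "/admin/login"),
    ("203.0.113.7", "POST", "/admin/login"),
    ("198.51.100.22", "POST", "/upload"),
    ("203.0.113.9", "GET", "/admin/devices"),
    ("198.51.100.31", "POST", "/upload"),
    ("203.0.113.7", "GET", "/admin/devices"),
]


def earliest_devices(uploads: List[Dict], n: int) -> List[str]:
    """Device ids of the n earliest first-uploads; an operator's own test
    devices are usually among these."""
    ordered = sorted(uploads, key=lambda r: datetime.fromisoformat(r["first_upload"]))
    return [r["device"] for r in ordered[:n]]


def shared_ssids(uploads: List[Dict], devices: List[str]) -> set:
    """SSIDs present in the Wi-Fi history of every one of the given devices."""
    histories = [set(r["ssids"]) for r in uploads if r["device"] in devices]
    return set.intersection(*histories) if histories else set()


def single_network_devices(uploads: List[Dict], ssid: str) -> List[str]:
    """Devices whose entire Wi-Fi history is the one SSID: the strongest form
    of the 'only ever connected to this access point' observation."""
    return [r["device"] for r in uploads if set(r["ssids"]) == {ssid}]


def ssid_spread(uploads: List[Dict], ssid: str) -> int:
    """How many devices overall saw the SSID. A network seen only by the early
    devices is far more telling than one seen by many victims."""
    return sum(1 for r in uploads if ssid in r["ssids"])


def admin_clients(requests, admin_prefix: str = "/admin/") -> Counter:
    """Requests per client IP that touch the admin area. These are the
    addresses worth geolocating; the /upload clients are the victims."""
    return Counter(ip for ip, _, path in requests if path.startswith(admin_prefix))


if __name__ == "__main__":
    first = earliest_devices(UPLOADS, 3)
    common = shared_ssids(UPLOADS, first)
    print("earliest devices:", first)
    print("SSIDs they all share:", common)
    for ssid in common:
        print(ssid, "exclusive devices:", single_network_devices(UPLOADS, ssid),
              "seen on", ssid_spread(UPLOADS, ssid), "of", len(UPLOADS), "devices")
    print("admin clients:", admin_clients(REQUESTS).most_common())
```

On the constructed data the three earliest devices share only BLD3F6, two of them have never seen any other network, and one address accounts for most of the admin traffic; those are the candidates for an SSID lookup and an IP geolocation respectively. The separation between admin clients and upload clients matters, since geolocating victims tells you nothing about the operator.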

Unveiling Dark Caracal: the Mysterious Cyber-Mercenary Group

Dark Caracal is a mysterious cyber-mercenary group that sells hacking services to different countries, including Lebanon and Kazakhstan. The group uses several malware families, including CrossRAT, Bandook, and its own Dark Caracal mobile malware, to get into targets' devices. All of them use a similar pattern of communication with their command-and-control servers, which is what tied the campaigns together. "Prince Ali" is one of the suspects and is known to have written the Bandook malware. EFF and Lookout released a report outlining Dark Caracal's activities and shedding some light on its dealings. The investigation shows that Dark Caracal has various criminal and espionage campaigns running in different countries. Who is ultimately behind Dark Caracal remains hard to pin down, which is why the case has been dubbed a real-life game of Clue.

Dark Caracal Campaign and the Creation of the EFF's Threat Lab

The Dark Caracal campaign exposed the threat of state-sponsored cyber-mercenaries targeting activists, journalists, and human rights lawyers. The research led EFF to create Threat Lab to investigate spyware aimed at at-risk communities. The report called for more awareness of threats lurking in the shadows of the internet, warning that corrupt governments will continue to outsource their spying to cyber-mercenaries. In this new world, citizens' personal devices can be compromised by nation-state actors and their lives put at risk. Threat Lab's work has exposed the reality of digital espionage and the need for antivirus companies to flag stalkerware as malware, to mitigate domestic partner spying on phones.