By: wfarighi
March 23, 2018
Dark Caracal and the "Bulkanization" of Malicious Tools

"People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos... This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Now, security and IT professionals are well aware of the existence of APTs and of the malware/spyware campaigns they have conducted and/or been linked to. However, Lebanon is not a common APT actor. Looking at Mandiant FireEye's APT groups, as an example, we can see the common APTs being located in the "normal" nation-states (i.e. China, Russia, North Korea, etc.).

The introduction of Lebanon as a potential APT actor may seem puzzling, but it is not surprising if we adopt my proposed concept that malicious tools are transforming into products/services, just as security defense tools have. As an arbitrary example, rootkits and toolkits are now accessible to lower-tier threats (i.e. script kiddies), who with a few configuration changes can produce a threat level that rivals that of APTs. This does not undermine the severity of the threat presented by the common APTs; rather, it sheds light on the rise and prevalence of actors that may not have had these capabilities before. Just as small firms and organizations can access security products/services that wrap their attack surfaces in a blanket, so to speak, malicious tools that are being spread globally are giving threat actors a blanket of capability when it comes to malicious actions (since when has Lebanon been a geographic source of an APT campaign?).

We've seen examples of cyber warfare/cyber attacks that were copied and altered to another individual's specifications (this is helpful for reverse engineers, who identify traces of previously known attacks when analyzing new ones), but this transformation process demands a revisit of how organizations and individuals identify threats, reduce their attack surface, and try to stay "one step ahead." Maybe this presents an opportunity to leverage Artificial Intelligence and Machine Learning to foster an understanding of the movement and use of these malicious tools and threat actors?

Regardless of the response method, security professionals should also be aware that campaigns like Dark Caracal show that threat actors can take the shape and form of anyone. Threats are just around the corner. It may be difficult to share this "risk averse" sentiment with organizations that are focused on achieving business objectives, but it's our job to put our foot down, raise flags, and respond where we can. Dark Caracal gathered large amounts of data from mobile devices, and mobile security is not always a sought-after objective for organizations. Mike Murray, VP of Security Intelligence at Lookout Security, and Dave Bittner (producer and host of the CyberWire podcast) elaborate on this during a podcast aired on March 10, 2018.