Cancun, Mexico — Researchers from Kaspersky Lab have uncovered the first ever Arabic language advanced persistent threat (APT) group. Dubbed Desert Falcons, the group of thirty or so attackers — some of whom are known by name — operates out of Palestine, Egypt and Turkey and is said to have developed and deployed their wares exclusively in the Middle East. It is impossible to determine whether Desert Falcons is state sponsored.
Their arsenal consists of homemade malware tools, social engineering and other techniques designed to execute and conceal campaigns on traditional and mobile operating systems. Particularly, Desert Falcons’ malware is intended to steal sensitive information from its victims, which is then used to fuel further operations and even for extortion attempts against impacted targets.
— KasperskyUK (@kasperskyuk) February 19, 2015
The victims, according to Kaspersky Lab’s Global Research and Analysis Team, are targeted for secrets in their possession or intelligence information relating to their positions in governments or important organizations.
“More than 1 million files were stolen from victims,” the anti-malware company said. “Stolen files include diplomatic communications from embassies, military plans and documents, financial documents, VIP and Media contact lists and files.”
Desert Falcons’ attacks have claimed some 3000 victims in more than 50 countries. Most of those are located within Palestine, Egypt, Israel and Jordan, but there have also been discoveries in Saudi Arabia, the U.A.E., the U.S., South Korea, Morocco, and Qatar among other places.
Desert #FalconsAPT revealed by @Kaspersky Lab at #TheSAS2015 is the first exclusively middle eastern #APT:Tweet
The victims include military and government organizations, employees responsible for health organizations and combating money laundering, economic and financial institutions, leading media entities, research and educational institutions, energy and utilities providers, activists and political leaders, physical security companies, and other targets that have access to important geopolitical information.
Tools used in the Desert Falcons attack include backdoors into traditional computers through which the attackers install malware capable of logging keystrokes, taking screenshots and even remotely recording audio. There is also a mobile component for Android with the capacity to spy in SMS text and call logs.
Interestingly, researchers presenting on Desert Falcons at Kaspersky Lab’s Security Analyst Summit said these are among the first to use Facebook chats in targeted attacks, connecting with targets via common Facebook pages until gaining their trust and sending them Trojan files via a chat hidden as a photo.
The group began building its tools as early as 2011 and achieved its first infections in 2013, but it wasn’t until the end of 2014 and the beginning of 2015 that Desert Falcons’ activity really began to spike. It seems that the group is more active now than it has been at any point in the past.
Kaspersky Lab says its products detect and block all variants of the malware used in this campaign.