Lebanon’s operation ‘Dark Caracal’ and the Shia link
BEIRUT - In the spring of 2017, San Francisco-based security firm Lookout stumbled across a major hacking operation run from Lebanon. US researchers dubbed the operation “Dark Caracal” and it would emerge as one of the most prolific cyber-campaigns documented.
The data encompassed details on thousands of people in more than 20 countries and were tracked to a nondescript building in Sami el-Solh Street in central Beirut, the headquarters of General Security.
This is the most powerful of Lebanon’s myriad security organisations and has strong connections with Hezbollah, Iran’s most prized proxy force in the Middle East, and its highly effective security branches.
On January 18, Lookout and another US security outfit, the Electronic Frontier Foundation, publicly linked Dark Caracal to General Security. This was a stunning breakthrough because it showed that Lebanon’s Shias — which for all intents and purposes means Hezbollah and thus Iranian intelligence — were far more advanced in their offensive capabilities than anyone suspected.
In 2015, the Canadian security firm Citizen Lab reported that Lebanon’s internal security services, including General Security, had acquired a sophisticated German spyware system known as FinFisher.
This is sold exclusively to governments to wrest control of targeted computers and mine encrypted data and communications.
Cyber-specialists said “the mechanism used in Dark Caracal was simple. A custom-developed mobile surveillance-ware — dubbed ‘Pallas’ — was used to send phishing links leading to fake versions of popular services like Google and WhatsApp,” the Daily Star newspaper reported.
“The links were posted on Facebook groups, or sent from private accounts to fictitious, attractive Arab women.
“Once in the system,” the Beirut-based daily went on, “the targeted device would begin spying on its user, sending chat transcripts, pictures and other personal information back to the spymasters.
“Cameras and microphones could also be remotely activated to capture and send back real-time images and audio.”