Episode Show Notes



JACK: [MUSIC] One of my favorite adventurous activities I used to like doing when I was younger was exploring abandoned buildings. I’ve been in abandoned schools, banks, industrial plants, churches, hotels, mines, tunnels, and office buildings. It’s pretty dangerous but I liked it. This one time I was exploring an old hospital with a friend and as we were walking through it, we heard a noise in one of the rooms. We looked inside and there was a cat sitting there, slowly waving its tail back and forth, staring at us. Right in the middle of the room was an empty cat food bowl. The cat seemed to be living there and someone was feeding it. It was strange but we kept walking down the long corridor of this abandoned hospital. We heard a noise behind us. I quickly turned around and I swore I saw a door swing closed way at the end of the hallway. But it was so far away and it was so quick that maybe I didn’t see it.

A lot of the windows were broken in this building and the wind was blowing so I just stood there in the middle of the hall and I stared down it, frozen, looking to see if any of the doors would just swing open or closed by themselves but nothing. No movement. No sound. Did I see someone or was this my imagination? This creeped us out so we went back down the hallway to leave. When we got to the room where that cat was, we looked in it. The cat food bowl was now filled but the cat was nowhere to be found. A few other doors that were open are now closed. Without seeing anyone at all, we knew for sure someone was in this abandoned building with us. They probably saw us and were watching us. We got out of there pretty quick after that and drove home. Have you ever been in a situation like this though? Where you’re positive that something or someone was there watching you but you couldn’t quite figure it out?

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: We have a big story here and there’s a lot to cover so let’s just get right into it and meet our guest. What’s your name and what do you do?

COOPER: One second.

JACK: It’s not a hard question.

COOPER: [LAUGHTER] I got to think about which name I want to use. No, no, I actually needed a drink of water all of a sudden.

JACK: Oh, okay.

COOPER: I’m Cooper Quinton. I am a senior staff technologist on EFF’s Threat Lab.

JACK: Threat Lab? There’s a Threat Lab at EFF?

COOPER: Yeah. Electronic Frontier Foundation has a new project called Threat Lab. Our mission is to research and help stop targeted threats against at-risk populations. This is like lawyers, human rights lawyers, activists, journalists around the world that are being targeted with malware or other digital surveillance techniques.

JACK: Let’s back up here for a minute. The EFF is the Electronic Frontier Foundation. It’s a non-profit organization and it has a goal of protecting our civil liberties online. We have them to thank for standing up for us when our digital rights are being threatened. It’s a great group of people, full of [00:05:00] lawyers and activists and researchers, and Cooper here is working with them in their Threat Lab. But the Threat Lab is actually a brand-new thing within the EFF and there’s an interesting story about how all that came to be and it all starts with Operation Manul?

COOPER: Yes, Operation Manul.

JACK: What’s a manul?

COOPER: It’s named after the manul cat, or Pallas cat which is native to the steps of Kazakhstan.

JACK: Okay, so there’s a cat on the steps of Kazakhstan.

COOPER: It’s a really expressive amazing cat and I highly recommend looking up pictures of the manul.

JACK: This is great. There’s like, exotic creatures and places in this story already. I love it. Go on.

COOPER: Operation Manul started when the EFF was representing a woman named Irina Petrushova who is the Editor in Chief of Independent Newspaper which is formally out of Kazakhstan called Respublika. Respublika had been Kazakhstan’s only source of independent journalism.

JACK: Right. Here’s the first person of our story, Irina Petrushova. Not only is she a reporter for Respublika but she’s also the founder of this independent news source in Kazakhstan. Specifically, she was writing stories and doing reporting on the corruption that goes on within the government of Kazakhstan. There were a series of financial scandals that she wrote about and the president often hires family and friends to fill certain roles even though there are people much more qualified and willing to fill those roles. You should know a little about the President of Kazakhstan. This is the first President of Kazakhstan ever. He came to power in 1990 and he stayed there until he retired this year. Yeah, there were ‘elections’ but they didn’t appear to be free or fair at all. Some even go so far as to say Kazakhstan is an authoritarian regime. When Irina published articles exposing the corruption of this authoritarian regime, somebody really didn’t like this and wanted to do everything they could to keep Irina quiet.

COOPER: [MUSIC] Okay, so first they kill her dog and leave the head of the dog at the front door of the building where they published Respublika from.

JACK: Jeez.

COOPER: Then they leave a human skull in front of her office building with a note pinned to it saying, “There will be no next time.” Then they followed that up with fire-bombing her office. The office burned to the ground and that’s when she finally left Kazakhstan.

JACK: She fled the country and moved to Russia. She thought maybe the government of Kazakhstan was behind these personal threats but she didn’t stick around to find out. She was scared for her life. But she continued to write for Respublika and publish articles about the government of Kazakhstan and one day a big story showed up.

COOPER: This giant dump of e-mails appeared online on a website called Kazaword. [MUSIC] These were e-mails leaked from Kazakhstan’s government from Kazakhstan’s president.

JACK: When this giant dump of e-mails showed up on another website, Irina published stories about it. The Kazakhstan government was very upset again with Irina and decided to try to silence her.

COOPER: The government of Kazakhstan sued Respublika and Irina Petrushova in New York district court, claiming that they were responsible for this Kazaword dump of documents and tried to get their – Respublika’s reporting on this dump of documents taken down from the internet.

JACK: The case gets under way in New York. Irina needed some help with this.

COOPER: At this time Irina contacted us for legal help and we started representing her in court because this would obviously be a violation of the First Amendment.

JACK: Yeah, it is a violation. Journalists are allowed to publish documents that are factual in nature. This judge looked favorably on Irina and the EFF and said Respublika does not need to take down the articles about the leaked e-mails which was a victory for Irina and the EFF, and perhaps historically the EFF would have stopped there and that would have been the end of the case. But the EFF has a new interest in malware that is associated to things like this now.

COOPER: At that same time, she and her brother who is also an editor started receiving spear phishing e-mails which were designed to look like they were coming from other activists in Kazakhstan and human rights lawyers working with Kazak people. The spear phishing e-mails contained attachments that looked like Word docs or PDFs but which were, in fact, malware.

JACK: One of the things the EFF does is educate people on the dangers of being a journalist that might be a target for hackers.

COOPER: Yes, exactly. We had given her some security training and when she got these e-mails, she thought they were a little bit suspicious. She sent them to us. [00:10:00] We started looking at them quickly, figured out that the attachments were malware, and then started taking apart the malware to figure out what might be the source of this.

JACK: This team from EFF started investigating these Word docs and PDF docs. They found that when you open these attachments it will go download a piece of malware called jRat.

COOPER: You imbed an exploit in a PDF or a Word doc that the person opens and then that exploit goes and downloads and installs jRat. Then once jRat is running it can do a lot of different things. It can turn on your camera, it can capture your screen, it can record audio ambiently in the room, it can go through your files on your computer and create files or delete files or download files. You can spawn a shell to remotely run commands on the computer, and a bunch more stuff. The neat thing about jRat is that it works on Windows, Linux, and Mac computers.

JACK: The Rat part of this jRat malware stands for Remote Access Trojan which means when a user gets infected with jRat the hacker can then remote control that computer, allowing them to download stuff or interact with that computer. At the time you could buy this piece of malware at jrat.io for about forty dollars in Bitcoin. This wasn’t a sophisticated or expensive piece of malware at all. But a few more e-mails came in with more attachments and a second piece of malware which also was discovered called Bandook.

COOPER: Specifically, Bandook was developed by a guy who goes by the name Prince Ali.

JACK: We’ll learn more about Prince Ali later but Bandook did a lot of the same things that jRat did. Now, as Cooper and the team at EFF discovered this, they knew they were dealing with something more serious.

COOPER: [MUSIC] The first reaction is like wow; we really have something here. This isn’t just crimeware. This isn’t somebody trying to steal her credit cards. This is actually somebody trying to undertake digital espionage, right, this is somebody actually trying to spy on her.

JACK: See, there are a few types of hackers out there; there’s the common crimeware hackers which usually are a spray-and-pray kind of hacking. They’ll just scan the whole internet looking for vulnerabilities or they’ll send out thousands of phishing e-mails. But then there are the targeted hackers. These people have a specific objective on a target. Because these phishing e-mails were crafted just for Irina personally, and the malware wasn’t like a Bitcoin miner or ransomware or anything, then this likely means somebody was actively trying to spy on her. It’s scary and dangerous to be the target of a hacker like this.

COOPER: We inform her and she informs her friends and her family and her staff. They start sending us more suspicious e-mails. We get a bunch and we get a bunch that all contain jRat or the other malware called Bandook.

JACK: Her brother started getting phishing e-mails, her family, other people at Respublika, and she was getting more e-mails too. This was getting more serious now.

COOPER: [MUSIC] We started looking into the malware and we find the command and control servers. These are the servers that the malware actually talks to. These are the servers that the malware sends any files that it gets back to. Basically, these are the servers that let the person running the malware tell the malware what to do.

JACK: With malware like this, there’s often an intermediary computer that files are staged on, uploaded to, and connections are made. That’s what this command and control server is. When you open a PDF, your computer will then download the malware from that server and when you get infected, your computer will upload data to that server. You need the server in order for the malware to be successful. The team at EFF discovered eight different domain names used by this malware and two different command and control servers. Each of them were hosted by companies notorious for hosting possibly illegal content and protecting its users. Yeah, again, this doesn’t seem like your typical crimeware.

COOPER: We figured that at least the people who were going after Respublika and after Irina Petrushova were likely doing this on behalf of the government of Kazakhstan. The government of Kazakhstan is clearly after her. They’re clearly very upset with her for posting negative things about the government.

JACK: But see, it’s hard to tell for sure. There just isn’t any smoking gun. It’s kind of like a puzzle where most of the pieces are all together and you can pretty much tell what the puzzle’s going to look like but you still need that final few pieces to really know for sure. Okay, remember those e-mails [00:15:00] that got leaked which were the official Kazakhstan government e-mails? One of them stood out to Cooper.

COOPER: One of the things we learned from the dump of e-mails is that the President of Kazakhstan had taken out a contract with a private intelligence company called Arcanum Global Intelligence to perform what they called a surveillance data extraction and full spectrum cyber-operation mission to surveil Kazakhstan’s only opposition politician whose name is Ablyazov. His last name is Ablyazov.

JACK: We just got started. We haven’t even got to the good stuff yet and already I’m just blown away by the magnitude this whole thing is.

COOPER: Oh, it’s crazy. This is the deepest rabbit hole I’ve ever been down.

JACK: Okay, so there’s sort of a smoking gun that says Kazakhstan has historically hired independent hacking teams to spy on the enemy.

COOPER: The interesting thing and sort of the thesis that I want to get at is that it’s not that Kazakhstan has any cyber-skill. I hate using that word but let’s go with it.

JACK: Okay.

COOPER: It’s not that they have any – I’m sure there are many fine hackers in Kazakhstan, right, but the government does not have a cyber-war unit. They don’t have what is it, Israel’s…

JACK: 8200? Mossad?

COOPER: Yeah, 8200, exactly. But what they have is companies that do have this capability that are more than happy to sell it to any nation state that will pay.

JACK: These for-hire hacking teams really fascinate me and that’s something I’m gonna have to dig into for a future episode because there are a lot of groups like this which will carry out hacks or spying or doing signals intelligence for clients.

COOPER: Because we know this is something that – digital surveillance, digital extraction missions, is the term they use, we know that that is something Kazakhstan is interested in. All of that spear phishing e-mails seem to demonstrate a pretty good knowledge of Kazakhstan; of politics in Kazakhstan and what might entice Kazak activists to click through and open e-mails. The majority of the targets that we found were either embroiled in legal disputes with the government of Kazakhstan or are the family members or associates of people involved in those disputes. We feel like we have a pretty good link to Kazakhstan although no – it’s all circumstantial evidence.

JACK: They also discovered some malware activity on mobile phones. What they found were…

COOPER: Files that looked like they were uploaded from mobiles phones which led us to believe that there was probably a mobile component to this campaign, although we never actually found, at the time of publishing, we never found the mobile malware.

JACK: Eva Galperin was also a big part of this research. You might know her from Twitter as @evacide. Cooper and Eva put this data together and put it in a report called Operation Manul. Again, manul being a native cat to Kazakhstan, and they just like cats so why not? The report was published and they gave a presentation at Black Hat, a big security conference in Las Vegas.

HOST: Our talk today is presented by Cooper Quinton and Eva Galperin. [APPLAUSE]

EVA: Hi there. Welcome to When Governments Attack, also known as I Got A Letter from the Government the Other Day Because I Couldn’t Resist A Public Enemy Reference. We’re gonna be talking a little bit about…

JACK: People were a little freaked out with this report, concerned about how easy it is for Kazakhstan to ramp up a cyber-espionage program by outsourcing it. People wondered how far does this spying go? At the end of the Black Hat talk, Eva said…

EVA: I’m fairly certain that Cooper and I are less good at this than many of the people who are in this room right now. I beg you to go look at our report and see the many loose ends that we have left, the many areas in which more research is needed. It would not be that difficult for people with more skills than us and more resources than us to be helpful.

JACK: [MUSIC] This call for help worked. A few new people saw this report and looked into it and found some things that they could help with. When we come back, we’ll hear what they found.

COOPER: Unbeknownst to us, two researchers at Lookout, the mobile security company, took an interest in this report. Specifically, they took an interest in the part of the report that said we believe that there are [00:20:00] mobile components to this based on exfiltrated mobile files that we found but we weren’t able to find the samples. Lookout, being a mobile security company, has a big database of mobile malware and of the samples and of the domains that they’ve seen, the malicious domains that they’ve seen. Mike and Andrew, the researchers at Lookout, start coming through their database and after a little while they find some malware which is talking to the same domains that we had discovered in the Operation Manul report. [MUSIC] At this point they reach out to us and they say hey, we have this interesting mobile malware. We would love for you guys to take a look at it. We think that it’s related to Operation Manul.

JACK: The team at Lookout called this mobile malware Pallas, P-A-L-L-A-S, which is the other name for the manul cat. They decided to get together and come to an agreement.

COOPER: Our arrangement was okay, they will look into the mobile malware. We will sort of consult with them and think, write a blog post together, and think about what this might mean geopolitically.

JACK: The team at EFF and the team at Lookout, they team up and they find a couple of new things related to this whole campaign.

COOPER: We were about to publish a small blog post saying hey, we found some more mobile malware related to Operation Manul. Here it is and that’s all, folks. When I remembered that several months ago when I was researching Operation Manul, we had found all the uploaded files from the malware, from people’s infected computers on the command and control servers.

JACK: When Cooper was investigating Operation Manul, he watched how the malware behaved and he noticed that it does things like take screenshots, and then uploads that to the command and control server. It puts them in a specific directory. Well, it just so happens that that directory was visible to anyone on the internet.

COOPER: In other words, the data was in a location on the file system that you could visit with a web browser without authentication or anything, without even an index file that would hide the file names. One of the servers was example.com and you would go to example.com/forwardlettercampaignid/pictures and you would see the list of every picture that had been uploaded by that infection.

JACK: Whoa, this is a big deal. Cooper had the ability to view and download all the data that this hacking crew had stolen from its victims. This is what Cooper used to build his report on but forgot to mention it to the Lookout team until just now.

COOPER: I went to Lookout. They said oh hey, do you think that it might be useful to look at some of this exfiltrated data? Their jaws dropped and they were like are you kidding me? Yes! Why didn’t you say this months ago? Yes, Jesus, give us the URLs. This was like, two days before we were gonna publish this little blog post, right. I showed them the data. We started looking at the data and we were like oh wait, there’s actually something much bigger going on here. This looks like a totally new target.

JACK: It was a target that wasn’t Kazakhstan-related, is that what you’re saying?

COOPER: Exactly. It was a target that wasn’t Kazakhstan-related. We start downloading all the data that we could find and we end up with several gigabytes’ worth of data. It’s pretty similar data from what we got before; audio recordings, video recordings, files, but we also found SMS messages, call records, WhatsApp, Telegram, and Skype databases, and WiFi details.

JACK: This data provides the Lookout team a lot more information to investigate but not only that. There appears to be more victims since the report was published. The teams decided not to publish a blog post because the investigation just got a lot more interesting.

COOPER: Exactly. That’s exactly what happened. This is way bigger than what you’re looking at. We start looking into this new data and we quickly discover that most of the infections are infections of people in Lebanon [MUSIC] or on the border of Lebanon and Syria. Looking through it, it appears to be mostly Lebanese civilians. There’s also some military people in there, there’s some activists in there, just a really wide swath of Lebanese society.

JACK: Okay. [00:25:00] When you see okay, Lebanon; this is getting bigger. What is going through your mind now?

COOPER: Yeah, so now it’s a real mystery because previously we had assumed that this was the work of a company working on behalf of Kazakhstan, right? But why would the government of Kazakhstan be spying on Lebanese civilians?

JACK: What’s the relation between Kazakhstan and Lebanon?

COOPER: There’s not much of a relationship, actually. Or vice versa, if this is the Lebanese why would they be spying on Kazak citizens?

JACK: Hm. This is kind of blowing the theory now that the hackers behind this might be from the Kazakhstan government. All of a sudden, the motives and signals just don’t add up. The teams keep analyzing the data, poring through gigs of photos and text messages and e-mails and keystrokes and WiFi hotspot data and more. Everything this malware would upload to the server the team would then download and take a look at it. Then they found another victim; a Vietnamese cigarette importer and this confused them even more. Around this time Lookout positively identifies the mobile malware being used in this hacking campaign.

COOPER: The malware itself is pretty standard spyware stuff.

JACK: Typical spyware mobile malware will enable the microphone, copy text messages, e-mails, turn the camera on, read your private messages, that sort of thing.

COOPER: But what’s interesting about it is that it is masquerading as encrypted messaging applications. The malware is disguised as copies of WhatsApp, Signal, Telegram, Tor, and Threema. The attackers have actually set up a website called secureandroid.info that has the back door to Trojanized copies of all of these apps.

JACK: Doing a little bit more investigation, the teams figured out how this whole thing went down. [MUSIC] The hackers would send an e-mail or a text to an Android phone user saying hey, we need to talk but let’s do it in a secure way. Download WhatsApp from this URL and then we can have a secure chat. The link to download the app would be to the hacker’s version of WhatsApp.

COOPER: The really interesting thing is these were all, in addition to being spyware, working versions of the app still. When you downloaded this fake version of WhatsApp or this fake version of Signal you would be able to use it like the real version of WhatsApp or of Signal but it would also be spying on you in the background, decrypting your encrypted messages, and sending them to the command and control server.

JACK: The teams at Lookout and EFF kept seeing more and more data being uploaded to the command and control servers which gave them so much more stuff to go through. They were seeing many more than six domain names that were being run by this hacker crew.

COOPER: We found over twenty domains that were connected with this campaign. The domains were things like adobeair.net, tweetsfb.com, of course secureandroid.info which is hilarious to this day because all it had was insecure android. Arablivenews.com, and the one I mentioned before, axroute.com, skypeupdate.com, and a bunch more.

JACK: Each of these sites had a different purpose in this attack. For instance, secureandroid.info was where e-mails would point the victim to download the malicious program and tweetsfb.com had exact replicas of the Twitter and Facebook login pages which were probably used to trick users to enter their username and password in order to steal their logins. Some of these other domains were used to upload the stolen data to. The whole time, tons more victims are being hit with this which means tons more data is being uploaded to these servers, data which Cooper and the team can see.

COOPER: We find just a massive amount of data. We found 81 gigabytes of data just on adobeair.net.

JACK: Oh my gosh. It’s all adding up in my head now. You have behind the scenes access to all the files these hackers are stealing and it’s tons of data and it’s very sensitive, private stuff. Are you downloading it all and looking at it?

COOPER: Yeah, and I’ll tell you Jack, it’s heavy stuff to look at because you have to look through all this data to figure out who the victims are, who the threat actors are. You’re really looking through people’s very [00:30:00] personal data. You start looking through the pictures uploaded from people’s phones and you see pictures of people’s kids and pictures from war zones. You have to find ways to look through all these things to try to figure out what’s going on here and try to figure out are these victims related to each other in some way? Why are they being spied on? It’s awful. You feel like a terrible human being and you have to stop.

JACK: The team combs through the data photo by photo, text by text and they would piece together the puzzle. They would figure out how the victim got infected by looking for suspicious text messages of people asking them to download an app. They’d try to find info on this victim like where they are in the world and what their job was, and why they might be the target for this kind of spyware attack.

COOPER: Exactly. At some point what we did was just started to write a script that would take the IP addresses of all the victims and map them out in the world.

JACK: [MUSIC] Using GeoIP Lookup tools you can see what city that IP comes from in the world. The map they made displayed victims being all over the world, not just Kazakhstan and Lebanon but so many more countries.

COOPER: In this map we’ve got victims in Lebanon, Kazakhstan, the United States, China, France, Germany, India, Italy, Jordan, Nepal, the Netherlands, Pakistan, the Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, Venezuela, and Vietnam.

JACK: Holy cow.

COOPER: All over the world.

JACK: How many countries is that?

COOPER: We found victims in a total of twenty-one countries all over the world.

JACK: Okay. At this point it’s a global threat. What are you thinking at this point?

COOPER: At this point we’re thinking wow, whoever this is, they have a really large operation going on here. It’s starting to seem less and less likely that this is the work of any one government directly. What one government would have an interest in spying on so many different people in so many different countries, yet have such low-tech hacking tools and techniques?

JACK: Good point, yeah.

COOPER: Such bad operational security, right. You can think of several governments that might have interest in spying all over the world; Russia, China, the US, Israel. But they all have fantastic hackers working for them. They wouldn’t be caught dead with such an amateurish operation.

JACK: Trying to figure out who’s behind this attack is hard. But there’s one method you could use to try to figure it out and it’s called the Diamond Model. Picture a shape of a diamond in your head. It has four points, right? Well, each point represents one piece of the puzzle. Who did it, how did they do it, who did they do it to, and what tools did they use to do it? In this case we don’t know who did it but we do know the rest. How they did it was using the malware that was found. Who they did it to, well, there’s a list of victims around the world, and what they used was twenty different domains and a couple command and control servers. This is sort of like algebra and you want to solve for who’s doing the hacking. We know three of the parts of the puzzle and just knowing that helps us narrow this down a lot.

Since the victims were all dissidents, activists, lawyers, and journalists, and the point of the malware was simply to spy on these people, we know it’s probably not a profit-driven hack. You rule out common criminals. Then you can start assuming this is a nation state actor carrying out these attacks because who else would want to spy on activists and journalists exposing corrupt governments? But because the malware and tools are not that sophisticated and they didn’t secure their command and control servers very well, it doesn’t seem like a very good group of hackers which kind of rules out the more advanced nation state actors. This is the sort of path that you go down when you try to figure out who’s behind something like this. This is called attribution. [MUSIC] I mean at some point, is it hard to sleep at night while you’re researching this? Digging into the back door of a threat actor’s server and then seeing the size of this, you can’t just lay down and go to bed like a baby.

COOPER: Oh, no. No, this definitely took up all of my brain space, all of my time, all of my thinking power for several months while I was working on it. There was really nothing else. Yeah, sleeping [00:35:00] and thinking about who might come for us once we published this report was [inaudible].

JACK: As the team at Lookout was putting this report together, they realized a problem. This whole hacking campaign was still active and live and if they published this report it might mean that other people could figure out where this command and control server was and then they could see all the sensitive stuff that was stolen from the victims. Michael, the researcher at Lookout, e-mailed the hosting provider where the server was being hosted from and informed them of this hacking going on and asked them to take the server down. But the hosting provider protected their users and instead of taking the site down, they forwarded the e-mail to the hacker. The hacker read this and e-mailed Michael at Lookout denying the whole thing, saying that their software does not contain any malware and asked why they thought it was malicious. Michael e-mails the hacker back.

COOPER: And said hey, maybe you’ve gotten hacked and your domain has been infected. We’d love to take a look at it and help you fix your security on your website.

JACK: A bit cheeky but okay, I get it. But no response from the hacker.

COOPER: A couple of days later when we’re looking at one of the infection URLs that we had previously found, we find that the URL has been replaced with a web page that says, “Hi Michael.” Michael being the name of the researcher at Lookout that had e-mailed them.

JACK: Oh, interesting. The hacker knew that Michael was onto them but the hacker kept hacking and didn’t secure their site. It’s like they didn’t care if they were being watched.

COOPER: The other amazing thing that they had left open is they left open this page called Apache Stats which shows you in real-time the logs of the server. It shows you in real-time every URL that’s being visited and the IP address that’s visiting that URL. We started logging all the URLs and logging all the IP addresses and through that we were able to get the IP addresses of the people visiting the admin URLs for the server.

JACK: [MUSIC] Now this is getting good. Knowing the IP addresses of who’s connecting as an admin to the server will possibly give them a sense of what region in the world these hackers are in. By this point the EFF and Lookout teams have gathered so much evidence and information from this hacking crew. Here’s a list of the stuff they gathered.

COOPER: 264,000 files, 486,000 SMS messages, 250,000 contacts, 150,000 call records, 92,000 browsing history URLs, 1,000 authentication accounts; username and password combinations, and 206,000 unique WiFi SSIDs.

JACK: Hackers had collected all this information from their victims and the teams at EFF and Lookout scraped all this data from that website and analyzed it. This is a massive amount of information to analyze. They had to build new tools to help categorize and organize the data. While looking at this data, some of it suggested that the phones may not have been infected through phishing since there were no phishing text messages or e-mails. Instead some people’s phones appear to have been confiscated like at a border crossing or an airport because after that, the phone would then become infected and the first text messages uploaded to the hacker’s servers were things like ‘I just got my phone back.’ With all this information collected, the EFF and Lookout teams decided to switch their attention to try to figure out who’s behind this.

COOPER: We start by looking at the IP addresses of the people that were logging into the admin sections of the command and control servers. Looking at those IP addresses, they were all from Ogero Telecom which is owned by the government of Lebanon. Geolocating those IP addresses, they were specifically located in Beirut in the museum district in the sort of downtown Beirut. We were a little bit stuck there. We were like, why would people in Lebanon be spying on – I mean, it makes sense why they’d be spying on Lebanese people. Why would they also be spying on Kazak people? Why would they also be spying on Vietnamese people and all of these other campaigns?

JACK: So many questions at this point but they’re so deep into this, they wanted to solve this mystery. They looked for more clues. One of the things this malware does is track what WiFi networks the phone has connected to. One of the guys from Lookout decides to lay out all the WiFi SSIDs on a heat map which is like a spreadsheet to see if any infected phones had connected to the same SSIDs.

COOPER: When we graphed them out, we [00:40:00] saw one big cluster of phones connecting to several different WiFi access points. Then one little cluster where a few phones, a few different infected phones, had all connected to the same WiFi access points. [MUSIC] We looked at those phones deeper and we discovered that they were all the first infected phones that had uploaded to the server.

JACK: They looked at the data that these first infected phones had sent to the command and control server and it all seemed like dummy data, like they were test text messages and test e-mails, and testing the downloading of infected apps.

COOPER: We looked at those test devices and they had all connected to this WiFi called BLD3F6 which we took to mean possibly Building 3, Floor 6.

JACK: Okay, so the team has a WiFi SSID, BLD3F6, and would like to know where in the world this SSID is being broadcast. You know what? There is a way to figure that out. There’s an Android app called Wigle, W-I-G-L-E, and hundreds of thousands of people install it and then drive around your town, your neighborhood, your street, and map out every SSID that’s being broadcast. This data is then uploaded to Wigle’s website for everyone to see. If you have an SSID and want to know where it is in the world, you can cross-reference it with this website to find its location.

COOPER: We looked up the access point in Wigle and the access point is also in downtown Beirut in the museum district, [MUSIC] centered near this big orange building and the French cultural embassy, and a museum, and a college.

JACK: Whoa, these clues are really stacking up now.

COOPER: We wanted to find out more. We wanted to find out exactly where this was. We sent somebody to Beirut to actually put boots on the ground and use a wireless antenna and figure out exactly what building this WiFi was coming from.

JACK: [MUSIC] Jeez, wow. This is a spy mission now.

COOPER: Yes. Yes, suddenly this has turned into a international espionage mission. What that person found was that BLD3F6 was coming from the big orange building.

JACK: That big orange building was in the museum district in downtown Beirut, Lebanon.

COOPER: Which by the way was the only building around with six or more floors. It’s the headquarters of Lebanon’s General Directorate of General Security.

JACK: Whoa. The Lebanese General Directorate of General Security is one of Lebanon’s intelligence agencies. Its job is to collect intelligence to ensure national security and public order.

COOPER: Exactly. What we have now is a bunch of test devices that had only ever connected to this one WiFi access point and no other phones that were infected had connected to this access point. This access point was in a building belonging to the General Directorate of General Security. GDGS is like Lebanon’s FBI, CIA, and NSA, and border patrol all rolled up into one.

JACK: While it’s not a smoking gun, it strongly suggests that the Lebanese government is behind all of this hacking.

COOPER: If you remember earlier, I said that one of the pieces of malware used in this was written by a hacker named Prince Ali.

JACK: Oh yeah, I do remember. Prince Ali wrote the Bandook malware you found earlier. I remember because Prince Ali is also the fake name Aladdin uses in the movie.

COOPER: Prince Ali is based in Lebanon and we know that, if you remember way back many years ago, when the hacking team e-mails were leaked by Phineas Phisher…

JACK: I’ll have to cover Hacking Team more in another episode because it’s a good story. But for now, just know there’s a company calling themselves the Hacking Team and they’re hackers for hire, essentially. They often work for high-profile clients like government agencies and one day someone hacked into Hacking Team and exposed a lot of e-mails, letting us know what goes on in that company.

COOPER: One of the people that shows up in those e-mails is Prince Ali applying for a job at Hacking Team.
[MUSIC] Another thing that shows up in those e-mails is Lebanon trying to hire Hacking Team to do some hacking, and Kazakhstan trying to hire Hacking Team to do some hacking.

JACK: Huh. If I’m putting these pieces together, Ali may have gotten a job at Hacking Team.

COOPER: Well, this isn’t really Hacking Team’s MO.

JACK: Yeah.

COOPER: We think that Hacking [00:45:00] Team rejected Prince Ali and he or somebody else that knows him has started their own full-service hacking company. They will deploy the malware, they will run the servers, they will get the data, they will do the hacking, and they will write the reports for you.

JACK: Wow. The evidence is suggesting that the Kazakhstan and Lebanese governments both hired the same crew to do spying on behalf of the government. Maybe Prince Ali is one of the members of this crew. Perhaps hiring contractors like this gives the government an easy out to deny their involvement, like hacking by proxy. It’s crazy. Is there a name for someone who does this?

COOPER: I’ve been trying to popularize the term cyber-mercenaries. I really want to convey just how shady these companies are and I feel like cyber-mercenary kind of does that.

JACK: I’m starting to think Prince Ali is the common thread to all this. Figure out who he is and who he’s working for and everything will unravel.

COOPER: What we know after this campaign is that somebody was doing hacking on behalf of both Lebanon and Kazakhstan. Some of that hacking took place directly out of the Lebanese GDGS offices. One of the malware authors is Lebanese.

JACK: They also have a list of who the victims are and what kind of malware was used here.

COOPER: Those are the facts that we have. The picture that we’ve put together from that; this is a new company who has contacts with the GDGS but also was able to figure out contacts with Kazakhstan and also has some other potentially crime campaigns going on or potentially other espionage campaigns that’s going on Vietnam, and has also victims in the US and in other parts of the world.

JACK: Let’s not forget that the leaked government official Kazakhstan e-mails show that the government of Kazakhstan was working with Arcanum, a hacker group for hire, or a cyber-mercenary group, and they also tried hiring the hacking team to do work. It’s now known that Kazakhstan does do stuff like this and perhaps Prince Ali got a contract with GDGS and demonstrated to them on the sixth floor how he can hack into their phones and that’s why they were the first targets. Then this malware has sort of a self-service feature to it so clients can just go log into the command and control server and see what’s been uploaded. That’s why the logins all seem to be coming from this orange building in downtown Beirut. At this point the teams at EFF and Lookout feel like they’ve collected enough new information to publish not just a blog post but a forty-nine-page report outlining all of this. They called that report Dark Caracal.

COOPER: Caracals are another cat. Specifically, the caracal is native to Lebanon and we called it Dark Caracal because this whole thing is such a mystery. It’s all very dark and mysterious. We don’t know. Really, in the end, we don’t know who is behind this. We don’t know anything about this. What we presume is a company that’s selling this service to all of these countries, we just know – we see the shadows of it but we can’t look directly at it.

JACK: It just seems so big and shadowy.

COOPER: Oh, yeah. Yeah.

JACK: To try to put a perspective on it, it’s so difficult ‘cause it’s just so hidden and you only get a couple tent poles here and there that you see but you don’t really get to see what’s under the tent.

COOPER: Exactly, yeah. There’s so much more that I want to know. For example, Prince Ali wrote Bandook and Bandook has a very specific signature in the way that it communicates with the command and control server.

JACK: Okay.

COOPER: It always uses plain text beginning with three @ signs and then tildes to separate each field of data. When we looked at the mobile malware which we called Dark Caracal, and when we looked at another brand-new Rat that we found in researching Dark Caracal, this looks very similar to jRat but it looks like somebody took a stab at writing from scratch their own version of jRat. The interesting thing is that CrossRAT, Bandook, [00:50:00] and the Dark Caracal mobile malware all use the same scheme to communicate with the command and control servers.

JACK: Yeah. That’s another big clue, I’d say.

COOPER: They all start with this @ symbol and then they all have their fields separated by a tilde, an exclamation mark, and they have very similar fields to each other. It looks like the same person wrote all of this malware and we know that Prince Ali wrote Bandook.

JACK: This is like, do you remember playing the game Clue?

COOPER: Oh, yeah. Oh, absolutely. It’s like a real-life game of Clue. [MUSIC] We released the report. We talked to a number of journalists. Specifically we talked to some journalists at the Associated Press who are some of the bravest journalists I know because they actually went to the GDGS headquarters, confirmed that the BLD3F6 WiFi access point was there at the headquarters, and then knocked on the door of the headquarters and demanded that the GDGS respond to the allegations in this report. GDGS told them to go away, that they didn’t have any comments except that it was probably all fake. The next day the AP reporters went back and the BLD3F6 WiFi had mysteriously disappeared.

JACK: The AP reporters kept pushing GDGS to make a comment about this report. The Director Major General of the General Directorate of General Security responded.

COOPER: Basically, the Director of GDGS said we didn’t do any such thing as is implicated here in this report. Even if we had, it would have been all entirely legal and for the good of the country of Lebanon. Furthermore, this is clearly a CIA or Mossad plot to defame Lebanon. I’ve been accused of many things but this is the first time I’ve been accused of being a CIA and Mossad shill.

JACK: The news of this Dark Caracal campaign was pretty important. This hit all the major news outlets and it was a big deal to discover.

COOPER: Yeah, so we gave a presentation about this at ShmooCon in Washington, DC.

JACK: And they gave a presentation at the Kaspersky Summit in Mexico where they had all four of the people from the team to give the presentation on stage there.

COOPER: The core team that researched this, the core four authors, were myself and Eva. On the Lookout side, Mike Flossman and Andrew Blaich.

JACK: [MUSIC] After seeing the success of this research from Cooper and Eva, this paved the way for EFF to create Threat Lab. There clearly is a need for more research to be done into the spyware that’s targeting at-risk communities and activists. Research like this helps us all become more aware of the threats that are lurking in the shadows of the internet. I don’t think this Dark Caracal hacking crew is anywhere close to being done. I think this is the new world we face where corrupt governments are treating activists and journalists and human rights lawyers as the enemy to the country. It’s becoming easier than ever for a country to just ramp up its digital spying capabilities by outsourcing the job to cyber-mercenaries. If this report blew the cover for this hacking crew, the government could just hire the next one in line and start over. Whatever is going on, it’s just out of focus, just out of reach. We have this illusion that our computers and phones are safe but when a nation state actor becomes your personal threat actor, your life is anything but safe. I think the internet and computers are the most magical and amazing things I’ve ever experienced. I’m deeply in love with it all. Stories like this remind me that the owls aren’t what they appear to be. When you look down the long Ethernet cable into the dark part of the net, the darknet sometimes looks back.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. Thanks so much to Cooper for sharing this story with us. You can follow him on Twitter at Cooper Q to see so many more interesting things that the Threat Lab is doing. Also big thanks to Eva Galperin, Andrew Blaich, and Michael Flossman for the research that went into this report. It’s amazing, great stuff. Oh, and another thing that came out of this Threat Lab at EFF was that Eva Galperin has called for antivirus companies to flag stalkerware as malware. This is like, commonly acquired software that’s used to target domestic partners to spy on everything they’re doing. So far Kaspersky and Lookout [00:55:00] have agreed and are now flagging this as malware. We have the EFF to thank for help mitigating stalkerware on phones. The Threat Lab also has an investigative journalist, Dave Maass, who’s looking into whether there’s any unlawful spying going on in law enforcement.

Clearly the team in the EFF Threat Lab is doing amazing work at investigating and exposing various kinds of spyware and their efforts are making us more aware and safer as a society. Their work is far-reaching and impactful and let me emphasize EFF is a non-profit digital rights organization so if you think their work is valuable, consider becoming a member and donating to help their cause, or you can help the EFF by simply giving some of your time. Go to eff.org/darknetdiaries to learn more. Oh, and if you want to hear another story from the EFF, check out Episode 12 of this podcast where I go over their involvement in the Crypto Wars. This episode is created by me, the cyber-toothed tiger, Jack Rhysider and the editing in this episode is done by the dark Damienne. Theme music is by the shadowy Breakmaster Cylinder. See you in two weeks.



Transcription performed by LeahTranscribes