Researchers: Hacking campaign linked to Lebanese spy agency

Lebanon’s internal intelligence agency appears to have been caught spying on thousands of people — including journalists and military personnel — in more than 20 countries, according to researchers at the Electronic Frontier Foundation and Lookout, a mobile security company.

The spy operation, revealed on Thursday, is among dozens around the world uncovered by human rights groups and technical organizations in recent years as governments and intelligence agencies have started relying more on mobile and desktop spyware than on traditional forms of cloak-and-dagger espionage.

The researchers found what they said was evidence that Lebanon’s intelligence agency (the General Directorate of General Security, or GDGS) spied on its targets’ Android mobile devices and desktop computers using various methods for more than six years. Its primary attack method, researchers said, was a series of decoy Android apps designed to look like widely used private, secure messaging services such as WhatsApp and Signal.


Once downloaded, the apps allowed spies to steal nearly everything off their victims’ phones, including text messages with one-time pass codes for accessing e-mail and other services, as well as contact lists, call logs, browsing history, audio recordings and photos. The apps also let the spies take photos using the phone’s front or back camera, and turned the device into a silent microphone to capture audio.

The apps were not designed to target Apple iPhone users.

“One of the main takeaways from this investigation is that actors, like Dark Caracal, are shifting away from a pure desktop capability for espionage to now relying heavily on mobile tools to gather their intelligence,” said Michael Flossman, a security analyst at Lookout, referring to the name that he and other researchers coined for the Lebanese spies they said were most likely responsible for the espionage.

GDGS is Lebanon’s main internal intelligence agency, and its director, Major General Abbas Ibrahim, a career army general, has a rising profile and a broadening portfolio. The agency oversees residency permits for foreigners, from diplomats and tens of thousands of Southeast Asian domestic workers to more than 1 million Syrian refugees.

The agency’s expertise and clout have traditionally been seen as stemming from its human intelligence, not from high-tech espionage techniques.


Speaking ahead of the report’s publication, Ibrahim told Reuters: “General Security does not have these type of capabilities. We wish we had these capabilities.” GDGS did not return a call for comment on Thursday.

Researchers at the Electronic Frontier Foundation and Lookout began collaborating to uncover what they believed was a likely nation-state spy campaign in 2016. That year, the Electronic Frontier Foundation released a report documenting a spy campaign against journalists and activists who had been critical of the authorities in Kazakhstan. The campaign included technology used to spy on Android users. Lookout, which focuses on mobile device security, offered to help.

Together, researchers tracked the spying to command and control servers operated by the attackers. The researchers looked at who had registered the servers and when, as well as the dates of some of the stolen content. They deduced that the campaign had been going on for as long as six years.

The attackers were targeting journalists, activists, government officials, military personnel, financial institutions, defense contractors, and others in 21 countries. Those countries included the United States, China, Germany, India, Russia, Saudi Arabia, South Korea, and Lebanon itself.