They call themselves Desert Falcons and are perhaps the first known Arab group of cyber criminals who have been targeting unsuspecting users in several countries in the region. Their victims cover military and government organisations and employees responsible for countering money laundering. Health and economy sectors have also come under attack in Egypt, Palestine, Israel and Jordan.
Kaspersky Lab, which detected the attacks, says Qatar, Saudi Arabia, UAE, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States and Russia are also specific targets. In the UAE, media and some government sectors have been penetrated, Khaleej Times can reveal. Kuwait is mostly safe with high security and a low infection rate.
More than 3,000 victims in over 50 countries have been hit, with over one million files stolen, say researchers. The group has been active since 2011 but attacks peaked in January this year.
“The value of information lost cannot be measured in money terms but in the amount of sensitive data that was stolen,” says Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team, when asked if there was a terror link to Daesh, the terrorist group that is in control of vast parts of Syria and Iraq.
The cyber security firm says it has strong reasons to believe the 30-member gang is of Arab origin. The Falcons deliver the malicious worm by spear phishing, through e-mails, social networks and chat messages.
The gang operated in batches and its members are from Egypt, Palestine and Turkey, he says.
“The individuals behind this threat are highly determined, active and with good technical, political and cultural insight. Using only phishing e-mails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data,” according to Dmitry.
The researcher says the group has the ability to develop more Trojans using advanced techniques. “With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks,” he says.
Phishing messages sent by the group contain dangerous files (or a link to malicious files) which show up as legitimate documents or applications, enticing users to click on them. One trick is to make malicious files (.exe, .scr) look like a harmless document or PDF file: a file ending with .fdp.scr would appear as .rcs.pdf.
Once in the system, they can take screenshots, log keystrokes, upload/download files and collect information about all Word and Excel files on a victim’s hard disk or connected USB devices. They can also steal passwords and make audio recordings.