'Dark Caracal' operation blamed for the hacking of thousands of victims in 21 countries

A hacking operation that has been dubbed 'Dark Caracal' is responsible for stealing private data from thousands of individuals and businesses from more than 21 different countries starting in 2012, according to research by Lookout and Electronic Frontier Foundation (EFF) released last week.

A joint report from the organisations revealed that the spying operation has targeted a range of different platforms but focused on mobile devices, using Android malware called Pallas to steal hundreds of gigabytes of data.

In order to gain access to victims devices, the hackers used phishing techniques to install 'trojanised' versions of messaging apps such as WhatsApp and Signal. Once installed, the Android malware can be used to collect a range of sensitive information including call logs, photos, messages, audio recordings, location data and more.

The professions of victims duped by the operation are incredibly wide-ranging.

"Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets," the report explained.

What is Dark Caracal?

Dark Caracal is described in the report as having "nation-state level advanced persistent threat (APT) capabilities", but the researchers stop short of explicitly saying it's a state-sponsored operation. However, they do reveal they believe the operation to be run from a Lebanese government building in Beirut, more specifically the headquarters of the General Directorate of General Security.

It's this revelation, along with the the fact many of the operation's different spying campaigns were deemed "seemingly unrelated" by researchers, that suggests Dark Caracal might be a type of government spyware 'for hire', carrying out spying jobs on behalf of a variety of clients.

"We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors," a blog post on Lookout's website explains.

EFF and Lookout began investigating Dark Caracal after EFF released its Operation Manul report, which shed light on another spying operation aimed at "journalists, activists, lawyers, and dissidents" who had spoken out against President Nursultan Nazarbayev's regime in Kazakhstan. The researchers spotted that Dark Caracal uses the same "infrastructure" and software as Manul, despite not sharing any of the same targets, bolstering the case that the operation might now have extended to a kind of cybercrime service.