"Stealth Falcon" Threat Group Targets UAE Dissidents

An advanced persistent threat (APT) group believed to be linked to the government of the United Arab Emirates (UAE) has been observed targeting journalists, activists and dissidents.

A report published by the Citizen Lab research group shows that the threat actor, dubbed Stealth Falcon, has been around since at least 2012. In the operations analyzed by researchers, the attackers leveraged Twitter, spear phishing emails, a malicious URL shortening service, and spyware.

The UAE is known for its poor human rights record and there is evidence that the government launched malware attacks in the past against dissidents using products provided by the Italian spyware maker Hacking Team.

One of the Stealth Falcon attacks investigated by Citizen Lab was aimed at Rori Donaghy, a British journalist and founder of the Emirates Center for Human Rights. Donaghy was contacted in November 2015 via email by an entity called “The Right to Fight” with a proposal to participate in a human rights panel.

The journalist became suspicious and forwarded the email to Citizen Lab, but the researchers advised him to communicate with the attacker to see where it would lead. The first email sent to Donaghy contained a shortened link pointing to the website of Al Jazeera, while a second email contained a macro-enabled document designed to deliver a custom-built backdoor that gave attackers complete control over the infected computer.

The emails sent by Stealth Falcon informed the journalist that they added “macro enabled security” to protect the content of the attachment. An analysis of the spyware used to target Donaghy revealed a network of 67 active command and control (C&C) servers, which suggests that the spyware has been used in multiple attacks.

A detailed analysis of the URL shortening website, named aax.me, revealed that while the site appeared to be a public service, its operators could create links that allowed them to profile users’ systems, most likely in an effort to determine whether they had exploitable vulnerabilities. Aax.me not only checked for the presence of antivirus products, but also attempted to deanonymize Tor users via an outdated technique.

Researchers also identified aax.me links being sent out in an Instagram attack, and the service was leveraged to lure users to a fake file sharing website and various fake forums.

Further analysis of Donaghy’s email account revealed that the journalist had been previously contacted in 2013 by an individual who claimed to be a UK journalist named Andrew Dwight. Researchers discovered that a Twitter account associated with this persona had also reached out to three UAE dissidents. They also determined that Stealth Falcon had used the social media platform to contact two dozen Twitter profiles, including ones belonging to individuals who were arrested or convicted by the UAE government for their online activities.

Another clue that allowed researchers to link Stealth Falcon’s activities to the UAE government is a Twitter account that shared a link associated with the threat actor while it was under the government’s control.

While the evidence linking Stealth Falcon to the UAE government is circumstantial, Citizen Lab pointed out that there is nothing to suggest that the group’s attacks have a criminal or financial motivation. Furthermore, the attacker’s targets, resources and tactics are consistent with those of a state-sponsored actor.

“Stealth Falcon’s technical approach may not be cutting edge, but the operators are neither unsophisticated or ineffective. Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets,” Citizen Lab said in its report. “Stealth Falcon’s campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.