
“Stealth Falcon” Threat Group Targets UAE Dissidents

An advanced persistent threat (APT) group believed to be linked to the government of the United Arab Emirates (UAE) has been observed targeting journalists, activists and dissidents.

A report published by the Citizen Lab research group shows that the threat actor, dubbed Stealth Falcon, has been around since at least 2012. In the operations analyzed by researchers, the attackers leveraged Twitter, spear phishing emails, a malicious URL shortening service, and spyware.

The UAE is known for its poor human rights record and there is evidence that the government launched malware attacks in the past against dissidents using products provided by the Italian spyware maker Hacking Team.

One of the Stealth Falcon attacks investigated by Citizen Lab was aimed at Rori Donaghy, a British journalist and founder of the Emirates Center for Human Rights. Donaghy was contacted in November 2015 via email by an entity called “The Right to Fight” with a proposal to participate in a human rights panel.

The journalist became suspicious and forwarded the email to Citizen Lab, but the researchers advised him to communicate with the attacker to see where it would lead. The first email sent to Donaghy contained a shortened link pointing to the website of Al Jazeera, while a second email contained a macro-enabled document designed to deliver a custom-built backdoor that gave attackers complete control over the infected computer.

The emails sent by Stealth Falcon informed the journalist that they added “macro enabled security” to protect the content of the attachment. An analysis of the spyware used to target Donaghy revealed a network of 67 active command and control (C&C) servers, which suggests that the spyware has been used in multiple attacks.
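The lure described above is a macro-enabled document, dressed up with the claim that "macro enabled security" protects the attachment. A mail gateway or triage script should decide whether an Office attachment carries macros by inspecting its contents, not by trusting the extension or the sender's explanation. The following check is an added example, not code from the Citizen Lab report or from SecurityWeek: it opens an OOXML (Office 2007+) package as a zip, looks for a `vbaProject.bin` part and for the VBA content type in `[Content_Types].xml`, and reports non-zip input separately. The two sample packages it builds are constructed in memory for offline testing and are not real documents.

```python
import io
import re
import zipfile

# An OOXML package only contains these when VBA code is embedded.
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators an Office attachment carries.

    Returns a dict with three flags:
      is_ooxml         - the bytes are a zip containing [Content_Types].xml
      vba_part         - a vbaProject.bin part is present anywhere in the package
      vba_content_type - [Content_Types].xml declares the VBA project content type
    Legacy binary formats (.doc/.xls) and corrupt files are not zips and come back
    with all flags False, so the caller can route them to other tooling.
    """
    result = {"is_ooxml": False, "vba_part": False, "vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_part"] = any(VBA_PART_RE.search(n) for n in names)
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator fires; a single hit is enough to quarantine."""
    ind = macro_indicators(data)
    return ind["vba_part"] or ind["vba_content_type"]


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like package in memory (constructed test input, not a real file)."""
    buf = io.BytesIO()
    main_ct = (
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
        + (".macroEnabled" if with_vba else "")
        + ".main+xml"
    )
    ctypes = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>',
    ]
    if with_vba:
        ctypes.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    ctypes.append("</Types>")
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ctypes))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stub OLE compound-file header; a real vbaProject.bin is an OLE container.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)),
                        ("plain", build_sample(False)),
                        ("not-a-zip", b"not an office file")):
        print(f"{label:14s} has_macros={has_macros(blob)} {macro_indicators(blob)}")
```

Because the check reads the package rather than the filename, a `.docm` renamed to `.docx`, or a zip whose `vbaProject.bin` sits under an unusual folder, still trips it. In production this sits in front of, not instead of, a full OLE/VBA parser that extracts and inspects the macro code itself.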

A detailed analysis of the URL shortening website, named aax.me, revealed that while the site appeared to be a public service, its operators could create links that profiled the systems of users who clicked them, most likely to determine whether those systems were running exploitable software. Aax.me not only checked for the presence of antivirus products, but also attempted to deanonymize Tor users using an outdated technique.

Researchers also identified aax.me links being sent out in an Instagram attack, and the service was also leveraged to lure users to a fake file sharing website and various fake forums.


Further analysis of Donaghy’s email account revealed that the journalist had been previously contacted in 2013 by an individual who claimed to be a UK journalist named Andrew Dwight. Researchers discovered that a Twitter account associated with this persona had also reached out to three UAE dissidents. They also determined that Stealth Falcon had used the social media platform to contact two dozen Twitter profiles, including ones belonging to individuals who were arrested or convicted by the UAE government for their online activities.

Another clue that allowed researchers to link Stealth Falcon’s activities to the UAE government is a Twitter account that shared a link associated with the threat actor while it was under the government’s control.

While the evidence linking Stealth Falcon to the UAE government is circumstantial, Citizen Lab pointed out that there is nothing to suggest that the group’s attacks have a criminal or financial motivation. Furthermore, the attacker’s targets, resources and tactics are consistent with those of a state-sponsored actor.

“Stealth Falcon’s technical approach may not be cutting edge, but the operators are neither unsophisticated or ineffective. Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets,” Citizen Lab said in its report. “Stealth Falcon’s campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign.”

Related Reading: Arabic Threat Group Attacking Thousands of Victims Globally

Related Reading: Arabic Threat Group Targets IT, Incident Response Teams

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
