GDGS is Lebanon’s main internal intelligence agency, and its director, Maj. Gen. Abbas Ibrahim, a career army general, has a rising profile and a broadening portfolio. The agency oversees residency permits for foreigners, from diplomats and tens of thousands of Southeast Asian domestic workers to more than a million Syrian refugees. The agency’s expertise and clout has traditionally been seen as stemming from its human intelligence, not from high-tech espionage techniques.
Speaking ahead of the report’s publication, General Ibrahim told Reuters: “General Security does not have these type of capabilities. We wish we had these capabilities.” GDGS did not return a call for comment on Thursday.
Researchers at the Electronic Frontier Foundation and Lookout began collaborating to uncover what they believed was a likely nation state spy campaign in 2016. That year, the Electronic Frontier Foundation released a report documenting a spy campaign against journalists and activists who had been critical of the authorities in Kazakhstan. The campaign included technology used to spy on Android users. Lookout, which focuses on mobile device security, offered to help.
Together, researchers tracked the spying to command and control servers operated by the attackers. The researchers looked at who had registered the servers and when, as well as the dates of some of the stolen content. They deduced that the campaign had been going on for as long as six years.
The attackers were targeting journalists and activists, as well as government officials, military personnel, financial institutions, defense contractors and others in 21 countries. Those countries included the United States, China, Germany, India, Russia, Saudi Arabia, South Korea and inside Lebanon.
The researchers traced the attacks to a building in Beirut that houses Lebanon’s GDGS, using Wi-Fi networks and so-called internet protocol addresses assigned to attackers’ machines. While researchers said they could not be sure whether the attacks were the work of the GDGS or rogue employees, many of the attacks appeared tied to an email address — email@example.com — that had been linked to various online personas, including “Nancy Razzouk” and “Rami Jabbour.” All of the physical addresses listed with registrations made by that email account were clustered around the GDGS building in Beirut, according to the user’s wireless activity.
Emails sent to that email address were not returned.
As part of their work, researchers found evidence that Lebanese spies were directing victims to install the spy apps through WhatsApp messages that began innocuously with a “How are you?” Those then linked to the spy apps with additional messages like “You can download from here to communicate further.”
In other cases, the spies found their targets on Facebook, inviting them to Facebook groups, where they posted links to their decoy apps, which they often referred to by names like “WhatsApp plus.” The spies also directed victims to fake login sites for social media services like Twitter and Facebook to steal their credentials, hijack their accounts and push out trick messages to more people.
Researchers also found evidence that Lebanese officials had previously used FinFisher, a product manufactured by the British company Gamma International, which sells surveillance tools that let customers turn computers and phones into listening devices to monitor a target’s messages, calls and whereabouts. Increasingly, researchers discovered that the spies had built their own custom mobile spy tools that were less sophisticated than FinFisher but as effective in getting the intelligence they were after.
Martin J. Muench, the managing director of Gamma International, has told The New York Times that his company only sells surveillance tools to governments for criminal and terrorism investigations. The Times has covered several instances in which Mr. Muench’s tools have popped up on devices used by journalists and activists. Gamma Group did not respond to a request for comment on Thursday.
Researchers also uncovered evidence that Lebanese officials deployed several variants of malware to victims’ desktop machines; the malware was designed to work across several operating systems, including Microsoft Windows, Apple’s Mac and Linux. That malware could steal screenshots of victims’ computer screens, use the victim’s webcam to spy on their physical whereabouts, record sound, grab photos and any Skype activity, file listings and files, and even iPhone backups.
In the hours after researchers published their report on Thursday, the servers conducting the spying went dark.