Names | Stealth Falcon (Citizen Lab) FruityArmor (Kaspersky) Project Raven (Reuters) | |
Country | UAE | |
Motivation | Information theft and espionage | |
First seen | 2012 | |
Description | (Citizen Lab) This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organization called “The Right to Fight” contacted Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel. Donaghy has written critically of the United Arab Emirates (UAE) government in the past, and had recently published a series of articles based on leaked emails involving members of the UAE government. Circumstantial evidence suggests a link between Stealth Falcon and the UAE government. We traced digital artifacts used in this campaign to links sent from an activist’s Twitter account in December 2012, a period when it appears to have been under government control. We also identified other bait content employed by this threat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims. Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, “UAE” in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity. | |
Observed | Sectors: Civil society groups and Emirati journalists, activists and dissidents. Countries: Netherlands, Saudi Arabia, Thailand, UAE, UK. | |
Tools used | Deadglyph, StealthFalcon and 0-day exploits. | |
Operations performed | 2014 | Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy — dissidents, rival leaders and journalists. <https://www.reuters.com/investigates/special-report/usa-spying-raven/> |
Oct 2016 | Windows zero-day exploit used in targeted attacks by FruityArmor APT <https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/> | |
Oct 2018 | Zero-day exploit (CVE-2018-8453) used in targeted attacks <https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/> | |
Oct 2018 | Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611) <https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/> | |
Sep 2019 | ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East. <https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/> | |
2023 | Stealth Falcon preying over Middle Eastern skies with Deadglyph <https://www.welivesecurity.com/en/eset-research/stealth-falcon-preying-middle-eastern-skies-deadglyph/> | |
Information | <https://citizenlab.ca/2016/05/stealth-falcon/> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0038/> |
Last change to this card: 12 October 2023
Download this actor card in PDF or JSON format
Previous: Sprite Spider, Gold Dupont
Next: Stone Panda, APT 10, menuPass
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |