Cooper Quintin has been tracking the activities of a cyber mercenary group called Dark Caracal for years. On July 28, 2022, he said he discovered traces of a new ongoing hacking campaign by the group in the Dominican Republic and Venezuela. While he was analyzing the domains that the hackers were using as command and control servers, he made a surprising discovery.
“For more than four months, they hadn’t realized that they had forgotten to register one of the key domains listed in their malware,” Quintin, who is a senior security researcher at the digital rights group Electronic Frontier Foundation, told TechCrunch.
Quintin quickly realized that if he could register the domain and take control of it — a mechanism called sinkholing in cybersecurity lingo — he could get a real-time view into the hackers’ actions, and, more importantly, their targets.
He said he made the discovery late in the day, but he immediately started “badgering” the EFF’s lawyers to get permission to register the domain and sinkhole it. The next day, Quintin got the green light and effectively infiltrated Dark Caracal’s hacking operation.
As of this writing, he’s still stealthily monitoring the hackers’ activities. And as far as Quintin can tell, the hackers have yet to realize that.
“I thought I would maybe get a couple of days of information to maybe like a week or two at most. I never thought that I would get several months of information,” he said.
Thanks to the sinkhole, Quintin found that the hackers have targeted more than 700 computers since March of last year, mostly in the Dominican Republic and Venezuela.
The domain that Quintin took over was not the main command and control server — it was one of three — but it still had an important objective: downloading additional functionality for the malware, called Bandook. That, however, meant Quintin didn’t get granular information about the targets and their identities, other than IP addresses.
Also, when they decided to take control of Dark Caracal’s domain, Quintin and his colleagues decided they didn’t want to collect too much personal information.
“We wanted to make sure that we’re not further violating the privacy of people who have been infected,” he said.
With that goal in mind, they took the peculiar decision to put a privacy policy on the sinkhole’s website, which says the EFF “will make our best efforts to anonymize any data collected by SINKHOLE before publishing or sharing or within a certain time frame,” among other practices meant to protect the victims of the hacking campaign.
The EFF has been tracking Dark Caracal since 2015. In 2020, Quintin and EFF’s director of cybersecurity Eva Galperin published a report about a hacking campaign focused on Lebanese targets. The EFF researchers concluded at the time that the hacking campaign was at the behest of the Lebanese government, and they linked it to a 2016 campaign in Kazakhstan.
The fact that over the years the group has been targeting different victims in different countries made the EFF researchers conclude that Dark Caracal is not a traditional government hacking group, but rather a group that governments and perhaps other organizations hire to hack whoever they are interested in.
“We think that they are a cyber mercenary group, they seem to have done work for multiple nation states, including Lebanon and Kazakhstan. And now it seems like they’re doing some work in Latin America,” Quintin said. (Quintin and his colleagues could not determine who Dark Caracal is working for here.)
The EFF researchers believe that Dark Caracal is the same group behind a campaign reported by the cybersecurity firm ESET in 2021, which targeted computers mainly in Venezuela. Matias Porolli, a researcher at ESET who worked on that report, told TechCrunch that he looked into the current campaign when Quintin asked him for help. Porolli said that he concluded that this recent campaign is being run by the same group ESET tracked in 2021.
Porolli, however, said they don’t have enough data to conclude that the 2021 campaign was indeed conducted by Dark Caracal. One of the breadcrumbs that points to Dark Caracal is the use of a spyware — or remote access trojan, commonly referred to as a RAT — called Bandook.
“It is the same malware, Bandook, but it could be used by different groups,” Porolli said.
Cooper, however, said he believes that the use of the same malware is a strong enough link, given that Bandook is not open source, nor appears to be openly available. Plus, the hackers have been slowly improving on Bandook over the years, adding different functions to the spyware, suggesting they are the same group improving their own tools.
And their tools and techniques are slowly getting better.
“We’re not exactly dealing with the best in the world here. But regardless, they still get the job done. They clearly are able to pull off big campaigns, and infect lots of computers,” Quintin said. “I think it’s important to pay attention to these lower end doctors, because they are putting in a lot of work. And I think they’re putting in just as much work as the more well-known guys like NSO Group are, and I think that they are just as dangerous in a different way.”
The ball is now in Dark Caracal’s court. Will they figure out they have been infiltrated now that Quintin’s actions are public?
“If I were them, I would be reading the EFF blog looking for my name,” Quintin said laughing.
Do you have more information about Dark Caracal? Or do you have information about other mercenary hacking groups? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.