The cybermercenaries, which the vendor dubbed the Desert Falcons, has stolen more than 1 million files from 3,000 victims in more than 50 countries, Kaspersky Lab said Tuesday. The group, likely native Arabic speakers, began in 2011, with the first infections coming in 2013, the company said.
Targeted countries include Algeria, Lebanon, Turkey and the United Arab Emirates in the Middle East, and the U.S., Russia, France and Sweden beyond the region, Kaspersky said.
The group's motivation seems to be political, with targets including industry, politicians and prominent activists, said Dmitry Bestuzhev, a security expert at Kaspersky's Lobal Research and Analysis Team.
Whoever is behind the group is not interested in money but in secret classified information that can offer advantages in negotiations or political maneuvering, he said by email.
The attackers appears to be using the stolen information "exclusively for their own needs," he added. The information has not been offered for sale or exposed publicly.
The group uses phishing attacks through email, social-networking sites and chat messages to gain access to an organization, then plants two backdoors in computer systems, Kaspersky said. The backdoor malware, which appears to be developed from scratch, gives the attackers the ability to take screen shots, log keystrokes, upload and download files and collect Word and Excel files on a victim's hard drive or connected USB device, the company said.
The Desert Falcons have targeted Windows and Android systems, the vendor said.
The group has used several techniques to entice victims to run malicious files, including the so-called right-to-left extension override trick, a way in Unicode to reverse the order of characters in a file name, the cybersecurity vendors said.
This is the third major cyberthreat announcement Kaspersky Lab has made this week. On Sunday, the company reported that a still-active cybercriminal gang has stolen up to US $1 billion from banks in at least 25 countries over the last two years.
And on Monday, Kaspersky reported that a cyberespionage group using tools similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries such as Iran and Russia.
The Desert Falcons group is made up of at least 30 people, operating in three teams and spread across several countries, according to Kaspersky estimates.
The group's members are "highly determined, active and with good technical, political and cultural insight," Bestuzhev said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.