The hackers used malicious apps that resembled legitimate communication platforms like Signal and WhatsApp to steal the trove of data, loading up the fake versions with malware that allowed them to tap into users' conversations. "One of the interesting things about this ongoing attack is that it doesn't require a sophisticated or expensive exploit," EFF Staff Technologist Cooper Quintin said in a statement. "Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware." However, the hackers' storage of the stolen info also wasn't terribly sophisticated, as it was all left exposed online on an unprotected server. "It's almost like thieves robbed the bank and forgot to lock the door where they stashed the money," Mike Murray, Lookout's head of intelligence, told the AP.

The EFF and Lookout were able to link the data to a WiFi network coinciding with the location of Lebanon's GDGS. "Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," noted the report. EFF Director of Cybersecurity Eva Galperin said that pinpointing the campaign to such a precise location was remarkable, telling the AP, "We were able to take advantage of extraordinarily poor operational security."