A Hezbollah-affiliated threat actor known as Lebanese Cedar has been linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE.
The year-long hacking campaign started in early 2020 and was discovered by Israeli cyber-security firm Clearsky.
In a report published today, the security firm said it identified at least 250 web servers that have been hacked by the Lebanese Cedar group.
“It seems that the attacks aimed to gather intelligence and steal the company’s databases, containing sensitive data,” ClearSky said today.
“In case of telecommunication companies, one can assume that databases containing call records and private data of clients were accessed as well,” the company added.
Attacks targeted outdated Atlassian and Oracle servers
Clearsky researchers said the attacks followed a simple pattern. Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, after which they deployed exploits to gain access to the server and install a web shell for future access.
The Hezbollah-linked group then used these web shells for attacks on a company’s internal network, from where they exfiltrated private documents.
For their attacks on internet-facing servers, Clearsky said the hackers used vulnerabilities such as:
- CVE-2019-3396 in Atlassian Confluence
- CVE-2019-11581 in Atlassian Jira
- CVE-2012-3152 in Oracle Fusion
Once they gained access to these systems, the attackers deployed web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source tool named JSP file browser (which can also function as a web shell).
On internal networks, the attackers deployed a more powerful tool named the Explosive remote access trojan (RAT), a tool specialized in data exfiltration and which they also used in the past.
Clearsky said they were able to link the attacks to Hezbollah’s cyber unit because Explosive RAT was a tool that was until now exclusively used by the Lebanese Cedar group.
Some victim names made public
Furthermore, researchers also said that attackers made mistakes in their operation and often reused files between intrusions. This allowed Clearsky to track the attacks across the globe and link them to the group.
“The operation enabled us to fingerprint the targets of [the] Lebanese Cedar APT and categorize them based on sector and country of origin,” Clearsky said. “We identified 254 infected servers worldwide, 135 of them shared the same hash as the files we identified in [a] victim’ network during our [incident response] investigation.”
Based on these scans, below is a list of some of the group’s better-known victims, including the likes of Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the US.
For indicators of compromise and more technical details about the attacks, the ClearSky Lebanese Cedar report’s PDF contains additional data.