Hacking Group Linked To Hezbollah Reportedly Accessed Telecoms and ISPs Around The World

Gabriele Pedrini

Lebanese Cedar, a Hezbollah-affiliated group, is accused of hacking at least 250 telco operators and internet service providers in several countries, notably the US, Lebanon, the UK, Saudi Arabia, Israel, Egypt, Jordan, the UAE, and the Palestinian Authority.

According to ClearSky Security, suspicious network activity and hacking tools were found in early 2020 across a range of companies.

“Comprehensive forensic research of the infected systems revealed a strong connection to a threat actor we call ‘Lebanese Cedar’, which has been operating since 2012,” the cybersecurity firm stated in its report published on Thursday.

According to the report, the Hezbollah-affiliated group’s aim is to gather intelligence and steal databases.

“The attacks followed a simple pattern. Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, after which they deployed exploits to gain access to the server and install a web shell for future access,” ClearSky explained.

The firm added that “the Hezbollah-linked group then used these web shells for attacks on a company’s internal network, from where they exfiltrated private documents.”


ClearSky revealed that, once the group got access, they installed web shells (ASPXSpy, Caterpillar 2, Mamad Warning), as well as an open-source tool named JSP file browser.
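Because the intrusions described above hinge on a web shell being dropped into a web root and then called over HTTP, the most useful thing a defender can do with this report is hunt for such files on their own Atlassian, Oracle and other application servers. The script below is an added example for this article, not code from ClearSky or from the report: it walks a web root, looks only at server-side script files (.aspx, .jsp and similar), and flags a file when it both reads request input and launches a process or evaluates code, which is the minimum any command web shell must do. The indicator patterns and the sample files it scans are constructed for the example and are not signatures or samples of ASPXSpy, Caterpillar 2 or the other tools named in the report.

```python
"""Heuristic web shell hunt for an ASP.NET / JSP web root.

Added example for this article. The indicators below are generic patterns
constructed for the example, not IoCs published by ClearSky. A file is flagged
only when at least one "input" and one "exec" indicator match, so ordinary
pages that merely read a query string are not reported.
"""
import re
import tempfile
from pathlib import Path

# (indicator name, category, regex). "input" = reads attacker-supplied data;
# "exec" = runs a command or evaluates code on the server.
INDICATORS = [
    ("aspx-request-input", "input", re.compile(r"Request\s*(\.Form|\.QueryString|\[)", re.I)),
    ("aspx-process-start", "exec", re.compile(r"Process(StartInfo|\.Start)", re.I)),
    ("jsp-request-param", "input", re.compile(r"request\.getParameter\s*\(", re.I)),
    ("jsp-runtime-exec", "exec", re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I)),
]

# Server-side script extensions worth inspecting; static assets are skipped.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}


def classify_file(text: str) -> list[str]:
    """Return the names of matching indicators, or [] if the file is not suspicious."""
    hits = [(name, cat) for name, cat, rx in INDICATORS if rx.search(text)]
    categories = {cat for _, cat in hits}
    if {"input", "exec"} <= categories:
        return [name for name, _ in hits]
    return []


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each suspicious script file (path relative to root) to its indicator hits."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole hunt
        hits = classify_file(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files for the demo (not real web shell samples).
BENIGN_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<% string q = Request.QueryString["q"]; Response.Write(Server.HtmlEncode(q)); %>'
)
SUSPICIOUS_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<% var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", Request["c"]); %>'
)
SUSPICIOUS_JSP = '<% String c = request.getParameter("cmd"); Runtime.getRuntime().exec(c); %>'


def demo() -> dict[str, list[str]]:
    """Build a throwaway web root with the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "search.aspx").write_text(BENIGN_ASPX)      # reads input, no exec: clean
        (root / "uploads").mkdir()
        (root / "uploads" / "img.aspx").write_text(SUSPICIOUS_ASPX)
        (root / "help.jsp").write_text(SUSPICIOUS_JSP)
        (root / "notes.txt").write_text(SUSPICIOUS_JSP)     # not a script suffix: ignored
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Run against a real web root with `scan_webroot(Path("/var/www/app"))` (path assumed). The two-category rule is the important design choice: a single regex for `Request[...]` or `exec(` on its own would drown the finding in noise, while requiring both input handling and code execution in one file catches the shape of a command shell regardless of its name. Pair the content check with file metadata (a script file modified long after the application's last deployment, or sitting in an upload directory) to prioritise what to examine first.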

On internal networks, the attackers deployed a tool named the Explosive remote access trojan (RAT), specialised in data exfiltration, according to ClearSky.

ClearSky noted that it was able to attribute the intrusions to Hezbollah’s cyber unit because, until now, the Explosive RAT had been used exclusively by the Lebanese Cedar group.

Mistakes made by the Hezbollah-affiliated group, such as reusing the same files across intrusions, also made it easier for ClearSky researchers to track the attacks around the globe and link them to the group.


ClearSky published a list of some of the victims of the hack, including SaudiNet in Saudi Arabia, Vodafone Egypt, Frontier Communications in the US, and Etisalat UAE.

Full details are available in ClearSky’s report.