Hezbollah-linked Lebanese Cedar breached 250 companies worldwide

Clearsky security experts have confirmed that Lebanese Cedar APT, a cyber unit of Hezbollah, has breached 250 telecom companies worldwide, including ones based in Israel, Egypt, Jordan, Saudi Arabia, the UAE, and the United States.

As per the reports, around 250 web servers were identified to be hacked by the Lebanese Cedar gang. The malicious attackers were focused on gathering intelligence and stealing the databases of the companies that contained sensitive information.

This group, also known as “Volatile Cedar”, has been active since 2012 and is motivated by political and ideological interests. However, they have been keeping a low profile since 2015, after Kaspersky and Check Point researchers exposed the threat actors for espionage activities.

The cyber espionage campaign restarted in early 2020 and affected internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

The Hezbollah-linked group then used these web shells for attacks on a company’s internal network, from where they infiltrated private documents.

For their attacks on internet-facing servers, Clearsky said the hackers used vulnerabilities, such as:CVE-2019–3396 in Atlassian Confluence,CVE-2019–11581 in Atlassian Jira,CVE-2012–3152 in Oracle Fusion.

Boaz Dolev, CEO of ClearSky, said “This group successfully worked under the radar for a long time, while getting control on critical databases and stealing valuable information. Telecommunication providers worldwide are a prime target for attackers in search for sensitive data.”

Furthermore, researchers also said that attackers made mistakes in their operation and often reused files between intrusions. This allowed Clearsky to track the attacks across the globe and link them to the group.

“The operation enabled us to fingerprint the targets of [the] Lebanese Cedar APT and categorize them based on sector and country of origin,” Clearsky said. “We identified 254 infected servers worldwide, 135 of them shared the same hash as the files we identified in [a] victim’ network during our [incident response] investigation.”

Hacking by exploiting telecom sectors is much more common in Middle East. There are several incidents in the past when Middle Eastern nations took help from many foreign firms to fufill their objectives.

Few months ago, reports were released on how two hacking groups, led by UAE and Saudi Arabia, attacked dozens of journalists based out of London and Qatar. It was stated that the Saudis and the Emiratis took help from Israeli firm, NSO group, to launch the attack that ended up with the killing of Saudi dissident, Jamal Khashoggi.

Similarly, Qatar has also been reportedly involved in taking help from foreign firms, like ones based in Turkey and Global Risk Advisor (GRA), a US consulting firm.

Iran, which is already under the radar for launching offensive cyber attacks, also launched an assault, using its hacking group, “Chafer”, that targeted UAE, Jordon, and Saudi’s telecom and airline companies.