Israel targeted by Hezbollah hacker group, remained unnoticed for 5 years

ClearSky added that the Lebanese Cedar hacker group seems to have successfully remained unnoticed by the security community for the past five years.

ISRAEL WILL need to use cyber capabilities ‘in severe and extreme scenarios, to inflict systemic disruption on an enemy’s economic infrastructure and society at large.’  (photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)
ISRAEL WILL need to use cyber capabilities ‘in severe and extreme scenarios, to inflict systemic disruption on an enemy’s economic infrastructure and society at large.’
(photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)
Over the past decade, companies in the US, UK, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority have been targeted by a hacker group called “Lebanese Cedar”, also known as “Volatile Cedar,” which seems to be linked to Hezbollah, ClearSky Cyber Security announced on Thursday.

The group has been operating since 2012, but has maintained a low profile since 2015. The Lebanese Cedar hacker group seems to have successfully remained unnoticed by the security community for the past five years, according to the report.
ClearSky expressed support for the assessment by the Check Point software technologies company that Lebanese Cedar is linked to the Lebanese government or a Lebanese political group, adding that there are indications that the hacker group is linked to the Hezbollah Cyber Unit.

The group is known for its “highly evasive, selectively targeted, and carefully managed operations,” according to ClearSky, which matches up with Advanced Persistent Threat groups that are funded by nation-states or political groups.
The attacks were revealed after suspicious network activities and hacking tools were found in a range of companies in early 2020.

A new version of the “Explosive” V4 RAT (Remote Access Tool) or “Caterpillar” V2 WebShell was found in the affected networks. ClearSky identified the open-source JSP file browser that was modified for the hackers purposes. Lebanese Cedar is the only known threat actor that uses this code, according to the report.

The files were installed on the victims’ Oracle servers, exposing them and enabling hackers to install new files on the server. Some 254 infected servers were found worldwide. Most of the victims were from telecommunications and IT, hosting, communications and hosting and applications companies.

Targeted companies include Vodafone Egypt, Secured Servers LLC in the US, Hadara in the PA, Jordanian Universities Network L.L.C. in Jordan, Mobily in Saudi Arabia and Etisalat in the UAE, among others. Many other companies have likely been hacked and had information stolen by Lebanese Cedar over periods of months and years.

In 2015, Check Point announced that they had discovered an attack campaign by Lebanese Cedar targeting defense contractor firms, telecommunications and media companies, and educational institutions in about 10 countries, including the US, Canada, UK, Turkey, Lebanon and Israel.

ClearSky analysts have made a few assumptions on how Lebanese Cedar succeeded in remaining unnoticed for the past five years. One possible explanation is that because the hacker group used a common web-based shell-like interface to enable remote access while rarely using other tools, it led researchers to a dead-end in terms of attributing the hacks to a specific group.

Another possible explanation is that Lebanese Cedar shifted focus significantly. While it originally attacked computers as an initial point of access, it then progressed to the victim’s network and eventually to vulnerable, public facing web servers. The most commonly attacked server was a vulnerable version of an Oracle web server, according to ClearSky.

The group also likely had long periods of inactivity, which enabled it to avoid attention.

Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter



Most of the tools used by the group in its most recent campaign were developed by the group itself, but some open source tools, including ones developed by Iranian hacktivist groups, were used by Lebanese Cedar as well.

ClearSky found that the group used a highly selective targeting process which indicates extensive reconnaissance.
According to the report, the campaign likely began in late 2012, with attacks on carefully chosen individuals, companies and state institutions around the world.

“As Israelis we are very complacent towards state attack groups. We have a feeling that if we are considered a cyber power in development and start-ups, including glorious military activity, then we know everything and cannot be touched,” said cybersecurity consultant Einat Meyron in response to the report.
“We have also become accustomed to thinking that only Iran, Russia, China and North Korea lead the field. Here is proof of the fundamental mistake. There are good and sophisticated hackers all over the world, even in countries that are fundamentally weaker than us in terms of resources and budgets but are no less dangerous.”