Lebanese Cedar APT Group Attacks ISP Companies Worldwide

ClearSky researchers have linked the Lebanese Cedar group to a cyber-espionage campaign that targeted companies in several countries. According to the report, the Hezbollah-affiliated threat actor known as Lebanese Cedar has been tied to a series of intrusions.

The researchers assess that the attacks were intended primarily to gather intelligence and to steal company databases, including the sensitive data they hold. For telecommunications companies, that would also give the attackers access to databases of call records and customers' private information.

Countries Targeted

The Lebanese Cedar group has targeted organizations in the following countries:

  • US
  • Israel
  • Saudi Arabia
  • The U.A.E.
  • The U.K.
  • Egypt
  • Lebanon
  • Jordan

Hackers targeted outdated Atlassian and Oracle servers

The group follows a consistent pattern: the Lebanese Cedar operators use open-source tools to scan the internet for unpatched Atlassian and Oracle servers.

Once a vulnerable server is found, they exploit it to gain access and install a web shell for persistent access. The vulnerabilities exploited on internet-facing servers include:

  • CVE-2019-3396 in Atlassian Confluence
  • CVE-2019-11581 in Atlassian Jira
  • CVE-2012-3152 in Oracle Fusion Middleware
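The scan-exploit-web-shell sequence above leaves a recognisable trail in the web server's access log. The following is an added example, not code from the article or from ClearSky: a small Python detector that runs over combined-format access-log lines, flags requests to the endpoints that public analyses of the two Atlassian CVEs associate with exploitation (the Widget Connector macro preview endpoint for CVE-2019-3396 and the Contact Administrators form for CVE-2019-11581), and then treats a later request from the same source to a raw `.jsp` file as a candidate web shell. The signature paths are illustrative rather than an exhaustive rule set, the web-shell heuristic is my own assumption, and the log lines are constructed for the demo.

```python
import re

# Apache/nginx "combined"-style access-log line (only the fields the detector uses).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths that public analyses of the two Atlassian CVEs associate with
# exploitation. Illustrative signatures, not an exhaustive rule set. The
# patterns are unanchored at the start so a context path (/confluence/..., /jira/...)
# still matches.
SIGNATURES = (
    # Widget Connector macro preview endpoint (server-side template injection)
    ("CVE-2019-3396", "POST", re.compile(r"/rest/tinymce/1/macro/preview$")),
    # "Contact Administrators" form (server-side template injection)
    ("CVE-2019-11581", "POST", re.compile(r"/secure/ContactAdministrators(!default)?\.jspa$")),
)

# Heuristic (assumption): after an exploit signature, a request from the same
# source to a plain .jsp file is reported as a candidate web shell. Stock Jira
# and Confluence serve .jspa/.action URLs, so raw .jsp paths are unusual.
JSP_RE = re.compile(r"\.jsp$", re.IGNORECASE)


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def detect(lines):
    """Scan log lines in order; return (label, source ip, path, status) findings."""
    findings = []
    suspects = set()  # sources that have already sent an exploit signature
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for cve, method, pattern in SIGNATURES:
            if req["method"] == method and pattern.search(req["path"]):
                findings.append((cve, req["ip"], req["path"], req["status"]))
                suspects.add(req["ip"])
                break
        else:
            if req["ip"] in suspects and JSP_RE.search(req["path"]):
                findings.append(("possible web shell", req["ip"], req["path"], req["status"]))
    return findings


# Constructed sample log: documentation IP ranges, and a made-up shell path.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2021:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.10 - - [12/Jan/2021:10:01:05 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 812',
    '203.0.113.10 - - [12/Jan/2021:10:02:40 +0000] "POST /download/temp/cmd.jsp?cmd=id HTTP/1.1" 200 45',
    '198.51.100.7 - - [12/Jan/2021:11:15:00 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 0',
    '192.0.2.33 - - [12/Jan/2021:11:20:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9981',
    '192.0.2.33 - - [12/Jan/2021:11:21:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 20131',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Because the web-shell rule only fires for a source that already tripped an exploit signature, a legitimate `.jsp` request from an unrelated client is not reported; in production, feed the detector the full log in time order and widen the signature list with the Oracle endpoint used in your own environment.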

Companies targeted

  • Secured Servers L.L.C.
  • Frontier Communication
  • Oklahoma Office of Management and Enterprise Service
  • T.E. Data
  • Vodafone Egypt
  • Iomart Cloud Services Limited
  • SaudiNite
  • Mobily
  • Middle East Internet Company Limited
  • Arabian Internet Communication Services Co. Ltd
  • Vtel Holding Limited / Jordan Co.
  • National Information Technology Center
  • Jordanian Universities Network L.L.C.
  • Etisalat
  • Hadara

The group was first publicly exposed in 2015 and has since kept a low profile, concealing much of its activity. Its operations appear to be politically and ideologically motivated, and its targets include individuals, companies and organizations worldwide.

Inside compromised networks the operators deploy a more capable tool, the Explosive remote access trojan (RAT), which is built for data exfiltration and which the group has used in earlier campaigns.

ClearSky attributed the attacks to Hezbollah's cyber unit because the Explosive RAT has, to date, been used exclusively by the Lebanese Cedar group.

The researchers identified 254 compromised servers worldwide; 135 of them hosted files whose hashes matched the files found in the victim networks during the investigation.

Further details on the campaign, including indicators of compromise (IoCs), are in the analysis published by ClearSky.
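The file hashes in the published IoC list are the quickest way to check whether a server you operate is among the compromised ones. The following is an added example, not code from the article or from ClearSky: a Python sweep that streams every file under a web root through SHA-256 and compares the digest against a hash set, and, as a heuristic of my own (assumption), also flags JSP/JSPX files that sit in directories that should only ever hold data (attachments, temp, export directories), which is where a dropped web shell typically lands. The hash set and the files in the demo are constructed; no real indicator is included, so substitute the hashes from the report.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20
SCRIPT_SUFFIXES = {".jsp", ".jspx"}


def sha256_file(path):
    """Stream a file through SHA-256 so large attachments never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, bad_hashes, script_free_dirs=()):
    """Walk `root` and return (relative path, reason) pairs for:
    - files whose SHA-256 appears in `bad_hashes` (the published IoC list), and
    - JSP/JSPX files under directories that should hold only data.
    The second check is a heuristic (assumption); the caller names those directories."""
    root = Path(root)
    script_free = [root / d for d in script_free_dirs]
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        if digest in bad_hashes:
            findings.append((rel, "sha256 matches IoC " + digest))
        elif p.suffix.lower() in SCRIPT_SUFFIXES and any(d in p.parents for d in script_free):
            findings.append((rel, "server-side script in data directory"))
    return findings


# Constructed stand-in for a file an IoC list would name; its hash is computed
# here rather than copied from any report, so nothing below is a real indicator.
CONSTRUCTED_SAMPLE = b"constructed stand-in for a file an IoC list would name\n"
DEMO_IOCS = {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()}


def demo():
    """Build a throw-away web root with one hash match, one misplaced JSP and two benign files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "attachments").mkdir()
        (root / "attachments" / "report.pdf").write_bytes(b"%PDF-1.4 constructed\n")
        (root / "attachments" / "cmd.jsp").write_text("<%-- constructed placeholder, not a real shell --%>\n")
        (root / "temp").mkdir()
        (root / "temp" / "dropper.bin").write_bytes(CONSTRUCTED_SAMPLE)
        (root / "WEB-INF").mkdir()
        # A JSP that belongs to the application itself is not flagged.
        (root / "WEB-INF" / "decorators.jsp").write_text("<%-- application template --%>\n")
        return sweep(root, DEMO_IOCS, script_free_dirs=("attachments", "temp"))


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Run `sweep()` against the real web root with the report's hashes and your deployment's data directories; a hash hit is strong evidence, while the misplaced-script check is a lead to triage, since some plugins legitimately write JSP files outside the application directory.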


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.