Someone in Lebanon has been operating a cyber spy operation against targets in Israel, the United States, Canada, Russia and Britain since 2012, says a new report issued by Israeli information security firm Check Point. As part of the operation, dubbed Volatile Cedar, the hackers used sophisticated malware known as “Explosive” to extract information from various organizations, some with links to the Israel Defense Forces.
- Cyber-defenders Warn: Israel Is Vulnerable
- Israeli Cybertech Wins Big Fans
- Israeli Startup 'Anticipates' Hackers
- LogDog: Hacker Alerts in Real Time
- 'Satellite Images Show Hezbollah Airstrip'
Check Point believes there is a major player behind the hack, such as a state or political group – which could hint at possible Hezbollah involvement.
A source close to the investigation says this is the prevailing belief, though the company declined to officially confirm that.
“We’re not experts on international relations and don’t pretend to analyze the geopolitical situation in Lebanon,” said Shahar Tal, head of the security and vulnerability research group at Check Point. “We’re experts on information security and malware, and when we see such a threat, we work to provide protection for our clients – no matter if the attacker is a state player from Lebanon or a Saudi, Brazilian or Malaysian hacker,” he said.
One thing pointing to possible Hezbollah involvement is the fact that the attackers made use of a hacking tool of Iranian origin (web shells, which are used to control a server following a successful hack). Also, the malware’s first command and control servers were stored by a Lebanese storage company. The report also showed that some of the servers were registered as belonging to someone with a “very similar” Lebanese address.
Among the targets attacked in Israel were other storage and communications companies, and companies that supply software to the Israel Defense Forces. In other words, it wasn’t a frontal attack on the IDF network, but on entities that could enable the circumvention of the built-in protection systems in the defense establishment.
“It’s not hard to see the significance of breaching a communications or cellular company, in the post-Snowden world,” Tal told Haaretz, referring to the former NSA employee who leaked classified information from the agency. “And the same goes for the infiltration of systems that are connected to the IDF.”
Volatile Cedar was based largely on Explosive, a “Trojan horse” that was planted in its targets and used to collect information. Monitoring these cyber infections was very challenging, due to the numerous ways in which they were disguised by the hackers. The hackers selected a small group of targets so as to avoid unnecessary exposure, says the Check Point report.
The company says that attackers generally begin by mapping the weaknesses in the target organization’s web servers, both automatically and manually. “As soon as a breach that can be exploited is identified, it’s used to insert a web shell into the server,” explained Tal. “Then, the web shell is used by the hacker to control the victim’s server and is the means by which Explosive is introduced into the server. This Trojan horse lets the hackers send commands to all the targets via a system of command and control servers. The list of commands includes everything the hacker needs to maintain control and extract information, and so on.”
The introduction of the malware into the servers also made it possible for USB connections to be affected, too – and, therefore, any storage device attached to the affected computer. Yaniv Balmas, the main investigator of the malware at Check Point, explained that Explosive is not even the top technology in this field.
“It’s not the most advanced and it’s not that technologically sophisticated, but it was advanced enough to succeed at its task for three years,” said Balmas. In the report, Balmas and the other investigators said Explosive managed to evade detection by most existing antivirus programs.
During these past three years, Explosive underwent several changes, and at least four new versions were added to the original Trojan horse. Also, after Check Point publicized these findings, the company noticed that the command and control servers sent a destruction order to every malware that was able to communicate with the server.