A hacker group considered a proxy for the Lebanese terror group Hezbollah has managed to penetrate internet and mobile phone networks, an Israeli cybersecurity firm said Thursday, revealing what it called a “global espionage” campaign.
According to Tel Aviv-based ClearSky Cyber Security, the group known as Lebanese Cedar used software and techniques linked in the past to Iranian state hackers to breach over 250 servers of targets in the United States, Britain, Egypt, Jordan, Lebanon, Israel and Palestinian controlled areas of the West Bank.
“We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years,” the company said in a report.
Lebanese Cedar has been active for a number of years and is what is known in the industry as an advanced persistent threat, or APT – state-sponsored hackers. The U.S.-Israeli company Check Point Software Technologies, which first uncovered the group in 2012, found that Lebanese Cedar was motivated by political and ideological goals, and even suggested in 2015 that it was linked to Iran, though Check Point fell short of naming Hezbollah.
“Since 2015 Lebanese Cedar APT – also referred to as ‘Volatile Cedar’ – maintained a low profile and operated under the radar,” the report said.
As is usually the case with cyberattacks, attribution is done by linking the tactics, techniques, procedures and targets of a certain attack to previous ones.
“Known for its highly evasive, selectively targeted, and carefully managed operations, Lebanese Cedar follows courses of action associated with Advanced Persistent Threat groups (APTs) funded by nation-states or political groups,” ClearSky said.
- Iranian cyberattack claims new victim – and Israeli hackers vow revenge
- From FireEye to Israel: Cyber emergency response chief warns ‘everyone's a target'
- ‘The Iranians are waiting for the Israeli response’: Who is behind the latest cyberattack on Israeli firms?
In this case attribution was achieved via a piece of software that was previously known to be deployed only by the Hezbollah-linked hackers. In another aspect of the incursion, the technology was developed by state hackers from Iran as well.
Together, the report said, the findings “endorse Check Point’s strong case attributing Lebanese Cedar APT to the Lebanese government or a political group in Lebanon. Moreover, there are several indications that link Lebanese Cedar APT to the Hezbollah Cyber Unit.”
ClearSky added that it was “important to highlight this connection, as it may point to a connection between the APT, which is associated with Hezbollah, and the Iranian regime.”
Yaniv Balmas, head of cyber research at Check Point, reviewed the report for Haaretz and said that “ClearSky’s findings do correlate well with the techniques this group used, and it looks like it’s truly the same group. It should be noted that the group went under the radar after the initial exposure, and maybe ceased its operations, so these findings indicate that they are [still] operational.”
But he noted that “the attribution we made was to Lebanon based on several indicators that located the group in the country. However, it wasn’t specific to whom in Lebanon, though the combination of the targets outside Lebanon and inside Lebanon could match the motives of Hezbollah at the time of exposure.”
ClearSky suggests that servers in the United States and Britain were probably used to launch the attack, while servers in the Middle East and wider Arab world were more likely the target. The assault began late in 2019 and continued silently throughout 2020, the report said.
Among those breached were Vodafone Egypt and Egyptian internet provider TE Data, Hadara – the Palestinian Authority’s main internet provider – as well as a number of similar targets in the United Arab Emirates and Saudi Arabia. Among the American systems infected were the Oklahoma Office of Management & Enterprise Service and Connecticut-based company Frontier Communications, ClearSky said.
In January, an unknown hacker group calling itself SpiderZ hacked into Hezbollah and a bank it uses. The incursion exposed information on around 100,000 account holders from several countries with money deposited at Lebanon’s Al-Qard Al-Hassan benevolent loan association, an institution affiliated with Hezbollah.
Ideologically motivated hacktivism is common in the Middle East. Israel was hit by a string of ideologically motivated cyberattacks in recent months, and Palestinian hackers linked to Hamas have been accused of leading a complex cyberespionage campaign targeting Arab officials and political leaders across the Middle East.