Cyber Threat Actor: Lebanese Cedar
| Actor Type | Location | Known Incidents |
Spy
|
Lebanon
|
16 incidents |
|---|
Profile
Lebanese Cedar is a Hezbollah‑affiliated threat actor that operates under the alias Lebanese Cedar and is based in Lebanon. The group has been publicly linked to Hezbollah’s cyber unit, with attribution drawn from the exclusive use of the Explosive remote access trojan (RAT) in its intrusions and from the reuse of specific tools and infrastructure across multiple compromises. Its activity has been described as a year‑long cyber‑espionage campaign that began in early 2020 and was uncovered by the Israeli firm Clearsky in January 2021, during which at least 250 web servers were compromised worldwide.
The actor primarily targets telecommunications providers and internet service providers, having struck companies in the United States, the United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority and the United Arab Emirates, including notable victims such as Vodafone Egypt, Etisalat UAE, SaudiNet, Frontier Communications and Iomart Cloud Services Limited. The strategic objective of these intrusions is intelligence gathering, specifically the exfiltration of sensitive customer databases, call records and private company documents, with no indication of financial gain or disruptive intent in the reported material. Initial access is achieved by scanning the internet for unpatched Atlassian and Oracle servers and exploiting known vulnerabilities such as CVE‑2019‑3396 in Atlassian Confluence, CVE‑2019‑11581 in Atlassian Jira and CVE‑2012‑3152 in Oracle Fusion. After gaining a foothold, the group deploys web shells—including ASPXSpy, Caterpillar 2, Mamad Warning and an open‑source JSP file browser—to maintain persistence and pivot into internal networks. Inside the compromised environment, Lebanese Cedar employs the Explosive RAT malware to conduct data exfiltration, a tool that researchers have tied exclusively to this actor. Operational security lapses, notably the reuse of files and tools across different intrusions, have allowed defenders to fingerprint the group’s activity and trace the campaign to over 250 infected servers globally. These observed tactics, combined with the clear Hezbollah nexus, define Lebanese Cedar as a state‑aligned espionage group focused on telecom sector intelligence.
