
Cyber Incident Victim: Frontier Communications

Date: Jan 2020

Location: United States of America

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications providers and ISPs, including Frontier Communications, through a campaign exploiting vulnerabilities in internet-facing Atlassian and Oracle servers. Attackers deployed web shells and the Explosive RAT malware to infiltrate internal networks, exfiltrating sensitive databases containing client records and private data for intelligence purposes. Security researchers attributed the activity to the group based on reused attack tools and infrastructure patterns, identifying over 250 compromised servers globally across multiple countries.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

The incident involving Frontier Communications was part of a broader cyber-espionage campaign conducted by Lebanese Cedar, a threat actor affiliated with Hezbollah's cyber unit. The campaign, active from early 2020 through at least early 2021, targeted telecommunications providers and internet service providers across multiple countries, including the United States. According to cybersecurity firm ClearSky, which discovered and investigated the campaign, attackers initially scanned the internet for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion servers. They exploited known vulnerabilities—CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152—to gain initial access to target networks. After compromising internet-facing servers, the attackers deployed web shells such as ASPXSpy, Caterpillar 2, Mamad Warning, and a JSP file browser tool to maintain persistence. These web shells facilitated lateral movement within internal networks, where the group deployed the Explosive remote access trojan (RAT), a custom malware tool designed for data exfiltration.


ClearSky attributed the campaign to Lebanese Cedar based on the exclusive historical use of Explosive RAT by this group and operational patterns, including reused files across intrusions. The attackers exfiltrated sensitive databases, which likely included telecommunications customer records, call metadata, and private client information. Frontier Communications was among at least 254 compromised servers globally, with 135 servers sharing identical file hashes traced to Lebanese Cedar’s infrastructure. The campaign’s primary objective appeared to be intelligence gathering, with victims spanning the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE. ClearSky’s investigation revealed operational security lapses by the attackers, such as reusing identifiable tools and infrastructure, which enabled the firm to map the campaign’s scope and confirm attribution. No specific remediation actions by Frontier were detailed in public reporting, though the disclosure highlighted systemic risks to telecommunications providers from unpatched enterprise systems and advanced persistent threat groups.

Sources

1 source (available to members)