Cyber Incident Victim: Jordanian Universities Network L.L.C.

Date: Jan 2020

Location: Jordan

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications and internet service providers, including Jordanian Universities Network, by exploiting vulnerabilities in Atlassian and Oracle servers to deploy web shells and the Explosive RAT malware. The attackers exfiltrated sensitive client databases and private documents, likely targeting intelligence gathering through stolen call records and organizational data. Security researchers attributed the campaign to the group based on tool reuse and operational patterns, identifying over 250 infected servers across multiple countries.

Description

The incident involving the Jordanian Universities Network L.L.C. occurred within a broader cyber espionage campaign conducted by the Hezbollah-affiliated threat actor Lebanese Cedar, active from early 2020 through at least January 2021. The campaign targeted telecommunications providers and internet service providers across multiple countries, including Jordan, as identified by Israeli cybersecurity firm ClearSky. Attackers initiated operations by scanning the internet for vulnerable servers running unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion middleware. They exploited known vulnerabilities—CVE-2019-3396 in Confluence, CVE-2019-11581 in Jira, and CVE-2012-3152 in Oracle Fusion—to gain initial access to external-facing systems. Upon compromise, the group deployed web shells such as ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source JSP file browser tool to establish persistent access. These web shells facilitated further lateral movement into internal networks, where attackers deployed the Explosive remote access trojan (RAT), a custom malware tool historically exclusive to Lebanese Cedar. The RAT enabled data exfiltration from compromised environments.

ClearSky attributed the campaign to Lebanese Cedar based on technical evidence, including the exclusive use of Explosive RAT and operational patterns such as reused files across intrusions. Researchers identified 254 infected servers globally, with 135 sharing identical file hashes, confirming widespread targeting. The attackers’ primary objective was intelligence gathering and theft of sensitive databases, including telecommunications customer records and private client data. While specific impacts on Jordanian Universities Network L.L.C. were not detailed in public reporting, the broader campaign’s consequences included potential exposure of call records, personally identifiable information, and internal corporate documents. ClearSky’s investigation revealed the group’s operational security lapses, including tool reuse and insufficient obfuscation of attack artifacts, which enabled attribution and global tracking of the campaign. No mitigation or containment actions by victim organizations were described in the available reporting.
