
Cyber Incident Victim: Vtel Holdings Limited

Date:

Jan 2020

Location:

Israel

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications and internet service providers across multiple countries, including a Jordanian company, by exploiting vulnerabilities in Atlassian and Oracle systems. The attackers deployed web shells to maintain access and used the Explosive RAT malware to exfiltrate sensitive data from internal networks, targeting customer databases and call records for intelligence gathering. Security researchers attributed the campaign to the group based on tool reuse and operational patterns, identifying over 250 infected servers globally. The intrusion aimed to steal confidential client information and operational documents, leveraging known vulnerabilities in internet-facing infrastructure to breach organizational networks.

Description

In early 2020, a Hezbollah-affiliated threat actor known as Lebanese Cedar initiated a year-long cyber espionage campaign targeting telecommunications providers and internet service providers across multiple countries, including Jordan. The attackers employed open-source scanning tools to identify internet-exposed servers running unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware. They exploited three specific vulnerabilities (CVE-2019-3396 in Confluence, CVE-2019-11581 in Jira, and CVE-2012-3152 in Oracle Fusion Middleware) to gain initial access to victim networks. After compromising these systems, the group deployed multiple web shells, including ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source JSP file browser tool, to maintain persistent access. The attackers then pivoted to internal networks, where they deployed the Explosive remote access trojan (RAT), a custom malware tool designed for systematic data exfiltration and historically used exclusively in Lebanese Cedar operations.

Israeli cybersecurity firm ClearSky discovered the campaign during incident response investigations and published findings in January 2021. Researchers identified at least 254 compromised web servers globally, with forensic analysis confirming 135 servers contained identical file hashes matching artifacts from their investigations, indicating tool reuse across targets. The operation primarily sought to harvest sensitive corporate databases and client records, including telecommunications call metadata and subscriber information. ClearSky attributed the activity to Hezbollah's cyber unit through technical indicators including the exclusive use of Explosive RAT and operational patterns consistent with prior Lebanese Cedar intrusions. Victim organizations spanned nine countries with confirmed compromises at major regional providers including Vodafone Egypt, Etisalat UAE, SaudiNet, and US-based Frontier Communications. The campaign's global footprint demonstrated the group's focus on intelligence gathering from critical communications infrastructure operators over an extended operational timeline.
