
Cyber Incident Victim: Hadara

Date:

Jan 2020

Location:

Israel

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar conducted a cyber espionage campaign against telecommunications providers and internet service providers in multiple countries. The group exploited known vulnerabilities in internet-facing Atlassian and Oracle systems, deployed web shells to establish persistence, and then moved into internal networks to exfiltrate sensitive data, including client databases and call records. The attackers used tools such as ASPXSpy, Caterpillar 2, and the group's own Explosive RAT. Victim organizations spanned the US, UK, Middle East, and North Africa, including Vodafone Egypt, Etisalat UAE, SaudiNet, and Frontier Communications. Operational security lapses, in particular reuse of identical files across intrusions, enabled attribution to the group.


Description

The Hezbollah-affiliated threat actor known as Lebanese Cedar conducted a year-long cyber espionage campaign beginning in early 2020, targeting telecommunications providers and internet service providers across multiple countries. The group exploited publicly known vulnerabilities in internet-facing systems, focusing on unpatched Atlassian and Oracle servers. Attack vectors included CVE-2019-3396 in Atlassian Confluence, CVE-2019-11581 in Atlassian Jira, and CVE-2012-3152 in Oracle Fusion Middleware. After successful exploitation, the operators deployed multiple web shells, including ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source JSP file browser, to maintain persistent access. These initial compromises served as entry points for lateral movement into corporate internal networks, where the attackers deployed the Explosive remote access trojan (RAT), custom malware previously seen only in Lebanese Cedar operations. The RAT was used for systematic data exfiltration from victim environments, with the attackers targeting sensitive corporate databases and customer records.


Israeli cybersecurity firm ClearSky discovered the campaign during incident response investigations and subsequently tracked 254 compromised web servers worldwide. Technical analysis revealed operational security failures, including reuse of the same files across multiple intrusions; identical file hashes were observed on 135 of the servers, which enabled attribution. The attacks affected organizations in the United States, United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the United Arab Emirates, with confirmed victims including Vodafone Egypt, Etisalat UAE, SaudiNet, and US-based Frontier Communications. ClearSky's report assessed the primary objective as intelligence collection, specifically from telecommunications customer databases containing call records and personally identifiable information. No mitigation actions by victims or law enforcement were detailed in the reporting, but the disclosure provided technical indicators that let network defenders identify compromised systems.
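The two artefacts the write-up describes, web-executable files reused byte-for-byte across servers and requests to the exploited endpoints, are what a defender would hunt for. The script below is an added example, not from this page and not ClearSky's tooling: it hashes web-executable files under a web root against an IOC hash set and flags files written after the last legitimate deployment, then scans access-log lines for the exploitation endpoints of the three CVEs and for direct requests to files with web-executable extensions. The IOC hash, file contents, timestamps and log lines are all constructed for the demo; the request paths for the CVEs come from the public exploit write-ups for those CVEs, which the page does not reproduce, so treat that mapping as an assumption of the example.

```python
"""Defender-side hunt for the intrusion pattern described above. Added example,
not ClearSky's tooling; every hash, path and log line here is constructed."""
import hashlib
import os
import re
import tempfile

# Extensions the web tier will execute if an attacker can write them into the web root.
WEB_EXEC_EXT = {".jsp", ".jspx", ".aspx", ".ashx", ".asmx"}

# Constructed stand-in for a web shell body. Its SHA-256 plays the role of the IOC
# hash a defender would load from a vendor report; it is NOT a real Lebanese Cedar hash.
SAMPLE_SHELL_BODY = b'<%@ page import="java.io.*" %><% /* constructed sample, inert */ %>'
SAMPLE_IOC_HASHES = {hashlib.sha256(SAMPLE_SHELL_BODY).hexdigest()}

# Request-path prefixes hit when exploiting the CVEs named in the write-up. Taken from
# public exploit write-ups for those CVEs (an assumption of this example, not from the page).
EXPLOIT_PATHS = {
    "/rest/tinymce/1/macro/preview": "CVE-2019-3396 Confluence Widget Connector",
    "/secure/ContactAdministrators": "CVE-2019-11581 Jira template injection",
    "/reports/rwservlet": "CVE-2012-3152 Oracle Reports",
}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_web_root(root, ioc_hashes, baseline_mtime=None):
    """Walk a web root; return (path, reason) for web-executable files that match a
    known shell hash, or that were written after the last legitimate deployment."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WEB_EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            if sha256_of(path) in ioc_hashes:
                findings.append((path, "sha256 matches known web shell"))
            elif baseline_mtime is not None and os.path.getmtime(path) > baseline_mtime:
                findings.append((path, "web-executable file newer than deployment baseline"))
    return findings


def scan_access_log(lines):
    """Return (ip, path, reason) for exploitation attempts against the named CVEs and for
    successful direct requests to web-executable files, which is how a dropped shell is driven."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real hunt would record the parse failure
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        reason = next((cve for prefix, cve in EXPLOIT_PATHS.items() if path.startswith(prefix)), None)
        if reason is None and os.path.splitext(path)[1].lower() in WEB_EXEC_EXT \
                and m.group("status") == "200":
            reason = "successful request to web-executable file (possible web shell use)"
        if reason:
            hits.append((m.group("ip"), path, reason))
    return hits


# Constructed access-log lines: two exploit attempts, one shell interaction, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2020:03:12:44 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Feb/2020:03:13:01 +0000] "POST /confluence/images/cmd.jsp?c=id HTTP/1.1" 200 88',
    '198.51.100.20 - - [14/Feb/2020:03:20:00 +0000] "GET /rest/api/content?title=Home HTTP/1.1" 200 1200',
    '203.0.113.7 - - [14/Feb/2020:03:25:10 +0000] "GET /reports/rwservlet/showenv HTTP/1.1" 200 3400',
]


def run_demo():
    """Build a throwaway web root (constructed files) and run both hunts over it and SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as root:
        baseline = 1_500_000_000  # constructed deployment timestamp (epoch seconds)
        benign = os.path.join(root, "index.jsp")
        with open(benign, "wb") as f:
            f.write(b"<html>constructed benign page</html>")
        os.utime(benign, (baseline - 10, baseline - 10))  # predates the deployment baseline
        unknown = os.path.join(root, "upload.aspx")  # unknown hash, but written after baseline
        with open(unknown, "wb") as f:
            f.write(b"constructed unknown content")
        shell = os.path.join(root, "images", "cmd.jsp")  # byte-identical to the IOC sample
        os.makedirs(os.path.dirname(shell))
        with open(shell, "wb") as f:
            f.write(SAMPLE_SHELL_BODY)
        files = hunt_web_root(root, SAMPLE_IOC_HASHES, baseline_mtime=baseline)
        return {"files": [(os.path.relpath(p, root), r) for p, r in files],
                "log": scan_access_log(SAMPLE_LOG)}


if __name__ == "__main__":
    for section, rows in run_demo().items():
        print(section)
        for row in rows:
            print("  ", row)
```

The hash match is the high-confidence signal, and it is exactly what the reuse of identical files across 135 servers makes possible; the mtime and "direct request to a .jsp/.aspx" checks are weaker heuristics that catch shells whose hash has not been published yet, and will need tuning against whatever legitimate JSP or ASPX content a given application serves.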
