Menu
Browse

Cyber Incident Victim: Jordan Co.

Date:

Jan 2020

Location:

Israel

Summary

Lebanese Cedar, a threat actor linked to Hezbollah's cyber unit, conducted a prolonged intrusion campaign targeting telecommunications and internet service providers across multiple countries. The group exploited unpatched Atlassian Confluence, Jira, and Oracle Fusion servers, deploying web shells such as ASPXSpy, Caterpillar 2, Mamad Warning, and a JSP file browser to establish footholds, then used the Explosive remote access trojan on internal networks to exfiltrate sensitive data including call records and customer databases. Victims included telecom operators such as Vodafone Egypt, Etisalat UAE, SaudiNet, and Frontier Communications, among others in the US, UK, Israel, Saudi Arabia, Lebanon, Jordan, and the Palestinian Authority. Researchers linked the activity to the group through reused files and the distinctive Explosive RAT tool, identifying over 250 compromised servers worldwide.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 2 motives 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

The article describes a year‑long hacking campaign that began in early 2020 and was uncovered by the Israeli cyber‑security firm Clearsky. Clearsky attributed the intrusions to a Hezbollah‑affiliated threat actor known as Lebanese Cedar. The group scanned the internet for unpatched Atlassian and Oracle servers and exploited vulnerabilities such as CVE‑2019‑3396 in Atlassian Confluence, CVE‑2019‑11581 in Atlassian Jira, and CVE‑2012‑3152 in Oracle Fusion. After gaining access, the attackers deployed web shells including ASPXSpy, Caterpillar 2, Mamad Warning, and an open‑source JSP file browser. On compromised internal networks they used a remote access trojan named Explosive RAT to exfiltrate private documents. Clearsky reported identifying at least 250 compromised web servers worldwide, with 135 sharing the same hash as files found during incident response investigations. The attackers reused files between intrusions, which allowed researchers to fingerprint the activity and link it to Lebanese Cedar. The campaign targeted telecommunication companies and internet service providers across multiple countries.

Cyber Incident Image

The article lists victims such as Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the United States, and notes that the attacks also reached entities in Jordan. No specific organization named “Jordan Co.” is mentioned in the provided source material. Consequently, the article does not contain details about any impact on, or response actions taken by, an entity called Jordan Co. The only information available about Jordan is that it was among the countries where Lebanese Cedar conducted intrusions, without further specifics on individual companies.

Sources
Sources available to members
1 source