
Cyber Incident Victim: Mobily

Date: Jan 2020

Location: Saudi Arabia

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications providers and ISPs across multiple countries, including Saudi Arabia, by exploiting vulnerabilities in internet-facing Atlassian and Oracle systems. The attackers deployed web shells like ASPXSpy and the custom Explosive RAT malware to infiltrate internal networks, exfiltrating sensitive databases containing customer call records and private information for intelligence gathering. Security researchers attributed the campaign to the group through reused attack tools and operational patterns observed across over 250 compromised servers globally.


Description

The incident attributed to the Lebanese Cedar group, a cyber unit affiliated with Hezbollah, commenced in early 2020 and persisted for approximately one year before being uncovered by Israeli cybersecurity firm ClearSky. Attackers employed open-source scanning tools to identify internet-exposed Atlassian and Oracle servers with unpatched vulnerabilities, including CVE-2019-3396 in Atlassian Confluence, CVE-2019-11581 in Atlassian Jira, and CVE-2012-3152 in Oracle Fusion Middleware. Following initial exploitation, the threat actors deployed multiple web shells—including ASPXSpy, Caterpillar 2, Mamad Warning, and a modified JSP file browser—to establish persistent access. These compromised servers served as entry points for lateral movement into corporate internal networks, where attackers deployed the Explosive remote access trojan (RAT), a custom malware historically exclusive to Lebanese Cedar operations. The RAT facilitated systematic data exfiltration, targeting sensitive databases containing customer call records and private client information from telecommunications providers and internet service providers.
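The intrusion chain above rests on web shells dropped onto internet-facing application servers after the unpatched Atlassian and Oracle flaws were exploited. The following is an added example written for this page, not code from ClearSky's report or from any of the named organisations: a small triage scan a defender can run across a web root to surface server-side script files that feed raw request input into command execution or code evaluation, which is the core pattern of a web shell. The sample files it creates are constructed for the example, and the indicator patterns are generic heuristics rather than signatures for ASPXSpy, Caterpillar 2 or any other named tool.

```python
"""
Added example (not part of the original incident record): a lightweight
web-shell triage scan of a web root. It flags server-side script files that
combine raw request input with process execution or code evaluation. The
sample files below are constructed for this example; the heuristics are
generic and are not signatures for any specific web shell.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Extensions web shells are typically dropped as on ASP.NET / Java / PHP hosts.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php"}

# Heuristic indicators built from real framework APIs. A legitimate page
# rarely combines request input with these in a single file.
INDICATORS = [
    ("process_exec", re.compile(r"Process\.Start|Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I)),
    ("code_eval", re.compile(r"\beval\s*\(|Assembly\.Load|CSharpCodeProvider", re.I)),
    ("request_input", re.compile(r"Request\.(Form|QueryString|Params)|request\.getParameter", re.I)),
    ("file_write", re.compile(r"File\.WriteAllBytes|FileOutputStream|SaveAs\(", re.I)),
]


@dataclass
class Finding:
    path: str
    indicators: list
    score: int


def score_content(text: str) -> tuple:
    """Return (matched indicator names, score) for one file's contents."""
    hits = [name for name, pat in INDICATORS if pat.search(text)]
    score = len(hits)
    # Request input feeding exec/eval is the defining web-shell pattern; weight it.
    if "request_input" in hits and ("process_exec" in hits or "code_eval" in hits):
        score += 2
    return hits, score


def scan_webroot(root: str, threshold: int = 3) -> list:
    """Walk a web root and return Findings at or above the score threshold."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", errors="replace") as fh:
                hits, score = score_content(fh.read())
            if score >= threshold:
                findings.append(Finding(path, hits, score))
    return sorted(findings, key=lambda f: -f.score)


def build_sample_webroot() -> str:
    """Create a temporary web root holding constructed sample files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # benign dynamic page
        "index.jsp": "<html><body><%= new java.util.Date() %></body></html>",
        # reads request input but never executes anything
        "report.aspx": "<%@ Page Language=\"C#\" %><% Response.Write(Request.QueryString[\"id\"]); %>",
        # constructed web-shell-like file: request input straight into Process.Start
        "cache/x.aspx": ("<%@ Page Language=\"C#\" %>"
                         "<% System.Diagnostics.Process.Start(Request.Form[\"c\"]); %>"),
        # non-script asset, skipped by extension
        "static/logo.png": "not a script",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f.score:2d} {f.path} {','.join(f.indicators)}")
```

In practice this kind of scan is most useful when paired with file creation timestamps and the web server's access log, so that a newly written script file receiving POST requests from a single external address stands out; the scoring here is deliberately simple so it is easy to read and tune.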


ClearSky's investigation identified 254 compromised web servers across multiple countries, with forensic analysis confirming 135 servers shared identical file hashes observed during incident response engagements. Victims included telecommunications operators such as Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the United States. The campaign's primary objective centered on intelligence collection, with attackers exfiltrating corporate databases and confidential documents. Operational security lapses by the threat actors—including tool reuse and consistent file artifacts across intrusions—enabled ClearSky to attribute the activity to Lebanese Cedar with high confidence. The firm's report documented the compromise timeline, attacker methodologies, and geographic distribution of victims but did not disclose specific containment measures implemented by affected organizations beyond the discovery process. Data theft from telecommunications providers raised concerns regarding potential exposure of subscriber communications metadata and personally identifiable information.
