Menu
Browse

Cyber Incident Victim: Jordan Co.

Date:

Jan 2020

Location:

Israel

Summary

Lebanese Cedar, a threat actor linked to Hezbollah's cyber unit, conducted a hacking campaign against telecom and ISP operators worldwide, exploiting unpatched Atlassian and Oracle servers with known vulnerabilities to install web shells and gain persistent access. Using tools such as ASPXSpy, Caterpillar 2, Mamad Warning, JSP file browser, and the Explosive RAT, the group exfiltrated sensitive data including call records and private documents from victims like Vodafone Egypt, Etisalat UAE, SaudiNet, and Frontier Communications, affecting multiple sectors and countries.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

The hacking campaign attributed to the Hezbollah‑affiliated group Lebanese Cedar began in early 2020 and continued for approximately one year before being detected. Israeli cyber‑security firm Clearsky discovered the intrusions and published a report on January 28 2021 detailing the activity. According to the report, Lebanese Cedar operators used open‑source scanners to locate unpatched Atlassian and Oracle servers exposed on the internet. Once a vulnerable host was found, they exploited known flaws such as CVE‑2019‑3396 in Atlassian Confluence, CVE‑2019‑11581 in Atlassian Jira, and CVE‑2012‑3152 in Oracle Fusion to gain initial access. After compromising the servers, the attackers deployed web shells including ASPXSpy, Caterpillar 2, Mamad Warning, and an open‑source JSP file browser to maintain persistence.

Cyber Incident Image

The primary objective of the intrusions was to gather intelligence and exfiltrate sensitive data from the compromised organizations. In telecommunications firms, this included accessing databases that held call records and private customer information. Inside the victims’ internal networks, the group installed the Explosive remote access trojan (RAT), a tool previously linked exclusively to Lebanese Cedar, to facilitate data theft. The campaign affected telecom and internet‑service providers across multiple countries, namely the United States, the United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the United Arab Emirates. While the report highlights specific victims such as Vodafone Egypt, Etisalat UAE, SaudiNet, and Frontier Communications, it also confirms that Jordanian entities were among the compromised targets. In total, Clearsky identified at least 250 web servers that had been hacked, later refining the count to 254 infected servers worldwide, with 135 of those servers sharing the same file hash as artifacts observed during incident‑response investigations.

Clearsky’s researchers traced the global operation by noting repeated reuse of files and tools between separate intrusions, which allowed them to fingerprint the Lebanese Cedar APT and correlate attacks by sector and geography. The presence of the Explosive RAT on compromised internal networks served as a key indicator linking the activity to Hezbollah’s cyber unit, as the malware had not been observed in use by other threat actors. Through this analysis, the security firm was able to map the scope of the campaign, detail the attack chain from initial scanning to web‑shell deployment and RAT‑based exfiltration, and provide a timeline that began in early 2020 and culminated in the January 2021 disclosure. The findings were shared with the affected organizations and relevant authorities to support further investigation and remediation.

Sources
Sources available to members
1 source